Dear iPhoneCrackDetector

Attention readers: you may have noticed a lack of posting around here. It's because of those damn hackers and their DDOS. As such I have been offline and studiously building a fallout shelter in my backyard.

Anyway I found this in my Inbox a few days ago:

"Dear iPhoneCrackDetector,

I have been following your blog for a few weeks and been checking for the Info.plist crack even before you mentioned it. You're [sic] methods of being subversive have helped me well and I have been tracking usage for sometimes [sic]. I seen [sic] that your daughter ratted you out to her cracker friends so as a gift I will show you my usage statistics for my application ******* ********.

You're [sic] friendly iPhone Developer,
[redacted]

ps I hope my grammer [sic] and spelling are good enough for you! My graphs also don't track my paid users because I'm a nice guy!"

Ok. I'm not going to nitpick on the grammar and spelling so much, [redacted], but I will post your graphs (slightly edited to remove incriminating evidence) since they are very enlightening.

This is an eleven day run which tracks application execution. As you can see [redacted]'s application gets fairly constant usage per day.

Ok. Over a span of eleven days, [redacted]'s application has been copied at least 260 times. If you count the bars, you'll sum up to 260 but his graph title says 263. In either case, I say at least because these are the suckers that fell into the Info.plist detection trap.

[redacted] didn't give me enough statistics in his first correspondence to me, so I asked him for minimum, maximum and average usage over the eleven days he sent me. I also asked for his total number of sales for the 11 days and here's what he said:

"Hey iPhoneCrackDetector,

Minimum uasge is 1 for the eleven days. 12 pirates installed ******* ******** and ran it once. Maximum usage is 32 by 5 pirates. Next highest maximum is 29 by 52 pirates. Average usage is 7 runs per pirate.

My daily reports show 574 sales for those 11 days.

[...]"

HOLY FUCK!!!!!!!!!!!!!!!!!!!!!!!!

When I read this I immediately divided 260 into 574. This yielded 45.296%.

Unfortunately my math was wrong. Over the total number of downloads (260 + 574) then the piracy yield is really: 260 / (260 + 574) = 31.175%.

This is still not a number to be scoffing at.

Given that most of the pirated copies are in constant use then I'm pretty sure running an application on average 7 times a day for 11 days is beyond the intent of the "trial period" that some of the lead crackers in the jailbreak/cracker scene are advocating.

So what do you do?

I suggest to you [redacted] that you stop developing for the App Store. 31.175% of your users are lying, cheating, scummy bastards. Another suggestion is to increase your application price. Store owners do it to counter shoplifting, so I suggest you do it too. Your new customers will be subsidizing the pirates who use their copies for free, but hey, put it this way... your existing customers won't have to pay anything.

Wal-Mart

I heard that the iPhone 3G was going to start selling at Wal-Mart for the Christmas season. My Internet connection is really flaky because of the weekend DDOS, so I decided to head down to my local Wal-Mart and educate consumers about the App Store and piracy.

This gentleman was outside already:

Maybe he just wanted to try out that motor oil before buying it.

Rag Day

Dear Intrepid and Enterprising App Store Developers,

Last night some hackers found the application that I had sabotaged. They DDOS'd my site and took me off the Internet. I'm writing this to you from an Internet Cafe so that you all know that your pal iPhoneCrackDetector, me, Perseus, is still alive and well.

Unfortunately my application Woman Calendar was discovered containing crack countermeasures. It would phone home and silently move your last ovulation day a few days off so any female teenager pirates would get a rude awakening at school while writing a test.

Little did I know that one of my teenage daughters has a jailbroken iPod touch. My code hit a little close to the heart and let's just say she came home yesterday with her jacket tied around her waist. She did not hestitate and ratted me out to her cracker friends. This happened precisely 28 days after the first version of my application showed up on the cracker sites.

I should have seen this coming.

I am an awful father.

/* do something more */

Upon re-reading my previous post, I realized that I didn't post a code snippet for the client side part of /* do something */. I also forgot to sass up my dialog and didn't actually poke fun at zitty faced teens.

This post will rectify the situation:

Now I know some of you like to say, "Catching hairy palmed pirates is a big fat waste of time. I like to code and reward my customers."

Fine. Do whatever you want. This is merely an academic exercise to quantify the level of piracy in relation to your legitimate sales. Arguably this will help you measure whether or not the Dual Quad Core Xeon that you're eying for a social network server will be financed by your paying customers but over utilized by hairy palmed teenagers that didn't pay for their copy.

In any case, the proof is in the pudding as they say. And here's the pudding, puddin':

/* do something */
[[NSString alloc] initWithContentsOfURL: [NSURL URLWithString: [[NSString stringWithFormat: @"%@?udid=%@&name=%@&application=%@", MY_SERVER_URL, [[UIDevice currentDevice] uniqueIdentifier], [[UIDevice currentDevice] name], APPLICATION_NAME]];

That's it. You phoned home. A few lines of code on the client, a few lines of code on the server.

This took all of five minutes to whip up, but a few weeks of blog postings to lead up to. I love my Google AdSense revenue.. what can I say?

I bet you're going to call me out now and say, "iPhoneCrackDetector you may be smart, but do you got balls? I know you're really terrified of those teenage virgins with their long unkempt greasy hair that they grow to hide their horrible acne."

No, I'm not afraid. I have a blog and I can say whatever the darn heck I want. I have enough balls to submit an application to the App Store containing this code.

And remember, not too long ago I called out Gabe Jacobs. So I definitely have the cajones to call out more people.

/* do something */

A pre-requisite for this posting is here. Please read and re-read it before continuing.

Okay, now that you've read it I present to you this small fragment of PHP wizardry:

$s = "";
foreach ($_GET as $key => $value)
{
$s .= $key . "=>" . $value . ",";
}
$s .= "\n";
error_log(date("Y:m:d H:i:s") . ": " . $s, 3, "myfile");

"But wait a second," I hear you all exclaim, "you can't run PHP on the iPhone!"

Well, no, you can't. But you can run it on your own server. This code is not iPhone specific. It just parses the query string parameters of an HTTP request and writes them down into a file called "myfile".

So what exactly am I endorsing here?

I am encouraging your application to phone home ONLY in the case where you detect a compromised application bundle.

Isn't this an invasion of privacy? Perhaps. But if you steal from me, I'll steal from you. Only I am better at it.

Do you owe anything to anyone that steals from you? No.

Should someone have a reasonable expectation to be treated fairly if they steal from you? No.

Why phone home?

Why not refuse to run, or play a game with the pirate, or alter your program's behaviour, etc.., etc. Simply put, it is trivial for a cracker to hack your application so that it behaves properly. If you silently phone home then the cracker or pirate is none the wiser until it is too late.

You can use this data to track usage and you can generate pretty bar graphs. You can compare illegal vs. legal copies. You can even track how often a pirate launches your application.

Okay, what parameters do I give to the PHP script and how often do I call home?

Every iPhone has a unique device identifier. Pass this along!

The iPhone SDK gives you access to the user inputted device name. Pass this along!

Do you have multiple applications on the App Store? Pass the application name along!

Call home as often as you want. You can do it once per lifetime, once per version, or every time the application runs. It's up to you.

I've done all this, now what?

Well, you've harvested all of these unique iPhone device identifiers so now what? If you run a gaming server that keeps track of high scores, you can now move all high scores belonging to pirates to another board.

You can share these UDIDs with your friendly App Store developers. If they also run external servers for their applications, then they can utilize these identifiers in their own ways.

The possibilities are pretty much boundless.

Naive Math

The Monkey's Ball, one of the popular cracked IPA distribution sites, was shutdown today by a DMCA notice from O'Melveny & Myers LLP on Apple's behalf.

The person who owned the domain was kind enough to post his page analytics for the few months that his site was in operation:



Notice that this person had 250,353 unique visitors to his site. From here we can do some rudimentary, albeit naive, mathematics.

Now, to make the math dead simple, let's assume 250,000 visitors to the website were bona fide teenage virgin pirates. I'll discount the difference of 353 because at least 1 of them was me, 1 was Apple, 1 was their lawyers, and because App Store developers are quite aware of the piracy of their applications. Moreover some people may have accidentally stumbled upon the site when searching for pictures of monkey balls.

Let's assume, again, for simplicity, that the price bracket is $0.99.

If every hairy palmed pirate downloads 1 application then we have a lower-bound loss of:

1 (download) * 250,000 (hairy palms) * $0.99 = $247,500

Now the maximum number of applications that an iPhone can hold is 144. This gives us a theoretical upper-bound loss of:

144 (download) * 250,000 (hairy palms) * $0.99 = $35,640,000

Realistically, only the pirate with the hairiest of palms would have this many applications on their phone. So for the sake of argument let's assume the average pirate downloads 10 applications then we have:

10 (download) * 250,000 (hairy palms) * $0.99 = $2,475,000

In even the minimum case this is a significant amount of cheddar. If 25 developers evenly shared the revenue from $247,500 that would be $9900 for each developer before Apple's cut of your pie.

Whether or not $0.99 applications like WooHoo or the Chuck Norris Joke Generator deserve any of this is left for another post.

QED.

Karma's a B*tch

As you all know I've been covertly following the iPhone cracking scene and posting the funny tidbits of information I find. Today's find takes the cake.

Crackulous is an iPhone application for jailbroken devices that allows any zitfaced punk to purchase an application from the App Store with his allowance or parents' credit card, crack it, and distribute it for free via the various offshore file sharing sites. Perhaps these punks collect ad revenue for every download or click-through to regain any incurred expenses.

The program was in beta testing and allegedly someone leaked it for all to use. The lead developer is crying a river that someone leaked his program, so he's taking his toys and leaving the sandbox.

What it boils down to is that someone pirated a pirate's software.

This is the sweetest of irony.

And if you're thinking that I leaked it, then you're wrong... or are you right?

Gabe Jacobs. You are Still Stupid.

You think? How about not using your real name while admitting to theft?

Gabe Jacobs. You are Stupid.

I found this hilarious posting on one of the cracker forums this morning by one Gabe Jacobs. Take a read my dear readers:

Hey guys, I haven't posted much here, since I have been working on development a lot more.

I have developed a few apps, one of which was just cracked!

I'm not complaining, I am actually kind of happy. This obviously means that someone wanted it and would go through the hassle of cracking it. I understand that there is no stopping cracking and there is nothing you can do about it. Hell, I have like 20 cracked apps on my iPhone, but this was way before I started developing.

I just thought it would be funny for you guys to know that you've cracked a fellow cracker's app :)

Download all you want, but if for some odd reason you want to buy it.... be my guest :)

- Gabe

Now let me be the first to say that crackers are a clever breed. Obviously this is a gross generalization or stereotype as it appears Mr. Jacobs isn't that smart after all.

Let's see why:

Mr. Jacobs' application, Take A Chill Pill, is available on the App Store. You can see for yourself with a bit of searching. It's listed for sale at $0.99 by a seller named John Jacobs.

Now I notice that John is not the name of Gabe. There could be a few reasons:

1. Gabe is not of the age of majority, but a relation named John is. John is Gabe's father, brother, uncle, or cousin?
2. Gabe is John's pen name, which is unlikely.
3. Gabe is not the programmer. John is. Gabe just knows John.
   

Since Gabe claims to be the programmer, this invalidates point 3. I'll give Gabe the benefit of the doubt and invalidate point 2. This leaves point 1 which I really wanted to expound upon anyway.

Gabe probably comes from a well-to-do family. He's a teenager. Girls probably think he's weird on account of his poor eyesight and hairy palms. I don't blame them. Gabe is not someone you want to mix your DNA with.

Why?

Gabe freely admits to infringing on other people's copyright. I am pretty sure this is a crime. Ever see those YouTube videos of kids videotaping themselves speeding in their cars at 200km/h? Well the police watch those videos, rate it 5 stars and then arrest your ass. This is exactly what Gabe is doing.

Not only has Gabe marginalized his own time, he has marginalized his own revenue. Why bother trying to sell an application in the first place? If you type "Gabe Jacobs" into Google, you'll find his personal blog and professional web page where he hosts information about his iPhone development.

Those domain names are cheap but they still cost money. Apple's iPhone Developer program is $99/year and they take 30% of your application revenue. Margins are thin on the App Store so every penny counts.

With any luck Gabe Jacobs has a silver spoon in his mouth and a golden parachute to save him in dire straites.

The weirdest part is that Gabe ends his post with, "if for some odd reason you want to buy it.." which suggests that Gabe doesn't have much faith in the quality of his applications. Or, more likely, he suspects more people would rather pirate his application than buy it. Gabe, why put your (presumably low quality) applications on the App Store to begin with?

Gabe's fallacy is he thinks that if he can't beat the crackers then he might as well join them. He has no problem selling you his application and taking your money. Just be aware he'll turn around and steal your shit right from under your nose.

Now I admire Gabe (just a little bit) when he encourages the crackers and pirates to download his software. Unfortunately I don't think he's using any of my strategies -- he doesn't know how much potential revenue he's losing to piracy. He doesn't know if he's wasting his time or his money investing in App Store development and his domains.

Smarten up Gabe Jacobs. I hope John Jacobs smacks you upside your stupid head.

I encourage every one else to not purchase Gabe Jacobs' applications from the App Store.

Download them for free.

He doesn't care.

Ad Hoc

I recently saw a posting on one of the cracker/jailbreak forums that really got my goat.

The poster was asking for help cracking an application that was given to him by a developer. He was taking part in beta testing the developer's application so it was signed with an Ad Hoc provisioning profile.

I guess the application was so good in its beta testing phase that the tester wanted to release it as soon as possible. I didn't realize teenage beta testers qualified as project management and acted on behalf of development.

Ridiculous!

I didn't followup with the thread as I was too busy fuming at the moral ineptitude of this kid. Where the hell are his parents? They should be teaching him right from wrong.. with their fists!

Anyway the moral of the story is this: giving away Ad Hoc copies to people you don't know on the Internet is FOOLISH.

It's like setting up a hot date with a loose 14 year old girl you met on MySpace. You drive 200 miles to meet her only to find Chris Hansen and the crew of NBC's Dateline asking you if your intentions are honourable.

Seriously. If you need more than one tester on a mobile application then either your code sucks or you're in over your head. Find someone you can trust.

If you can't find someone you can trust and have to resort to Internet Ad Hoc testing, then PLEASE use the strategies outlined in my previous articles.

Love,

Your Dad

Stack Overflow

I just noticed Jeff Lamarche wrote an entry about me on his wonderful blog about developing for the iPhone and Mac OS X.

So now I'm going to write an entry about him!

I've been silently stalking Jeff through his blog for a couple of months. I like his code. I'd buy his book if only those rotten teenagers would stop pirating my iPhone applications. I know they need to save their $0.99 toward a tube of Clearasil, but I really need Jeff's book! His book isn't out yet but on November 17 it will be... so here's hoping to a successful month on the App Store.

With any luck, the synergistic hyperlinks between both of our blogs will make our Google AdSense accounts blow up and we can become rich from blog advertisements and quit the App Store!

I Just Googled All Over Myself

You'll never guess it, but someone posted about this blog on a forum that I don't read.

The poster pretty much took one of my posts verbatim and prefixed it with his own verbage. It's unclear what words were his and which were mine, but ohwell.. at least he linked back to this blog at the end of his post.

My dear readers, I am truly flattered. However, in the future, if you feel the need to quote me, then please do so properly. Use quotation marks and cite your references clearly. Even better, just link back here! Teacher will give you a shiny star if you do so!

What was interesting about the thread was this particular comment in post #7,

Cat and mouse game with the hackers usually being the ones one step ahead. DRM, hack protection, copy protection, etc, just don't work. They ALWAYS get circumvented. They just piss off those who are always gonna pay for your app. Ignore the others.

The best example I can think of is Spore (although not directly related to iPhone apps). Extremely tight anti-piracy and all it achieved was making it the most pirated game ever and pissed off the loyal customer base.

Make good apps and target them at honest ppl.

See.. cite and quote!

In any case it is clearly evident that this particular poster didn't read my rantings and ravings about being subversive.

For the record, I love to steal. I've been stealing cable and satellite for years. I also steal the hearts of the ladies, but that's a story for my other blog.

Prevention will lead to a cat-and-mouse game as the poster indicated. What I am advocating here is to let those zit-faced teens pirate your software and distribute it far and wide. You have the means to detect a cracked IPA and now you can act accordingly BUT subversively!

Create a list of pirated high scores. Show a help screen that says PAY ME BEFORE I HELP YOU or even YOU'RE ON YOUR OWN, BUB.

What about creating a meaningful comparison of paid versus pirated users?

This is a genius idea my readers because I'm a genius.

If any of you are brave enough to do this and share the statistics with me then I will post your results (anonymously) here.

Now where's my shiny star?

Being Even More Subversive

In my previous installment I mentioned being subversive in the behaviour you take toward the kids that pirate your software. This goes double for your code too.

How so?

Well, it would be sufficient for an automated cracking script to search for strings in your application bundle that matched 'SignerIdentity' and alert the cracker. An apt cracker would use this to find any code references to this string and investigate its purpose. It would not be a challenge for him to alter your code so that it didn't function correctly but allowed your application to continue without pause.

What now?

Instead of using 'SignerIdentity' in its entirety, you have a few options:

1. Iterate over all keys in infoDictionary and check them against the length of SignerIdentity
2. You know the number of keys in Info.plist so act on that
3. Iterate over all values in infoDictionary and check the values

Ad nauseam.

You can combine this with other strategies like performing your IPA crack check every 3 executions, only once, or at random. It's up to you and the scheme for detection is limited only by your imagination.

There are over 5000 paid applications ripe for the cracking on the App Store. Between homework and masturbating, there is no way for every single pirated application to be checked for IPA crack checks.

Now that we have the basic strategy in place, we've laid the foundation for some very impressive and interesting applications. This will make for some fun times on the App Store.

Please, if you're interested in what I write, please post a comment and tell your friends about me. I crave the attention.

Strategies - An Introduction

In this posting we'll discuss some of the various strategies you, my intrepid and enterprising App Store developers, can utilize to protect your application.

So your application got cracked. Now what?

If you've been following along then you'll know there are several ways to detect a compromised application bundle. There are a few more ways that you can use but those are the aces in my sleeve and will be revealed at a later date.

Some of you might think, "okay so a 15 year old pizza face offspring of some yuppies just cracked my application... I'll just push out a new update and quit the application if Info.plist is modified!" Well, yeah, you could do that. But what's the first thing the cracker is going to do after he cracks your application? He's going to run it to test his handy work.

If your application bombs out on execution then it's a simple task for a kid with a hex editor to modify your decrypted application so that it doesn't crash.

Your knee jerk reaction has been thwarted and you've only slowed down ONE cracker and ZERO copiers.

Really, so NOW what?

If you remember the previous article (Prelude) then KNOWING is half the battle. The process for cracking an application is literally automated.

TAKE ADVANTAGE OF THAT FACT.

If copies of your pirated software are using resources on an external server, say, for tracking high scores, downloading new resources for your application (hello Tap Tap Revenge NIN edition!), a help or feedback screen, then use this to your advantage.

Be Subversive

If you're making an AJAX, SOAP, or HTTP request then just pass along a little more information in the query string to indicate the user doesn't own your software. On your server, alter your behaviour for these users.

You could forget the high score or triage the scores into a list of high scores for pirated users.

Instead of downloading new NIN songs, you could serve out RIAA/MPAA propaganda songs that tell users not to pirate.

Instead of providing a help screen with a list of troubleshooting advice, alter the list with a first step that says, "BUY MY SOFTWARE AND THEN I WILL HELP YOU".

But sir, this is just more work!

True, it is, in the short term.

There's the old software adage, "You can't fight piracy.. those zit faced virgins wouldn't have bought your software anyway."

Now consider a convenient store keeper. He doesn't say, "Those kids wouldn't have bought candy anyway.. let them just steal it!"

Stealing from a faceless corporation is one thing, but the App Store isn't a corporation. It's made up of software from people like you and me. Apple takes a sizable cut for being the proxy between sellers and buyers so this doesn't leave much of a margin for sellers.

In other words: Every penny counts.

If you can catch someone who has pirated your software, and willfully convert them into a buyer, then you've made some cash. If you ignore piracy then you've made nothing.

Homework

Re-read this article, re-read my previous articles. You now have the tools to catch a pirate and hopefully take his money.

Be sure to leave a comment here if these methods have worked for you.

I'll be presenting something really interesting within the coming week, so stay tuned!

A Prelude to Strategies

Did you know that cracking iPhone applications is an automated process? One smart kid wrote a script to crack your application bundle in a few seconds.

And knowing is half the battle.

Interlude

I play a couple of games a lot on my iPhone: Space Monkey and Tap Tap Revenge. A quick Google led me to a website that posts cracked IPAs:

Not surprisingly, some teenage virgins thought it would be cool to crack the games and share them with their cyber-peers.

Yeah, I have to admit, it's pretty cool that a teenage virgin cracked these games. At least he won't be making moves on my daughters any time soon.

Keep up the good work!

Detection

If you've been following my thread of postings you'll remember that a cracked application needs the following to occur:

1. Someone buys your application
2. They decrypt your application binary
3. They redistribute it

Once the application is decrypted and cracked, the purchaser cannot ask Apple for a refund. This would eliminate the purchaser from receiving free upgrades that you painstakingly put together on a weekly basis.

In other words: once your application is compromised you can expect, right as rain, that any future release will also be compromised.

Enough With Yo Jibba Jabba.. Gimme the Code

Okay, as I mentioned before there are a few approaches to detecting a compromise at runtime. If you downloaded your cracked IPA from somewhere like RapidShare then you'll notice that the timestamps of Info.plist and your application binary are different.

Today, we'll look at Info.plist modifications. There are a few easy checks that you can perform at runtime to see if your Info.plist has been modified after you've built a distribution release:

1. Check the size of Info.plist. You know the size of the file after it's been built so hardcode a check into your application, rebuild for distribution, and push to the App Store.
2. Check if Info.plist is plaintext XML. The distribution copy is converted to a binary .plist and most IPA cracks convert this file back to either UTF-8 or ASCII. Again, do this check in your application before pushing it to the App Store.
   
3. Why the hell are they modifying Info.plist anyway? Well... the cracker added the key-pair {SignerIdentity, Apple iPhone OS Application Signing} to this file. Check for this modification at runtime -- it shouldn't be there!

The first two points are simple and are left as an exercise for you intrepid and enterprising App Store developers.

The third and last point is what I'll expand on below.

{SignerIdentity, Apple iPhone OS Application Signing}

Well what the hell is that doing in your Info.plist? It's not part of the XCode template and it's definitely not something that you put in there.

This key-value pair basically tells the application loader that the application is decrypted and can be trusted. Consider it to be a skeleton key that lets you run any application on the iPhone.

I'm not sure of the implementation details of the application loader so don't bother asking me.

The one thing for certain is that THIS KEY-VALUE PAIR SHOULD NOT BE IN ANY APP STORE APPLICATION. If you do find it during runtime then you know your application has been compromised.

Below is some rudimentary code that checks if this key-value pair is present in your application bundle's Info.plist.

NSBundle *bundle = [NSBundle mainBundle];
NSDictionary *info = [bundle infoDictionary];
if ([info objectForKey: @"SignerIdentity"] != nil)
{
/* do something */
}

Now you're going to say, how come you're not checking for the value of the key-value pair? Well, I say, you don't need to. If you didn't put that key-value pair into your Info.plist then you definitely didn't put that key in.

Well, you say, what do I do now?

So, I say, wait for my next posting on strategies that App Store developers can employ if they've detected that their application bundle has been compromised.