- Someone buys your application
- They decrypt your application binary
- They redistribute it
In other words: once your application is compromised you can expect, right as rain, that any future release will also be compromised.
Enough With Yo Jibba Jabba.. Gimme the Code
Okay, as I mentioned before there are a few approaches to detecting a compromise at runtime. If you downloaded your cracked IPA from somewhere like RapidShare then you'll notice that the timestamps of Info.plist and your application binary are different.
Today, we'll look at Info.plist modifications. There are a few easy checks that you can perform at runtime to see if your Info.plist has been modified after you've built a distribution release:
- Check the size of Info.plist. You know the size of the file after it's been built so hardcode a check into your application, rebuild for distribution, and push to the App Store.
- Check if Info.plist is plaintext XML. The distribution copy is converted to a binary .plist and most IPA cracks convert this file back to either UTF-8 or ASCII. Again, do this check in your application before pushing it to the App Store.
- Why the hell are they modifying Info.plist anyway? Well... the cracker added the key-pair {SignerIdentity, Apple iPhone OS Application Signing} to this file. Check for this modification at runtime -- it shouldn't be there!
The third and last point is what I'll expand on below.
{SignerIdentity, Apple iPhone OS Application Signing}
Well what the hell is that doing in your Info.plist? It's not part of the XCode template and it's definitely not something that you put in there.
This key-value pair basically tells the application loader that the application is decrypted and can be trusted. Consider it to be a skeleton key that lets you run any application on the iPhone.
I'm not sure of the implementation details of the application loader so don't bother asking me.
The one thing for certain is that THIS KEY-VALUE PAIR SHOULD NOT BE IN ANY APP STORE APPLICATION. If you do find it during runtime then you know your application has been compromised.
Below is some rudimentary code that checks if this key-value pair is present in your application bundle's Info.plist.
Now you're going to say, how come you're not checking for the value of the key-value pair? Well, I say, you don't need to. If you didn't put that key-value pair into your Info.plist then you definitely didn't put that key in.
NSBundle *bundle = [NSBundle mainBundle];
NSDictionary *info = [bundle infoDictionary];
if ([info objectForKey: @"SignerIdentity"] != nil)
{
/* do something */
}
Well, you say, what do I do now?
So, I say, wait for my next posting on strategies that App Store developers can employ if they've detected that their application bundle has been compromised.
10 comments:
I for one like this idea and will immediately begin utilizing it....I haven't done any searching but I do intend to see if my apps have been cracked.
THANK YOU.
Good information.
Thanks
I packaged these and a couple more checks into a handy package named AntiCrack.
Real life has shown that it is tedious having to find out the byte size and number of lines in info.plist as they change depending on OS/SDK version and build settings.
Contact me if you are interested: oliver@drobnik.com
regards
Oliver Drobnik
We are sell wow gold and wow power leveling wow gold
Do not mean bad.Thank you so much! I just want to show some fashion wedding dress to all of you. I like wedding dresses, because wedding for a girl, it is the most special day in her life. Do you want to have the beautiful wedding dresses in perfect day??
Fantastic! God bless you! Meanwhile, we have the highest quality but the lowest price fashion cheap wedding dresses. Here are the most popular designer wedding dresses and lace wedding dresses for all of you. Also the cheap evening dresses is a great choice for you. Let you dream come ture!!
Perfect!! You are a outstanding person! Do you want to wear stunning discount wedding dresses and join the party wearing beautiful cheap prom dresses?? Or you want all people's eyes can't move from you? The evening formal dresses are the best gift for you!
Best wishes for you! May be you are interested in party cocktail dresses, and you may need cheap bridesmaid dress for you special Occasions. We can provide cheap cocktail dresses, cheap flower girl dresses even the plus size wedding dresses. You can choose that you like!
Thanks a bunch for cool post, I'll implement it asap.
Regards
Does the plist file get modified for apps that are free? What about, for example, an application that is free on the App Store, but requires server billing authentication? Will the cracked iPhone still modify the plist file?
Post a Comment