Saturday, November 1, 2008

Detection

If you've been following my thread of postings you'll remember that a cracked application needs the following to occur:
  1. Someone buys your application
  2. They decrypt your application binary
  3. They redistribute it

Once the application is decrypted and cracked, the purchaser cannot ask Apple for a refund: doing so would cut the purchaser off from the free upgrades that you painstakingly put together on a weekly basis.

In other words: once your application is compromised you can expect, right as rain, that any future release will also be compromised.

Enough With Yo Jibba Jabba.. Gimme the Code

Okay, as I mentioned before there are a few approaches to detecting a compromise at runtime. If you downloaded your cracked IPA from somewhere like RapidShare then you'll notice that the timestamps of Info.plist and your application binary are different.

Today, we'll look at Info.plist modifications. There are a few easy checks that you can perform at runtime to see if your Info.plist has been modified after you've built a distribution release:
  1. Check the size of Info.plist. You know the size of the file after it's been built so hardcode a check into your application, rebuild for distribution, and push to the App Store.
  2. Check if Info.plist is plaintext XML. The distribution copy is converted to a binary .plist and most IPA cracks convert this file back to either UTF-8 or ASCII. Again, do this check in your application before pushing it to the App Store.
  3. Why the hell are they modifying Info.plist anyway? Well... the cracker added the key-value pair {SignerIdentity, Apple iPhone OS Application Signing} to this file. Check for this modification at runtime -- it shouldn't be there!

The first two points are simple and are left as an exercise for you intrepid and enterprising App Store developers.
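
One way to do the first two checks, as an added example that is not code from the original post. It is plain C, which compiles unchanged inside an Objective-C project; the function names, flag names and the expected size of 734 bytes are assumptions made for illustration, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

enum {
    PLIST_OK            = 0,
    PLIST_UNREADABLE    = 1 << 0,  /* could not open or measure the file    */
    PLIST_SIZE_MISMATCH = 1 << 1,  /* check 1: size differs from the build  */
    PLIST_NOT_BINARY    = 1 << 2   /* check 2: binary-plist header missing  */
};

/* Constructed samples: the first bytes of a binary plist and of an XML plist. */
static const unsigned char SAMPLE_BIN[] = "bplist00\xd1\x01\x02";
static const unsigned char SAMPLE_XML[] = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";

/* Evaluate both checks from the file's size and its leading bytes. */
int plist_flags(const unsigned char *head, size_t head_len,
                long actual_size, long expected_size)
{
    int flags = PLIST_OK;
    if (actual_size != expected_size)
        flags |= PLIST_SIZE_MISMATCH;
    /* A binary property list starts with the 8-byte magic "bplist00". */
    if (head_len < 8 || memcmp(head, "bplist00", 8) != 0)
        flags |= PLIST_NOT_BINARY;
    return flags;
}

/* Read the header and size of the file at `path`, then run both checks.
 * `expected_size` is the value hardcoded after the distribution build. */
int plist_check_file(const char *path, long expected_size)
{
    unsigned char head[8];
    long size = -1;
    FILE *fp = fopen(path, "rb");
    if (fp == NULL) return PLIST_UNREADABLE;
    size_t n = fread(head, 1, sizeof head, fp);
    if (fseek(fp, 0, SEEK_END) == 0) size = ftell(fp);
    fclose(fp);
    if (size < 0) return PLIST_UNREADABLE;
    return plist_flags(head, n, size, expected_size);
}

int main(void)
{
    printf("binary: %d\n", plist_flags(SAMPLE_BIN, sizeof SAMPLE_BIN - 1, 734, 734));
    printf("xml:    %d\n", plist_flags(SAMPLE_XML, sizeof SAMPLE_XML - 1, 1201, 734));
    return 0;
}
```

In an application, pass `plist_check_file` the path of the bundle's own Info.plist and treat any non-zero result as a sign of modification.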

The third and last point is what I'll expand on below.

{SignerIdentity, Apple iPhone OS Application Signing}

Well, what the hell is that doing in your Info.plist? It's not part of the Xcode template and it's definitely not something that you put in there.

This key-value pair basically tells the application loader that the application is decrypted and can be trusted. Consider it to be a skeleton key that lets you run any application on the iPhone.

I'm not sure of the implementation details of the application loader so don't bother asking me.

The one thing for certain is that THIS KEY-VALUE PAIR SHOULD NOT BE IN ANY APP STORE APPLICATION. If you do find it during runtime then you know your application has been compromised.

Below is some rudimentary code that checks if this key-value pair is present in your application bundle's Info.plist.

    /* Info.plist of the running application bundle, parsed into a dictionary */
    NSBundle *bundle = [NSBundle mainBundle];
    NSDictionary *info = [bundle infoDictionary];
    /* The presence of the key is the indicator; its value is not inspected */
    if ([info objectForKey:@"SignerIdentity"] != nil)
    {
        /* do something */
    }

Now you're going to say, how come you're not checking for the value of the key-value pair? Well, I say, you don't need to. If you didn't put that key-value pair into your Info.plist then you definitely didn't put that key in.

Well, you say, what do I do now?

So, I say, wait for my next posting on strategies that App Store developers can employ if they've detected that their application bundle has been compromised.
