Monday, February 16, 2009

Greetings and Salutations

Hello my dear and intrepid App Store Developers:

It has been a long time since I have corresponded with you. Last you heard I was on the run from a severe DDoS against the servers hosting the support webpages for my iPhone applications.

Well I'm back, bitches. As a treat, here are some UDIDs that I have harvested during my hiatus:

This is just a handful of the thousands that I have on file.

Sincerely,

iPhoneCrackDetector

Sunday, November 30, 2008

Dear iPhoneCrackDetector

Attention readers: you may have noticed a lack of posting around here. It's because of those damn hackers and their DDOS. As such I have been offline and studiously building a fallout shelter in my backyard.

Anyway I found this in my Inbox a few days ago:
"Dear iPhoneCrackDetector,

I have been following your blog for a few weeks and been checking for the Info.plist crack even before you mentioned it. You're [sic] methods of being subversive have helped me well and I have been tracking usage for sometimes [sic]. I seen [sic] that your daughter ratted you out to her cracker friends so as a gift I will show you my usage statistics for my application ******* ********.

You're [sic] friendly iPhone Developer,
[redacted]

ps I hope my grammer [sic] and spelling are good enough for you! My graphs also don't track my paid users because I'm a nice guy!"
Ok. I'm not going to nitpick on the grammar and spelling so much, [redacted], but I will post your graphs (slightly edited to remove incriminating evidence) since they are very enlightening.

This is an eleven day run which tracks application execution. As you can see [redacted]'s application gets fairly constant usage per day.

Ok. Over a span of eleven days, [redacted]'s application has been copied at least 260 times. If you count the bars, you'll sum up to 260 but his graph title says 263. In either case, I say at least because these are the suckers that fell into the Info.plist detection trap.

[redacted] didn't give me enough statistics in his first correspondence to me, so I asked him for minimum, maximum and average usage over the eleven days he sent me. I also asked for his total number of sales for the 11 days and here's what he said:

"Hey iPhoneCrackDetector,

Minimum usage is 1 for the eleven days. 12 pirates installed ******* ******** and ran it once. Maximum usage is 32 by 5 pirates. Next highest maximum is 29 by 52 pirates. Average usage is 7 runs per pirate.

My daily reports show 574 sales for those 11 days.

[...]"
HOLY FUCK!!!!!!!!!!!!!!!!!!!!!!!!

When I read this I immediately divided 260 into 574. This yielded 45.296%.

Unfortunately my math was wrong. Taken over the total number of downloads (260 + 574), the piracy yield is really: 260 / (260 + 574) = 31.175%.

This is still not a number to be scoffing at.

Given that most of the pirated copies are in constant use then I'm pretty sure running an application on average 7 times a day for 11 days is beyond the intent of the "trial period" that some of the lead crackers in the jailbreak/cracker scene are advocating.

So what do you do?

I suggest to you [redacted] that you stop developing for the App Store. 31.175% of your users are lying, cheating, scummy bastards. Another suggestion is to increase your application price. Store owners do it to counter shoplifting, so I suggest you do it too. Your new customers will be subsidizing the pirates who use their copies for free, but hey, put it this way... your existing customers won't have to pay anything.

Monday, November 24, 2008

Wal-Mart

I heard that the iPhone 3G was going to start selling at Wal-Mart for the Christmas season. My Internet connection is really flaky because of the weekend DDOS, so I decided to head down to my local Wal-Mart and educate consumers about the App Store and piracy.

This gentleman was outside already:

Maybe he just wanted to try out that motor oil before buying it.

Saturday, November 22, 2008

Rag Day

Dear Intrepid and Enterprising App Store Developers,

Last night some hackers found the application that I had sabotaged. They DDOS'd my site and took me off the Internet. I'm writing this to you from an Internet Cafe so that you all know that your pal iPhoneCrackDetector, me, Perseus, is still alive and well.

Unfortunately my application Woman Calendar was discovered containing crack countermeasures. It would phone home and silently move your last ovulation day a few days off so any female teenager pirates would get a rude awakening at school while writing a test.

Little did I know that one of my teenage daughters has a jailbroken iPod touch. My code hit a little close to the heart and let's just say she came home yesterday with her jacket tied around her waist. She did not hesitate and ratted me out to her cracker friends. This happened precisely 28 days after the first version of my application showed up on the cracker sites.

I should have seen this coming.

I am an awful father.

Wednesday, November 19, 2008

/* do something more */

Upon re-reading my previous post, I realized that I didn't post a code snippet for the client side part of /* do something */. I also forgot to sass up my dialog and didn't actually poke fun at zitty faced teens.

This post will rectify the situation:

Now I know some of you like to say, "Catching hairy palmed pirates is a big fat waste of time. I like to code and reward my customers."

Fine. Do whatever you want. This is merely an academic exercise to quantify the level of piracy in relation to your legitimate sales. Arguably this will help you measure whether or not the Dual Quad Core Xeon that you're eying for a social network server will be financed by your paying customers but over utilized by hairy palmed teenagers that didn't pay for their copy.

In any case, the proof is in the pudding as they say. And here's the pudding, puddin':
/* do something */
// Synchronous HTTP GET to the developer's server; the response body is discarded.
[[NSString alloc] initWithContentsOfURL: [NSURL URLWithString: [NSString stringWithFormat: @"%@?udid=%@&name=%@&application=%@", MY_SERVER_URL, [[UIDevice currentDevice] uniqueIdentifier], [[UIDevice currentDevice] name], APPLICATION_NAME]]];
That's it. You phoned home. A few lines of code on the client, a few lines of code on the server.

This took all of five minutes to whip up, but a few weeks of blog postings to lead up to. I love my Google AdSense revenue... what can I say?

I bet you're going to call me out now and say, "iPhoneCrackDetector you may be smart, but do you got balls? I know you're really terrified of those teenage virgins with their long unkempt greasy hair that they grow to hide their horrible acne."

No, I'm not afraid. I have a blog and I can say whatever the darn heck I want. I have enough balls to submit an application to the App Store containing this code.

And remember, not too long ago I called out Gabe Jacobs. So I definitely have the cojones to call out more people.

/* do something */

A pre-requisite for this posting is here. Please read and re-read it before continuing.

Okay, now that you've read it I present to you this small fragment of PHP wizardry:
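<?php
// Untrusted input: strip control characters (CR/LF included) so a value cannot forge log lines.
$clean = function ($v) { return preg_replace('/[\x00-\x1F\x7F]/', '', (string) $v); };
$s = "";
foreach ($_GET as $key => $value)
{
    if (is_array($value)) { continue; } // skip array parameters such as ?a[]=1
    $s .= $clean($key) . "=>" . $clean($value) . ",";
}
$s .= "\n";
// Message type 3 appends the line to the file named in the third argument.
error_log(date("Y:m:d H:i:s") . ": " . $s, 3, "myfile");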
"But wait a second," I hear you all exclaim, "you can't run PHP on the iPhone!"

Well, no, you can't. But you can run it on your own server. This code is not iPhone specific. It just parses the query string parameters of an HTTP request and writes them down into a file called "myfile".

So what exactly am I endorsing here?

I am encouraging your application to phone home ONLY in the case where you detect a compromised application bundle.

Isn't this an invasion of privacy? Perhaps. But if you steal from me, I'll steal from you. Only I am better at it.

Do you owe anything to anyone that steals from you? No.

Should someone have a reasonable expectation to be treated fairly if they steal from you? No.

Why phone home?

Why not refuse to run, or play a game with the pirate, or alter your program's behaviour, etc., etc.? Simply put, it is trivial for a cracker to hack your application so that it behaves properly. If you silently phone home then the cracker or pirate is none the wiser until it is too late.

You can use this data to track usage and you can generate pretty bar graphs. You can compare illegal vs. legal copies. You can even track how often a pirate launches your application.

Okay, what parameters do I give to the PHP script and how often do I call home?

Every iPhone has a unique device identifier. Pass this along!

The iPhone SDK gives you access to the user inputted device name. Pass this along!

Do you have multiple applications on the App Store? Pass the application name along!

Call home as often as you want. You can do it once per lifetime, once per version, or every time the application runs. It's up to you.

I've done all this, now what?

Well, you've harvested all of these unique iPhone device identifiers so now what? If you run a gaming server that keeps track of high scores, you can now move all high scores belonging to pirates to another board.

You can share these UDIDs with your friendly App Store developers. If they also run external servers for their applications, then they can utilize these identifiers in their own ways.

The possibilities are pretty much boundless.
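
Seen from the network side, the beacon described in this post stands out because the device identifier travels in the URL query string. The following is an added example, not code from this blog: a Python pass over proxy log lines that flags requests carrying a 40-hex-digit value and notes whether all three parameters from the client snippet appear together. The log format, host names and sample values are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# 40 hex digits: the UDID format this blog deals in.
UDID_RE = re.compile(r"\A[0-9a-fA-F]{40}\Z")
# Parameter names used by the client snippet in the post.
BEACON_KEYS = {"udid", "name", "application"}

# Constructed proxy log lines (timestamp, method, URL); hosts and values are made up.
SAMPLE_LOG = """\
2008-11-19T10:02:11Z GET http://stats.example.test/log.php?udid=0123456789abcdef0123456789abcdef01234567&name=Alice%27s%20iPhone&application=DemoApp
2008-11-19T10:02:15Z GET https://cdn.example.test/img/logo.png?v=3
2008-11-19T10:05:42Z GET http://stats.example.test/log.php?udid=0123456789abcdef0123456789abcdef01234567&name=Alice%27s%20iPhone&application=DemoApp
2008-11-19T10:07:03Z GET https://api.example.test/score?device=89abcdef0123456789abcdef0123456789abcdef&score=4100
"""

def find_identifier_leaks(log_text):
    """Return {host: summary} for requests carrying a UDID-shaped query value."""
    report = defaultdict(lambda: {"requests": 0, "ids": set(), "params": set(),
                                  "cleartext": False, "full_beacon": False})
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # not a "timestamp method url" line
        url = urlsplit(parts[2])
        params = parse_qsl(url.query, keep_blank_values=True)
        # Match on the value's shape, so a renamed parameter is still caught.
        hits = [(k, v.lower()) for k, v in params if UDID_RE.match(v)]
        if not hits:
            continue
        entry = report[url.hostname]
        entry["requests"] += 1
        entry["ids"].update(v for _, v in hits)
        entry["params"].update(k for k, _ in hits)
        entry["cleartext"] |= url.scheme == "http"
        # All three parameters from the post's snippet present in one request.
        entry["full_beacon"] |= BEACON_KEYS <= {k.lower() for k, _ in params}
    return dict(report)

if __name__ == "__main__":
    for host, e in find_identifier_leaks(SAMPLE_LOG).items():
        print(host, e["requests"], sorted(e["params"]), e["cleartext"], e["full_beacon"])
```
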

Friday, November 14, 2008

Naive Math

The Monkey's Ball, one of the popular cracked IPA distribution sites, was shut down today by a DMCA notice from O'Melveny & Myers LLP on Apple's behalf.

The person who owned the domain was kind enough to post his page analytics for the few months that his site was in operation:



Notice that this person had 250,353 unique visitors to his site. From here we can do some rudimentary, albeit naive, mathematics.

Now, to make the math dead simple, let's assume 250,000 visitors to the website were bona fide teenage virgin pirates. I'll discount the difference of 353 because at least 1 of them was me, 1 was Apple, 1 was their lawyers, and because App Store developers are quite aware of the piracy of their applications. Moreover some people may have accidentally stumbled upon the site when searching for pictures of monkey balls.

Let's assume, again, for simplicity, that the price bracket is $0.99.

If every hairy palmed pirate downloads 1 application then we have a lower-bound loss of:
1 (download) * 250,000 (hairy palms) * $0.99 = $247,500

Now the maximum number of applications that an iPhone can hold is 144. This gives us a theoretical upper-bound loss of:
144 (download) * 250,000 (hairy palms) * $0.99 = $35,640,000

Realistically, only the pirate with the hairiest of palms would have this many applications on their phone. So for the sake of argument let's assume the average pirate downloads 10 applications then we have:
10 (download) * 250,000 (hairy palms) * $0.99 = $2,475,000

In even the minimum case this is a significant amount of cheddar. If 25 developers evenly shared the revenue from $247,500 that would be $9900 for each developer before Apple's cut of your pie.

Whether or not $0.99 applications like WooHoo or the Chuck Norris Joke Generator deserve any of this is left for another post.

QED.

Thursday, November 13, 2008

Karma's a B*tch

As you all know I've been covertly following the iPhone cracking scene and posting the funny tidbits of information I find. Today's find takes the cake.

Crackulous is an iPhone application for jailbroken devices that allows any zitfaced punk to purchase an application from the App Store with his allowance or parents' credit card, crack it, and distribute it for free via the various offshore file sharing sites. Perhaps these punks collect ad revenue for every download or click-through to regain any incurred expenses.

The program was in beta testing and allegedly someone leaked it for all to use. The lead developer is crying a river that someone leaked his program, so he's taking his toys and leaving the sandbox.

What it boils down to is that someone pirated a pirate's software.

This is the sweetest of irony.

And if you're thinking that I leaked it, then you're wrong... or are you right?