
Yesterday the news broke that Apple was finally allowing free iPhone apps to include in-app purchases. Until then, developers who wanted to offer a free trial of their applications had to create 2 versions: a full-featured paid version, and a “lite” stripped-down version with very basic features.
The news was very welcome, especially among developers who see in this new system a chance to reduce application piracy. Two articles got my attention yesterday as they were insinuating that in-app purchase for free apps was the end of piracy.
From MobileCrunch:
Here’s the trick: while you can crack an iPhone application and throw it up for all to download in a matter of seconds, you can’t fake an In-App purchase receipt. A pretty notable chunk of the In-App purchase process is actually handled on the developer’s server, in addition to Apple’s – so unlike the initial purchase (which devs actually get to know very, very little about), developers know pretty damn well exactly which iPhones should be running which In-App Purchase. Developers have a specific receipt for each in-app purchase, which resides on their server. Faking this would be like tricking Amazon into shipping you a TV that you didn’t pay for.
From TUAW:
“Will this help in anti-piracy measures?” Definitely. StoreKit allows developers to validate receipts, ensuring that unlock codes are only sent to paying customers. Add a hash-check algorithm for the current device and developers have better control over who gets to use their applications.
I am not much of a technical person (“StoreKit” and “hash-check algorithm” sound like Chinese to me) but I really doubt that in-app purchase is the end of piracy. If anything, it’s going to start a new era of iPhone app piracy.
To crack an application, you first have to download it. So let’s say I’m a cracker, I download the app, I pay for the in-app purchase that “unlocks” the full-featured app. Now that I have everything, I just need to crack the application and make it available to the general public.
Nothing changes. Maybe the way I crack the application changes. Maybe I have to bypass a few new protections like the StoreKit thing, but in the end, if I have the full application to work on, there will always be a way to trick the app into thinking it is legit.
So to me, in-app purchase will not kill iPhone app piracy. At best, it will slow it down and instead of getting the cracked version of XYZgame 2 hours after the release, I’ll get it in 3 hours. At the end of the day, you still get your cracked app.
As I said above, I’m not technical at all and I might be missing something here. I’m interested in hearing what you have to say about it. Do you think in-app purchase will put an end to iPhone app piracy? Why? How? Leave a comment to share your views.




22 Comments


Even if you had to be connected to the internet to validate your app every time you ran it, it would still be crackable by an experienced hacker, who could simply remove the parts of the program that check if it was purchased or not. Just the same as they do with copy protection algorithms found on PC games.
It’s definitely not the end of iPhone app piracy, this will only make it a little bit trickier, that’s all.
I think in-app purchase _will_ make life a lot harder for pirates. Because now, you can generate an unlock code specific to the device that actually bought the item. So, what a cracker will get when he purchases the in-app article, is a code that has been generated by my server for this single device. He can’t just move this unlock code onto another device and hope it will still work there. He would have to either write a keygen (very hard if some encryption is added to the unlock code generation) or explicitly hack the app to disable the check for the unlock code, e.g. by disassembling and patching it. This at least involves getting very close to the metal which always needs some effort to be put into.
Of course it’ll still be possible but I doubt it will be easy enough for any to enjoy.
The hackers needed like forever to hack iPhone OS 3.1 and they didn’t even manage to unlock it.
I have paid for all my apps (although I “try them out” in advance) but I can’t even use my latest purchase because it asks for OS 3.1 which I can’t use because I need to unlock the phone.
Together with the epic appuloha1l fail I think people are losing their nerves with the whole jailbreak scene.
I know I’ll sell my iPhone 3Gs 32GB soon and get one from Hong Kong instead. As I see it, more people are considering the same.
It won’t stop piracy. But it will make it harder.
Right now, to crack an app, you just have to beat whatever protections Apple has done. So you only have to beat them once and it works for every iPhone app (and I believe there are simple tools out there to let anybody just crack an app with a click.)
With the in-app purchase, now every developer can do things slightly differently. Each app has to be cracked individually. Still of course it’s possible…but much harder and more time consuming if the developers do different tricks.
If big giants like Microsoft can stop piracy, yes remember each Windows license is unique, and Windows 7 is now jacked/patched, Apple does not stand a chance, these hackers will laugh in their faces!
I agree with Adesh, Apple doesn’t stand a chance, the hackers will find a way around it!
It will help deter it. It will not eliminate piracy completely. That’s just not possible.
@Adesh: Microsoft *has not* stopped piracy. I don’t know where you get that idea.
@Adesh: Oops. Looks like you have a typo so I misunderstood your post.
I think customers are going to become very tired very fast with in-app purchases. I know for one, if I download an app, only to get prompted repeatedly for more money to access more functionality, I’m throwing that app out fast. I think developers that take the approach of releasing bare minimum apps, with additional functionality only available through in app purchase, are going to find people deserting their apps in droves. People want to buy something and know it’s theirs. They don’t want a subscription model. Those developers releasing fully functional apps will win out over the bare minimum/in app developers.
Hmmm, until now we had only one anti-piracy protection so crackers only had to apply the same method for all applications on the App Store.
Now, with potentially thousands of different anti-piracy protections, it will take much more time for crackers to crack an app. In a few steps:
1. an app is launched in the App Store;
2. the cracker buys the app;
3. he checks for a known anti-piracy protection;
4. if the protection can be broken he cracks the app.
I don’t know about piracy itself but it seems to me that piracy could be driving some sales for iPhone (even with the millions of purchases on the App Store) as I was seeing myself lately telling my friends how jailbreaking an iPhone could let it open like an Android mobile device.
Just to leave some additional thoughts on the subject.
Maybe one could disable in app purchases for every app in his/her iPhone just to avoid any checking.
We’ll see how this goes.
>>>”StoreKit” and “hash-check algorithm” sound like Chinese to me
Well Chinese is my native language (sort of). Just kidding.
How hackable it will be depends a lot on the app.
If in app purchase ‘unlocks’ a feature in the game then decompiling the app, finding that locking mechanism and bypassing that mechanism will be a viable approach.
If, however, your application is strongly server reliant, that is, your purchase requires sending something to the server to accomplish something for you that will not run on your device, it will be quite easy for the server to verify all of the audit-related information for the purchase, and it can simply choose not to complete the request for the app if it doesn’t have a valid purchase. No amount of modifying the app will force the server to complete the request.
An example might be a poker game where your chips are stored on the server. If the in-app purchase increases the number of chips you have, assuming this is all server side, a hacked version could request more chips, but if the server can’t verify the purchase it simply ignores it.
But clearly this is very app dependent.
In-App purchasing increases the complexity of cracking an application, because at present, cracking the app is probably the same process for each app – remove/alter the code-signing, so that any iPhone can run the app. In-App purchase means that in the first instance all the code and data is there, but having cracked the app so anyone can install it, you then need to discover what means and lengths the developer has gone to, in order to prevent the pirate from hacking the app.
Naturally I’ll not be discovering what means I will be using myself, but what Boro said is right; even if you have to validate all the time, this just makes it harder. That, like with the prevention of all crime, is all that can be done. Essentially the means to protect the application from running full out are provided with the application.
So, from my own perspective as a developer, I welcome in-app purchase, because it does mean that instead of a two-hour task a hacker has done a thousand times before, it becomes a 2hr+ task, but be assured it’s unlikely to be a 3hr task, so we might see more of a trend of app comes out, cracked app appears two weeks later, instead of app comes out, cracked app appears 2 hrs later.
What I find annoying, is that a person who has paid, probably £300 plus for a device, cannot be bothered to support the people who are trying to create content for the device, by parting with a measly £2.99 now and then.
Well, IMO the way things are going for the App Store (piracy), the app store will be left with only the crappy stupid games. Smart developers of quality games will have to move on to more secure pastures, and this could spell an abrupt doom for the app store…
already true… surviving HS app won’t let you download new episodes that are free upgrades if the app is cracked!
Depends on the in-app purchase. If the in-app purchase is to enable a service, and that service needs to ping an online server (i.e. to retrieve dynamic contents,) then hacking this will be nearly impossible. Since each ping can verify the validity of your in-app purchase.
But if the in-app purchase is purely just a new functionality to the app, then it is possible to hack the application without ever pinging the server.
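The server-side check described in the comments above (the poker-chip case and the service that verifies each request), as an added example that is not part of the original post or its comments. `verify_with_store`, the receipt strings and the product names are hypothetical; a constructed table stands in for the store's receipt verification so the code runs offline.

```python
from dataclasses import dataclass, field

# Constructed sample data: receipts the store would confirm as genuine.
# In production the server asks the store operator; this table is a stand-in.
VERIFIED_RECEIPTS = {
    "rcpt-001": {"transaction_id": "tx-1001", "product_id": "chips.500"},
    "rcpt-002": {"transaction_id": "tx-1002", "product_id": "chips.2000"},
}
CHIPS_PER_PRODUCT = {"chips.500": 500, "chips.2000": 2000}


def verify_with_store(receipt):
    """Hypothetical helper: return the verified purchase record, or None."""
    return VERIFIED_RECEIPTS.get(receipt)


@dataclass
class ChipServer:
    balances: dict = field(default_factory=dict)  # account -> chips, held server-side
    redeemed: set = field(default_factory=set)    # transaction ids already credited

    def redeem(self, account, receipt, claimed_product):
        purchase = verify_with_store(receipt)
        if purchase is None:
            return "rejected: receipt not verified"
        # Trust the verified record, not what the (possibly patched) client claims.
        if purchase["product_id"] != claimed_product:
            return "rejected: product mismatch"
        # One credit per transaction, so a shared receipt cannot be replayed.
        if purchase["transaction_id"] in self.redeemed:
            return "rejected: receipt already redeemed"
        self.redeemed.add(purchase["transaction_id"])
        chips = CHIPS_PER_PRODUCT[purchase["product_id"]]
        self.balances[account] = self.balances.get(account, 0) + chips
        return "credited"

    def place_bet(self, account, amount):
        # The client never reports its own balance; the server decides.
        if amount <= 0 or self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        return True
```

A modified client can still send any request it likes, but the balance only changes when the store's record backs the claim, which is why this design holds up where a local unlock flag does not.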
I’ve already found a way that I’m keeping to myself, it isn’t rocket science, I have a bunch of free houses in graal online thanks to my algorithm…. All I’ll say is that it’s VERY simple. It could’ve only been that game but I think it works.
Tyler can you please tell me?
Ultimately, this will be the end of most mainstream piracy. From now on, only experienced pirates will be able to crack apps (unless the developer is stupid and makes getting the content as easy as changing a number and blocking the app’s internet access with FirewallIP), and chances are, they’ll target popular, mainstream ones. Regardless, developers now have more control over app protection; if I wanted to, I could add different hash checks etc. to my app in really weird spots, and that would be a real pain for crackers.
Come on. People only get cracked apps because they’re poor and can’t afford it, like me, or they have no credit card, also like me. And a bunch of apps in the app store should be free anyway, like “Animal Photos”, that app is $99.99 and I got the crack from Installous. All it is is about 60 pictures of animals, and that’s it. Shoot, I need to get myself an Apple Developer account if you can do that! I mean, Apple, really? Really? Sure. Okay. And the best part is, THE PHOTOS WERE TAKEN DIRECTLY OFF OF GOOGLE IMAGES.
iAd adds another development in this fight against the freeloaders who steal food off my table.
iAd won’t serve ads to cracked apps. Neither does in app purchase work on cracked apps. Before, with Google/AdMob I could at least make money on the people who steal my app if they click on the ads.
But if I can’t make money with either ads or in app purchase, I’ll probably just turn off server access within a few hours of detecting a jailbroken device.