AppStore Piracy Prevention

Guides | Reviews | Thoughts By 6 years ago

As a developer it’s extremely frustrating when you’ve worked on an app for months upon months and after release on the app store as a paid app, you find it cracked and free for anybody that doesn’t want to pay. I made this mistake on the first application I released on the app store, a week or so after release I found version 1.0 scattered all over the web.

It would have been best to implement piracy checks from the beginning, but this had to be part of the 1.1+ update. Since 1.0 I have released versions 1.1 and 1.2, and have only seen version 1.1 ‘cracked’ and uploaded to websites, but I have tested this out myself, and my piracy checks do exactly what they are supposed to do, crash the app rendering it useless.

Before any details on protecting your apps, I will explain how the piracy system works for iOS apps.

Each application is code-signed with a certificate, which can be verified by the iOS to make sure that the current device has sufficient privileges to install/run your application. During development the certificates last ~12 months (you can even wind your clock back after the certificate has expired in order to launch the app again) and for a lifetime when you get it from the app store. When you submit your application to the app store, Apple resigns your app with their own certificate.

Of course, on a jailbroken phone, these certificate checks can be disabled, or your app can be resigned with a bogus certificate for distribution on the web or services like Crackulous.

Usually when people take a version of your app and crack it for illegal distribution they will use a tool that will do the exact same thing on each app it is used on, designed to work on all apps that don’t do any piracy checks, which is most of the apps out there. Even if you put in a basic piracy check, chances are the person using this tool has no real cracking talent and wont be able to do anything about it. It’s never impossible to protect anything 100% in the IT world, if somebody wants your app cracked that badly they can modify your app’s binary to bypass the security checks, but the more difficult you make it will discourage the cracker.

There’s a great tool from Cocoanetics I purchased called AntiCrack, which has a one time purchase fee. You may think I’m writing this blog just to sell you something, but if you’re serious about selling your app it will pay itself off in 15 downloads or so (or you could try and implement the techniques below yourself).

Check if your program is being debugged:
When building for release/distribution mode, the first thing your main function should do is check whether the app is being debugged. If so, crash/exit the app. A debugger will make a cracker’s job 10x easier, so don’t give them the opportunity. There’s a method Apple provides for this (AmIBeingDebugged())

Check the signed certificate:
Have your app look at the certificate is has been bundled with, if it’s not valid then crash/exit the app.

If your app connects to the web I highly recommend you obfuscate the urls it connects to (or any other vital strings your app uses). Your original strings wont be in the binary, and will be decoded at runtime. If the cracker manages to bypass the crash/exit you have implemented, they will still need to figure out your cipher algorithm to get the original strings back. If your app is web focused and the urls can’t be decoded, your app wont have much functionality 🙂

Inline methods and defines:
Implement the above methods using inline methods or defines. Using a standard function means at runtime the code within that function only exists in one place, when it’s needed to run the program will jump to that code and then jump back to where the function was called from then continue. Your cracker can find out where this one place is and remove any jumps to it, or make it jump back before any real checks are performed. Using inline methods and defines means your checks will be scattered throughout the program, everytime the method/define was used, meaning the cracker will need to remove each instance of your piracy checks.