05-10-2011 07:27 AM - last edited on 05-12-2011 12:01 AM by downsc
Fortunately it's protected by a serial but I doubt it'll take them long to crack it.
How are these guys getting the stuff from mobihand without paying for it?
Moderator Edit: Removed link for security reasons
05-10-2011 08:06 AM - edited 05-10-2011 10:05 AM
Once someone has it on their device, they can use Javaloader to download the cods from the device. Would that explain it?
A word of warning. That web site has some serious hacking/infecting code running on it. Don't go there without all your shields up! Even then, I would only go using a PC you can afford to disinfect.
05-11-2011 03:44 PM
05-11-2011 03:57 PM
Pirate groups often use an 'inside man' to supply the files. You might be able to establish a pattern by releasing an app to various distribution channels at various times and monitoring when one of them appears on the pirate sites. Or, better yet, watermark your apps (in some way) for each channel so when one turns up you can be certain of the source. It may be a user and not an 'inside man' but at least you can decide whether to skip certain channels.
Failing that, you could revoke your code signing keys and kill the app for all users, but that is a very drastic thing indeed.
05-11-2011 11:13 PM
I got all my apps on the pirate site. They even have a Windows code generator app. You just put in your PIN and out come all the activation codes. The problem is that I use RPN code and not dynamic code.
The only way to protect your app is to have your app validate itself with your server. If the app is not paid for, don't let it run. The only thing that keeps pirates from modifying the app is the signing keys. If they change one byte the bbOS security will catch it.
05-12-2011 02:31 AM
> the only thing keeps pirates from modifying the app are the sign keys.
Actually anybody can purchase signing keys for a small fee and re-sign the application, so this is not a real problem.
Regarding the initial question - we do use strong crypto:
* license key is generated based on device PIN number and signed by the server with our private key
* app downloads the license from server and verifies it using the public key
This way it is not possible for a third party to generate a valid license - unless they somehow get our private key. Of course setting up the whole infrastructure is not a simple task ...
There are some third party solutions, which may help you to reduce the piracy rate - for example http://licmax.com/
05-12-2011 04:34 AM - edited 05-12-2011 04:36 AM
We use strong crypto too for our serials; however, watch their cracking tutorial. They run the app through the debugger, your app generates the right code (to check it) and they just steal it out of memory.
Even without this, they can just change the conditional instruction to accept invalid codes.
It seems to me that the best way to make their lives harder is:
1) Use a mechanism that means you don't have to generate the correct code to verify their code is correct. Some sort of halfway house: half reverse the code typed in and half convert their PIN to the code and compare the intermediate value. (And use a non-trivial calculation - perhaps based on a crypto/hashing algo. RPN isn't safe.)
2) Check the serial in lots of places in your code
3) Obfuscate your code as much as possible.
05-12-2011 04:40 AM
PS - I hasten to add - a key gen or even serials for our apps haven't yet appeared on the site. Just the binaries from mobihand.
We use a strong crypto approach to generate a 5-letter serial.
05-12-2011 04:40 AM
> They run the app through the debugger, your app generates the right code
In our scenario, the app does not generate anything; it only checks if the license was signed with the correct private key.
It is not possible to generate a valid license without the private key (you need to steal it from our servers).
> Even without this, they can just change the conditional instruction to accept invalid codes.
While this is theoretically possible, I have not yet seen this done on any BlackBerry app (the .cod file format is tricky ...)
> 1) Use a mechanism that means you don't have to generate the correct code to verify their code is correct.
> Some sort of halfway house: half reverse the code typed in and half convert their PIN to the code and
> compare the intermediate value. (And use a non-trivial calculation - perhaps based on a crypto/hashing algo. RPN isn't safe.)
That is what private/public key crypto is about.
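
The server-signed license scheme described in the posts above (license derived from the device PIN, signed with the vendor's private key, verified in the app with the public key), as an added example that is not code from any poster or from the BlackBerry platform. It is a Go sketch using Ed25519; the algorithm, the `productID` string, the sample PIN and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// productID is a constructed identifier; binding it into the signed message
// stops a license for one app being replayed against another.
const productID = "example-app-1"

// NewVendorKey runs once on the vendor's server. Only pub ships in the app.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// licenseMessage canonicalises the PIN so "2a3b4c5d " and "2A3B4C5D" match.
func licenseMessage(pin string) []byte {
	return []byte(productID + "|" + strings.ToUpper(strings.TrimSpace(pin)))
}

// IssueLicense is the server side: sign the device PIN with the private key.
func IssueLicense(priv ed25519.PrivateKey, pin string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, licenseMessage(pin)))
}

// VerifyLicense is the app side. It never computes the expected license, so
// there is no valid value in memory to copy; it only checks the signature.
func VerifyLicense(pub ed25519.PublicKey, pin, license string) bool {
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(license))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, licenseMessage(pin), sig)
}

func main() {
	pub, priv := NewVendorKey()
	lic := IssueLicense(priv, "2A3B4C5D") // constructed sample PIN
	fmt.Println("own device:  ", VerifyLicense(pub, "2A3B4C5D", lic))
	fmt.Println("other device:", VerifyLicense(pub, "2A3B4C5E", lic))
}
```

Because the app holds only the public key, nothing it computes at run time can be reused as a license for a different PIN. The signature check does not cover tampering with the comparison itself, which the thread raises as a separate concern.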