Developer
Posts: 128
Registered: ‎05-06-2010
My Device: storm 2

Pirates

Hi all

I just released a new game a few days ago - and ALREADY it has appeared on the pirate site.

Fortunately it's protected by a serial but I doubt it'll take them long to crack it.

How are these guys getting the stuff from mobihand without paying for it?

Best wishes

Gareth

Moderator Edit: Removed link for security reasons

Developer
Posts: 19,636
Registered: ‎07-14-2008
My Device: Not Specified

Re: Pirates

Once someone has it on their device, they can use Javaloader to download the cods from the device. Would that explain it?

A word of warning. That web site has some serious hacking/infecting code running on it. Don't go there without all your shields up! Even then, I would only go using a PC you can afford to disinfect.

Developer
Posts: 1,807
Registered: ‎04-28-2009
My Device: Z10 (STL100-4)-10.3.2.858, Z10 (STL100-3)-10.3.1.2576, Z30 (STA100-5)-10.3.1.2582, Passport (SQW100-1)-10.3.1.2576, PlayBook (16GB)-2.1.0.1917
My Carrier: Verizon

Re: Pirates

Or use a virtual machine.
---Spends time in #blackberrydev on freenode (IRC)----
Three simple rules:
1. Please use the search bar before making new posts.
2. "Like" posts that you find helpful.
3. If a solution has been found for your post, mark it as solved.
--I code too much. Well, too bad.
Developer
Posts: 382
Registered: ‎05-19-2008
My Device: BlackBerry Torch
My Carrier: AT&T

Re: Pirates

Pirate groups often use an 'inside man' to supply the files. You might be able to establish a pattern by releasing an app to various distribution channels at various times and monitoring when one of them appears on the pirate sites. Or, better yet, watermark your apps (in some way) for each channel so when one turns up you can be certain of the source. It may be a user and not an 'inside man' but at least you can decide whether to skip certain channels.

Failing that, you could revoke your code signing keys and kill the app for all users, but that is a very drastic thing indeed.

Bill
-------------------------------------------
Check out my book on BlackBerry Development for Java.
And my other really really old book
My Apps: FlashKids
Developer
Posts: 709
Registered: ‎09-10-2009
My Device: 8520, 8900, 9000, 9300, 9650, 9700, 9780, 9800, 9810, 9900, 9930
My Carrier: Verizon

Re: Pirates

Is your serial locked to the device?

Developer
Posts: 1,632
Registered: ‎07-14-2008
My Device: Z10
My Carrier: Fido

Re: Pirates

I got all my apps on the pirate site. They even have a Windows code generator app. You just put in your PIN and out come all the activation codes. The problem is that I use RPN code and not dynamic code.

The only way to protect your app is to have your app validate itself with your server. If the app is not paid, don't let it run. The only thing that keeps pirates from modifying the app is the sign keys. If they change one byte the bbOS security will catch it.

Trusted Contributor
Posts: 224
Registered: ‎08-11-2010
My Device: Not Specified

Re: Pirates

> the only thing keeps pirates from modifying the app are the sign keys.

Actually anybody can purchase signing keys for a small fee and re-sign the application, so this is not a real problem.

Regarding the initial question - we do use strong crypto:

* the license key is generated based on the device PIN number and signed by the server with our private key

* the app downloads the license from the server and verifies it using the public key

This way it is not possible for a third party to generate a valid license - unless they somehow get our private key. Of course setting up the whole infrastructure is not a simple task ...

There are some third party solutions which may help you to reduce the piracy rate - for example http://licmax.com/

Developer
Posts: 128
Registered: ‎05-06-2010
My Device: storm 2

Re: Pirates

We use strong crypto too for our serials; however, watch their cracking tutorial. They run the app through the debugger, your app generates the right code (to check it) and they just steal it out of memory.

Even without this, they can just change the conditional instruction to accept invalid codes.

It seems to me that the best way to make their lives harder is:

1) Use a mechanism that means you don't have to generate the correct code to verify their code is correct. Some sort of half way house, half reverse the code typed in and half convert their PIN to the code and compare the intermediate value. (And use a non-trivial calculation - perhaps based on a crypto/hashing algo. RPN isn't safe.)

2) Check the serial in lots of places in your code.

3) Obfuscate your code as much as possible.

Developer
Posts: 128
Registered: ‎05-06-2010
My Device: storm 2

Re: Pirates

PS - I hasten to add - a key gen or even serials for our apps haven't yet appeared on the site. Just the binaries from mobihand.

We use a strong crypto approach to generate a 5 letter serial.

Trusted Contributor
Posts: 224
Registered: ‎08-11-2010
My Device: Not Specified

Re: Pirates

> They run the app through the debugger, your app generates the right code

In our scenario, the app does not generate anything, it only checks if the license was signed with the correct private key.

It is not possible to generate a valid license without the private key (you need to steal it from our servers).

> Even without this, they can just change the conditional instruction to accept invalid codes.

While this is theoretically possible, I have not yet seen this done on any BlackBerry app (the .cod file format is tricky ...)

> 1) Use a mechanism that means you dont have to generate the correct code to verify their code is correct.
> Some sort of half way house, half reverse the code typed in and half convert their pin to the code and
> compare the intermediate value. (and use a non-trivial calculation - perhaps based on a crypto/hashing algo. RPN isnt safe)

That is what private/public key crypto is about.
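
The signed-license scheme described in the replies above (license bound to the device PIN, signed on the server, checked in the app with only the public key), as an added example that is not code from any poster in this thread. Assumptions: standard Java SE `java.security` rather than the BlackBerry crypto API, ECDSA over a 256-bit curve, a license format of `PIN.base64(signature)`, and constructed sample PINs; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added illustration: Java SE crypto, not the BlackBerry (RIM) crypto API.
public class LicenseDemo {
    static final String ALG = "SHA256withECDSA";

    // Server side only: requires the private key. Format "pin.base64(sig)" is an assumption.
    static String issue(PrivateKey priv, String pin) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(priv);
        s.update(pin.getBytes(StandardCharsets.UTF_8));
        return pin + "." + Base64.getEncoder().encodeToString(s.sign());
    }

    // App side: holds only the public key, so it can check a license but never produce one.
    // Nothing secret is computed here, so there is no "correct code" in memory to read out.
    static boolean verify(PublicKey pub, String devicePin, String license) {
        int dot = license.indexOf('.');
        if (dot < 0 || !license.substring(0, dot).equals(devicePin)) return false; // other device
        try {
            byte[] sig = Base64.getDecoder().decode(license.substring(dot + 1));
            Signature s = Signature.getInstance(ALG);
            s.initVerify(pub);
            s.update(devicePin.getBytes(StandardCharsets.UTF_8)); // sign/verify the PIN itself
            return s.verify(sig);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return false; // malformed base64 or signature encoding counts as invalid
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair server = g.generateKeyPair(); // in deployment the private half stays on the server
        String pinA = "2100000A", pinB = "2100000B"; // constructed sample PINs
        String lic = issue(server.getPrivate(), pinA);
        // A license copied to another device with its PIN field rewritten to match.
        String relabelled = pinB + lic.substring(lic.indexOf('.'));

        System.out.println("issued device:     " + verify(server.getPublic(), pinA, lic));
        System.out.println("copied to device B: " + verify(server.getPublic(), pinB, lic));
        System.out.println("PIN field rewritten: " + verify(server.getPublic(), pinB, relabelled));
    }
}
```

This closes the key-generator route discussed in the thread, since the app contains nothing that can produce a valid license; it does not address the other route raised above, changing the conditional that consumes the result of `verify`.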