A warning to all developers (specifically iOS)

Hey guys I would just like to warn you guys about a member on on toucharcade (and probably lots of other places) who takes promo codes for your apps - then cracks them and releases them to pirate web sites!
The member is
brveloso
We gave away 20 promo codes through twitter and He got one.
This is his twitter @BR_veloso
His face book
Security Check Required | Facebook

This guy is so despicable that he won't even buy one copy before he cracks it and spreads it on the internet!

So just a warning to all - don't give this guy any promo codes!

 

I have a list of "untrusted toucharcade users" that i will publish soon.
If you don't want leaks of your game before even released to the store, contract QA studios (there's a bunch for the iPhone) or trusted people that you really know. ^^

 

Yuck. 1 pirated copy != 1 lost sale, but 100 pirates copies doubtless means some lost sales.

I'm curious, did you make use of any copy protection scheme, for example the basic Unity scheme of checking the iPhoneUtils::isApplicationGenuine() boolean (better than nothing), or verifying the cryptographic hash of your application binary yourself (hopefully would defeat automated tools)?

I'm thinking I would rather make my apps immune to automated hacking tools, than to make a list of all the people who run automated cracking tools, which could be a rather large list.

 

btw, iPhoneUtils::isApplicationGenuine() its a joke, it can be bypassed quite easy.

 

The genuine check is indeed worthless basically though you can use it for meaningfull purposes like detecting cracked versions to get figures etc as it is a standard crack

Any protection can be bypassed easily though in general (I don't know any that can't be broken and the more secure ones require smart devs to utilize them correctly to not expose the security obviously), it just is much easier to do it faster if the devs that use such systems are stupid enough to put the check right in start areas and immediately disable stuff if it fails.
Thats among the most stupid things you can do, no cracker, independent of how noobish, could miss such an unprotection, even tools will easily detect it.

If you do something that stupid or have the nerv to call such a programming style on the protection "correct", you shouldn't waste time on protection anyway as you won't get any that works if you fail that misserably as user of the protection systems

 

The majority of criminals have little technical knowledge. Someone writes a simple program called Low Orbit Ion Cannon in C#. Years later, thousands of 'Anonymous' malcontents use it by typing in an IP address and clicking "Lock on!" (or less). Most burglars rely on unlocked doors and brute force, not the finesse seen in movies.

I don't see why spending 30 minutes on writing a routine that checks the cryptographic hash of your game before the boss encounter of each level would be stupid. Combining this with your first statement, (a) are you saying automatic cracking tools can detect and a custom-made crypto hash check and therefore a difference mechanism is to be recommended, or (b) it's your belief that most criminals who use automated software to crack $1-$2 games are geniuses :rolls eyes: and can do it manually if needed?

Defeat the 99% who are 'script kiddies' and for a low-run game you may not be cracked at all, and for a high-run game you may have bought yourself a few days of pirate-free sales. The alternative to a client integrity check is a server integrity check, stronger but annoying for paying clients. Intuitively, either approach should be more effective than personally maintaining a do-not-sell-list containing all the crackers of the world.

If there's a client integrity check mechanism better than a cryptographic hash I would be interested in hearing it. My current App's weeks away from a release and I would like to learn from VPrime's experience.

 

Using protection isn't stupid.

But if you utilize it like this, its actually stupid. Someone doing protection this way has an even lower knowledge level than a script kiddo that uses a one button click crack, but at 100 times the effort.

You can't just use protection bruteforce etc, it will become trivial to crack it if you put the whole stuff "open onto the plate" for the cracker to find and remove, which is what startup - loading locks / disables right from the start actually are doing.

 

dreamora, then enlighten me. What cracking program in common use for iPhone Apps would auto-remove this?

(Or are you now saying only doing this as startup is foolish and "can be bypassed easily")

30min x 60sec/min / 100 = 18sec. In 18 seconds flat, no less.

 

I found a list of anti-piracy techniques that the leading iPhone cracking program can't auto-defeat:

It seems my crypto hash of the binary idea is one of them. The one warning they add is to ensure it's not the only file open (to help protect against the rare programmer-cracker).

I still disagree with your premise. No security is unbreakable, however it can be difficult to defeat.

 

A thought:

1. For iOS apps, release a free version of the app.
2. Make the full version an in-app purchase.
3. The in-app purchase triggers the download of a key. As the player must already be online for the in-app purchase, this is unlikely to piss anyone off. The process can also be labelled for what it is: "Downloading additional content."

This downloaded key is used to decrypt some, but not all, game data for the full game, (e.g. some levels, some NPC behaviour scripts, etc.) This encrypted full game data is encoded using a private key, with the downloaded key used as the public key.

4. Design your app to use the decrypted data. If the decryption results in gibberish, it means your app was pirated. You can either inform the player of the detection, or be devious about it and ensure the game provides a reduced quality experience.

My own preference would be for my app to behave in such a way that it triggers occasional support requests or reviews that are likely to include specific keywords. I can then make regular searches for such keywords and thank these idiots personally for providing me with direct evidence of their untrustworthy ways.

In public forums.

Unlike Google, I'm more than happy to be evil. I get to overact and practice my mad laughter. (Which reminds me: muahahahaaa! There, that's one more item crossed off my daily to-do list.)

 

I should potentially have been more precise: If you do checks over the lifetime and that every single time, from minute 0 of usage on, the cracker will see all "check fails" on his first go and can find all of them before uploading the binary.

But if you do it more tricky like stuff thats not detectable as copy protection (See Batmans copy protection where your cape just fails to fly far enough if cracked which is not even remotely obvious) you get a much better yield and chances that it will ever be uncovered as protection goes towards 0, same goes for checks that don't impact anything until fail 10 or after 3 days of usage etc.

For example a boss could heal himself on a cracked one, more or harder enemies are around, less weapon powerups, no extra life drops and so on, stuff that prevents them from finishing the game.


Also a more and more common way to fight it is the obvious iOS way: Free application - in app store kit - advertisement (and with iAd starting in many more countries at the time, through iAd primarily, admob secondary), cause the inapp store kit can't be faked reasonably

 

That sounds clever, but unwise. Folks using the cracked version may post negative feedback believing they're playing the real deal, and that could in turn hurt your game's sales. Some games are posting 50% piracy rates, which is quite scary, and means pirates can affect reviews and ratings.

If you generate a unique public/private keypair per user, that's more secure than a client integrity check, albeit at higher cost. I may opt for something simpler, but that sounds very workable.

Sounds fun.

 

D*mn it Dreamora, get off the fence man and tell us what you really feel

All computer based security measures can be defeated, with the right amount of skill and effort put to the task. The troubling thing with the OPs message is you aren't dealing (necessarily) with a script kiddie... someone who can do it, is using your attempt at good will to get a free copy, then cracking your game so the script kiddies don't need to....

while I don't personally put too much emphasis on pirating prevention into my games thus far (which might change... this practice being discussed really boils my biscuits....) Here are some things to look into:

1) Pirated games require unlocked devices, use this as a sign your game is compromised (some legit customers may have unlocked devices, so don't rely on this entirely)

2) don't assume the player is a pirate, or even understands the game is stolen (the actual pirate may not even play your game... hackers in general live for the hunt/kill not the actual prize)

3) encryption of plain text, or other game data can be your friend (I recommend Blowfish if you can manage it, it's a little slower than AES, but then again, it's never been cracked)

4) As Dreamora mentioned, don't put security measures in one neat little class... in this instance duplication is your friend

5) Sign your security code (at least), and use pervasive runtime checking.

6) check for everything that you can.

7) online is your friend, think about using a one way hash based on the device ID to isolate a given game to a single device (again this one's tricky... player's may have multiple devices, but they shouldn't be copying the exact same instance of the game to each one), once you have the hash, return a UUID for the game to use (think of it as a game key, once stored the game won't run without the pair - one generated, one handed out by you). If your server ever recieves a miss matched hash and UUID... say goodnight gracy

8) incent palyers to register Nothing like a periodic prize/contest/whatever to get people to tell you who they are, prove their app is genuine, and catch the miserable *^^%#!!s with their hands in your cookie jar, coming back for the milk

Use your head when it comes to what you do if you know it's cracked, if you go too far and it turns out to be a real customer that gets the brunt of your wrath Apple will put your iOS publishing dreams to an end. (remember to account for the Apple testers... who's devices may not conform to normal iOS expected environments).

Cheers,

Galen

 

How would you go about doing this? Using WWW to post data that it was indeed a crack version being used? Wouldn't the cracker just disable such a thing?

 

I think that even if I tried to track piracy rate, it'd just make me sad.

http://www.learn-cocos2d.com/tag/piracy-rates/

I think this article has some logic behind it. Basically, high piracy percentage just means you aren't selling much. I'd be open to counter-evidence, though.

 

I'm really surprised to see that today, December 2010, most comments about fighting piracy are positively interested in such an action, while yesterday, January 2010, majority was strongly voicing against caring about it, or even denying that piracy rates could be higher than 1~5%.
Did I step in too early ?
What's even more interesting is to see that this tendancy is witnessed on other gaming sites, like Toucharcade or Kotaku. People's overall conscience about it seems to have evolved this year.

Anyway, I'm happy to see some devs finally open to accept that numbers could finally be higher that what we expected, that it IS lost sales to a certain degree, and that actions have to be taken against it on the dev's side.

There are some great technical infos about how to jam low hackers in this thread so far.

edit : this picture from JTown's link is awesome, I'd stick it on my desk if I could

 

I personally don't care that the game was pirated. I expected it to happen eventually. And really there are only about 3 or 5 people playing the pirated copy (game center players vs sales).
What I have an issue with is with pirates like the one I pointed out. Ones who just get developers to hand over their programs freely to them.
This guy (and many others on touch arcade) just get unsuspecting developers to hand their apps over so they can rip it off.. This is a different kind of scum IMO.
It used to be that cracking/ripping groups would buy the games then share.. Even when sharing TELL the people to buy it if they like it.

 

You cant think of pirates as customers, they are not customers. It might be better to simply forget it and spend your time improving your game (to sell more units to actual customers) then it would be to try and stop the pirates from stealing. If there are any "pirate-customers" (that is people who try before they buy -- which I dont believe there are as many as people say), it would increase the likelihood they would buy your game.

 

It's naive to believe that 100% of criminals who stole your game would've bought it anyway, but it's also naive to believe that none of criminals who stole your game would've bought it if the piracy option did not exist.

We agree then, 0% < CriminalConversionRate < 100%. We could argue whether it's 1% or 5% or 10%, but intuitively for a long-term, multi-person project, anti-piracy protection must be worth a few hours.

This group of pirate-customers is larger than "people who try before they buy". Another group is "people who get it for free if they can." A college student I know rented the first Twilight movie, but downloaded the second for free when a friend told her she could. Proof this group actually exists and has more than one member.

Of course, we both knew that already.

 

n0mad, I like the chart, and intuitively it makes sense! There are some movies that are worth a theater ticket, others worth a DVD or BluRay rental, and some I'll only watch if I can see them for free.

 

I have always held the position that pirates really weren't customers anyway... and those that troll for warez sites are always going to be the "questionable" lost market. What changes here for me, and I believe I'm in line with VPrime here, is this type of "oh please let me have a game code", then using the free copy to open the doors for anyone so inclined to get the game free. That download code is really a loss leader to help generate some intial good will and (ideally) some positive feedback from real potential customers.

I agree lower sales make pirating more painful... but low or high, this practice errodes trust. The game industry has long treated customers as criminals first, and this kind of practice has the tendency to validate that mentality (a whole new crop of game devs, studios, and publishers get to "re-learn" not to give customers the benefit of the doubt.

I can't speak for others, but this type of practice has me sliding back into a defensive mode.

Just my thoughts,

Galen

 

If the game was free with the first set of levels (effectively acting as a free trial) but had an in-app purchase to download/unlock additional content (i.e. more levels) would this make piracy more difficult?

It would at least allow people to "try-before-you-buy" without needing to have separate paid and free apps, removing one of the justifications for piracy...

Would this approach also help a Unity game stay under the 20Mb 3G limit?...