Difference between revisions of "Copy Protection Overview"

From The iPhone Wiki
Jump to: navigation, search
Line 5: Line 5:
   
 
Fighting one particular automated process for removing copy protection is easy [http://thwart-ipa-cracks.blogspot.com/2008/11/detection.html], but curving iPhone application cracking is difficult, because of the many undocumented moving pieces (Apple's signatures, protection mechanism, application approval process, and iTunes distribution). Learning all this is a lot of work, which is currently duplicated by all independent developers who don't want to pay RIPdev. If developers pool their knowledge into the iPhone Wiki, the learning effort will not be duplicated anymore, and applications will have higher overall quality. Ideally, developers will produce an open-source obfuscation mechanism that is trivial to apply to applications, but takes a non-trivial amount of time to reverse.
 
Fighting one particular automated process for removing copy protection is easy [http://thwart-ipa-cracks.blogspot.com/2008/11/detection.html], but curving iPhone application cracking is difficult, because of the many undocumented moving pieces (Apple's signatures, protection mechanism, application approval process, and iTunes distribution). Learning all this is a lot of work, which is currently duplicated by all independent developers who don't want to pay RIPdev. If developers pool their knowledge into the iPhone Wiki, the learning effort will not be duplicated anymore, and applications will have higher overall quality. Ideally, developers will produce an open-source obfuscation mechanism that is trivial to apply to applications, but takes a non-trivial amount of time to reverse.
  +
  +
== Copy Protection Removal Overview ==
  +
Developers that want to guard against copy protection removal must understand how it works. [http://www.ipodandiphone.com/2008/08/start-to-finish-iphone-app-crack-release/] documents the process in a tutorial fashion. A summary follows.
  +
  +
The only encrypted part in an iPhone application is the executable file. The cracking process starts the victim application, then uses a debugger to suspend it. The application's executable code lies unprotected in RAM, and the debugger dumps it on disk. Then, the encrypted part of the executable file is replaced with the unencrypted code dumped from memory.
  +
  +
The application's Info.plist is modified so that the jailbroken iPhone kernel does not check the application's signature, which is invalidated by the modification of the executable file. A more rigurous cracking process could remove Apple's signatures and certificates, and replace them with a self-signed certificate, as is done when developing with the jailbroken toolchain.
  +
  +
== Defeating Copy Protection Removal ==
  +
RIPdev's blog post on Kali Anti-Piracy [http://ripdev.org/2009/02/how-kali-ap-works.html] suggests the following methods to counter copy protection removal.
  +
  +
* preventing debuggers from attaching to the application
  +
* loading the executable code in stages, such that it's never completely present in RAM, unprotected
  +
* integrity checks throughout the application
  +
  +
== Integrity Checking Methods ==
  +
An increasing trend among application developers is to use inexpensive integrity checks, and revert into a trial mode or shut down the application, some time after the integrity checks fail. An essential step is making sure the application does not act too soon, so that "crackers" do not notice the integrity checking process, and release the application as cracked immediately after removing the FairPlay encryption.
  +
  +
[http://thwart-ipa-cracks.blogspot.com/2008/11/detection.html] suggests examining the Info.plist file, and checking for the existence of the SignerIdentity key that is added in the cracking process, and would not exist on any applications originating from the App Store. [http://landonf.bikemonkey.org/code/iphone/iPhone_Preventing_Piracy.20090213.html] suggests reading the executable file, and checking for the Mach-O directives for an encrypted section, as FairPlay introduces an encrypted section which is removed by cracked applications.
  +
  +
These methods are cheap to implement. They are also easy to break, once the cracker is aware of them. This explains the need for introducing a delay between the crack detection and the delivery of the punishment, which can be as mild as popping a dialog box appealing to the user to purchase the application [http://benchatelain.com/2009/03/07/cracked-copies-of-full-screen-web-browser-function-as-demos/].

Revision as of 03:34, 11 May 2009

Landscape and Motivation

Applications downloaded from the iTunes App Store are protected by FairPlay DRM. The FairPlay copy protection has been cracked some time ago [1]. What's worse, the copy removal method has been automated by the infamous Crackulous application [2]. The silver lining is that removing the copy protection from applicatins invalidates Apple's signature, so these applications cannot be run on phones without the jailbreak.

iPhone application piracy is significant [3][4][5], so relying on Apple's protection scheme is not a solution for most developers. RIPdev offers a protection scheme that they claim has not been broken so far, but they charge both a setup fee and royalties on an application's sales [6].

Fighting one particular automated process for removing copy protection is easy [7], but curving iPhone application cracking is difficult, because of the many undocumented moving pieces (Apple's signatures, protection mechanism, application approval process, and iTunes distribution). Learning all this is a lot of work, which is currently duplicated by all independent developers who don't want to pay RIPdev. If developers pool their knowledge into the iPhone Wiki, the learning effort will not be duplicated anymore, and applications will have higher overall quality. Ideally, developers will produce an open-source obfuscation mechanism that is trivial to apply to applications, but takes a non-trivial amount of time to reverse.

Copy Protection Removal Overview

Developers that want to guard against copy protection removal must understand how it works. [8] documents the process in a tutorial fashion. A summary follows.

The only encrypted part in an iPhone application is the executable file. The cracking process starts the victim application, then uses a debugger to suspend it. The application's executable code lies unprotected in RAM, and the debugger dumps it on disk. Then, the encrypted part of the executable file is replaced with the unencrypted code dumped from memory.

The application's Info.plist is modified so that the jailbroken iPhone kernel does not check the application's signature, which is invalidated by the modification of the executable file. A more rigurous cracking process could remove Apple's signatures and certificates, and replace them with a self-signed certificate, as is done when developing with the jailbroken toolchain.

Defeating Copy Protection Removal

RIPdev's blog post on Kali Anti-Piracy [9] suggests the following methods to counter copy protection removal.

  • preventing debuggers from attaching to the application
  • loading the executable code in stages, such that it's never completely present in RAM, unprotected
  • integrity checks throughout the application

Integrity Checking Methods

An increasing trend among application developers is to use inexpensive integrity checks, and revert into a trial mode or shut down the application, some time after the integrity checks fail. An essential step is making sure the application does not act too soon, so that "crackers" do not notice the integrity checking process, and release the application as cracked immediately after removing the FairPlay encryption.

[10] suggests examining the Info.plist file, and checking for the existence of the SignerIdentity key that is added in the cracking process, and would not exist on any applications originating from the App Store. [11] suggests reading the executable file, and checking for the Mach-O directives for an encrypted section, as FairPlay introduces an encrypted section which is removed by cracked applications.

These methods are cheap to implement. They are also easy to break, once the cracker is aware of them. This explains the need for introducing a delay between the crack detection and the delivery of the punishment, which can be as mild as popping a dialog box appealing to the user to purchase the application [12].