iPhone Piracy 101: How it works

>> Sunday, September 06, 2009


**This is a guest article by Will Strafach, who has also written for MrCracker.com.**

Developing iPhone applications is all the rage now. From the multi-million dollar software company to the teenager in his bedroom, it has become a new phenomenon. There have now been over one billion application downloads from the Apple App Store, and even more through the unofficial Cydia Store, the homebrew store on jailbroken devices that lets developers distribute, for free or for pay, applications that use private calls and libraries. For both, though, there is a rising problem for developers: piracy. Someone buys the application, strips its copy protection, and redistributes it so that it runs on anyone's device for free. In this article, I will explain exactly how people pirate the applications, and how you can fight back. Keep in mind that eventually, one way or another, the application will get cracked. Instead of asking “How can I stop this from getting cracked?”, it is more useful to ask “How can I keep this from getting cracked for as long as possible?”.

First, someone must buy the application. App Store applications are encrypted with Apple's FairPlay DRM, but the encryption only protects the executable on disk: when the application launches, the device decrypts its code into memory so that it can run, and crackers have found a way to take advantage of this. They install the purchased copy on a jailbroken device and launch it under the GNU Debugger, or “gdb” for short, which is available in Cydia. Because they are controlling the running process through gdb, they can dump the decrypted code straight out of memory. Next, they write the dumped bytes into the application file over the range that used to hold the encrypted bytes, and change a value in the binary's header called the “crypt id” (the cryptid field of the LC_ENCRYPTION_INFO load command) from 1 to 0, which tells the system the executable is not encrypted and should be run as is. At this point the application is fully decrypted, despite the intentions of Apple's FairPlay DRM. Finally, inside the .app bundle, the key “SignerIdentity” with the value “Apple iPhone OS Application Signing” is added to Info.plist, to make the system think: “It's decrypted, it's in the place that App Store apps go, but that's OK because this key means it is from Apple.”

If you have added no protections to your application, the cracker is now done. They simply upload their crack to a website like rapidshare.com and distribute it as if they were super cool hackers who knew what they were doing. That's it. Many applications now employ an additional protection: checking at runtime whether the “SignerIdentity” key is present in their own Info.plist, and refusing to run if it is. Although this does help, it can still be defeated. All the cracker has to do is search for the “SignerIdentity” string in IDA Pro and follow the cross-references to it, which lead straight to your check. The easiest thing they can do is patch the string constant in the binary to something like “BLAHBLAHBLAH”: the “SignerIdentity” key can then stay in the plist undisturbed, because your code is now looking for a key that has no legitimate reason to be there anyway.
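To make the two marks of a cracked copy concrete, here is an added example in Python (my code, not code from the article or from any cracking tool) that walks a Mach-O binary's load commands to read the LC_ENCRYPTION_INFO cryptid, applies the edit the paragraph above describes (overwrite the encrypted range with bytes dumped from memory and clear cryptid to 0), and checks Info.plist for the SignerIdentity key. The binary and plist it inspects are constructed inline as samples, and the function names are my own; on a real device the executable is the file inside the .app directory under /var/mobile/Applications. The parser also recognises the 64-bit LC_ENCRYPTION_INFO_64 command, which goes beyond the 32-bit ARM binaries the article is about.

```python
"""Inspect an iPhone OS application bundle for the two marks a cracked copy
carries: LC_ENCRYPTION_INFO.cryptid cleared to 0 and a SignerIdentity key in
Info.plist. Added example; not code from the original article."""
import plistlib
import struct

MH_MAGIC = 0xFEEDFACE            # 32-bit Mach-O, what 2009-era ARM apps were
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit, same layout with a 4-byte reserved field
LC_SEGMENT = 0x01
LC_ENCRYPTION_INFO = 0x21        # fields: cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C     # same fields plus 4 bytes of padding
SIGNER_KEY = "SignerIdentity"
SIGNER_VALUE = "Apple iPhone OS Application Signing"


def find_encryption_info(data):
    """Walk the load commands of a thin little-endian Mach-O and return
    (command_offset, cryptoff, cryptsize, cryptid), or None if the binary
    has no encryption-info command at all (a Cydia app, for example)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        off = 28
    elif magic == MH_MAGIC_64:
        off = 32
    else:
        raise ValueError("not a thin little-endian Mach-O (magic 0x%08x)" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return off, cryptoff, cryptsize, cryptid
        off += cmdsize
    return None


def is_fairplay_encrypted(data):
    info = find_encryption_info(data)
    return info is not None and info[3] != 0


def replace_encrypted_range(data, plaintext):
    """The cracker's edit the article describes: overwrite the encrypted
    range with the bytes dumped from memory under gdb and clear cryptid."""
    info = find_encryption_info(data)
    if info is None or info[3] == 0:
        raise ValueError("binary is not FairPlay-encrypted")
    cmd_off, cryptoff, cryptsize, _ = info
    if len(plaintext) != cryptsize:
        raise ValueError("dump is %d bytes, cryptsize is %d" % (len(plaintext), cryptsize))
    out = bytearray(data)
    out[cryptoff:cryptoff + cryptsize] = plaintext
    # cryptid sits after cmd, cmdsize, cryptoff, cryptsize (4 bytes each)
    struct.pack_into("<I", out, cmd_off + 16, 0)
    return bytes(out)


def crack_indicators(binary, info_plist):
    """Reasons an App Store bundle looks cracked; empty list if it looks clean."""
    reasons = []
    if not is_fairplay_encrypted(binary):
        reasons.append("cryptid is 0 or LC_ENCRYPTION_INFO missing")
    plist = plistlib.loads(info_plist)
    if SIGNER_KEY in plist:
        reasons.append("%s = %r in Info.plist" % (SIGNER_KEY, plist[SIGNER_KEY]))
    return reasons


def build_sample_binary(cryptid=1):
    """Constructed sample, not a real App Store binary: a minimal 32-bit ARM
    executable with one __TEXT segment and a 4 KiB encrypted range."""
    cryptoff, cryptsize = 4096, 4096
    seg = struct.pack("<II16sIIIIiiII", LC_SEGMENT, 56, b"__TEXT",
                      0x1000, 0x2000, 0, 0x2000, 5, 5, 0, 0)
    enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, cryptoff, cryptsize, cryptid)
    cmds = seg + enc
    hdr = struct.pack("<7I", MH_MAGIC, 12, 6, 2, 2, len(cmds), 0)  # CPU_TYPE_ARM, MH_EXECUTE
    body = hdr + cmds
    body += b"\0" * (cryptoff - len(body))
    return body + b"\xAA" * cryptsize       # stands in for the FairPlay ciphertext


def build_sample_plist(cracked):
    """Constructed Info.plist; the cracked variant carries the SignerIdentity key."""
    plist = {"CFBundleIdentifier": "com.example.app", "CFBundleExecutable": "app"}
    if cracked:
        plist[SIGNER_KEY] = SIGNER_VALUE
    return plistlib.dumps(plist)


if __name__ == "__main__":
    clean = build_sample_binary()
    print("clean copy:", crack_indicators(clean, build_sample_plist(False)))
    cracked = replace_encrypted_range(clean, b"\x00" * 4096)
    print("cracked copy:", crack_indicators(cracked, build_sample_plist(True)))
```

The same two checks are what a runtime anti-piracy check inside the app does, and the paragraph above shows why the plist half of it is weak on its own: the key name is a plain string in the binary, so a cracker only needs to patch that string. Reading the cryptid out of the process's own Mach-O header is harder to defeat by a string patch, but the field is just as easy to find for someone reading the binary in IDA.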

All in all, most crackers are script kiddies who simply try using gdb to decrypt the application, and give up on anything more complicated than the standard “SignerIdentity” check. Read my upcoming article, “iPhone Piracy 101: Steps to Prevent it”, for more advanced techniques you can use to protect your application.
