Ever since the App store has come about, people have wanted to crack apps so they don't have to pay for them. The most famous app or this to happen to is Super Monkey Ball, but now almost every paid app is online for people to download for free. It seems developers such as you and me are losing the fight, but are we?

There are a couple of ways to find out whether the app a user is running is cracked, and you can implement this in your app so you obtain all the money you deserve (the procedure is taken from the website at the bottom of the post).

There are 3 approaches to detecting a cracked app at runtime. If you downloaded your cracked app (IPA) from somewhere like RapidShare then you'll notice that the timestamps of Info.plist and your application binary are different.

To stop hackers, we'll look at Info.plist modifications. There are a few easy checks that you can perform at runtime to see if your Info.plist has been modified after you've built a distribution release:
Check the size of Info.plist. You know the size of the file after it's been built so hardcode a check into your application, rebuild for distribution, and push to the App Store.
Check if Info.plist is plaintext XML. The distribution copy is converted to a binary .plist and most IPA cracks convert this file back to either UTF-8 or ASCII. Again, do this check in your application before pushing it to the App Store.
Why the hell are they modifying Info.plist anyway? Well... the cracker added the key-pair {SignedIdentity, Apple iPhone OS Application Signing} to this file. Check for this modification at runtime - it shouldn't be there!
The first two points are simple and are left as an exercise for you intrepid and enterprising App Store developers.

The third and last point is what I'll expand on below.

Well what the hell is that doing in your Info.plist? It's not part of the XCode template and it's definitely not something that you put in there.

This key-value pair basically tells the application loader that the application is decrypted and can be trusted. Consider it to be a skeleton key that lets you run any application on the iPhone.

I'm not sure of the implementation details of the application loader so don't bother asking me.

The one thing for certain is that THIS KEY-VALUE PAIR SHOULD NOT BE IN ANY APP STORE APPLICATION. If you do find it during runtime then you know your application has been compromised.

Below is some rudimentary code that checks if this key-value pair is present in your application bundle's Info.plist.

Now you're going to say, how come you're not checking for the value of the key-value pair? Well, I say, you don't need to. If you didn't put that key-value pair into your Info.plist then you definitely didn't put that key in.

Source: How to Thwart iPhone IPA Crackers

Would love to see stats from a smart dev who didn't actually block use of his/her app, but sent back usage data. My guess is that most people (ie. 99.9%) wouldn't bother jailbraking then downloading illegal copies just to save $3 or whatever.

I'm a developer on the app store, but I've also developed plenty of other software elsewhere. My opinion is that you're wasting your time, the hackers will figure out an easy way around this, and then you're back to square one. You should accept that piracy happens and move on.

Your time would be better spent improving your apps, and interacting with your customers. If you can create an environment in which they want to pay you, and not steal from you, then you've won

Just my 3 cents...

The only problem with this is that more and more people are discovering how easy (or easier than they thought it would be) to have apps on their phones for free that the should have paid $15 for.

Couldn't agree more.

There's only 4 kinds of people.

1. People who don't want your app. These aren't potential customers, so no protection will help here.

2. People who will buy your app, even if a crack exists. Spending more time on copy protection will only detract from their experience with your app. DRM can cause extra hurdles, making the user experience worse. Either that or you'll spend time on implementing protection that could have been used on bug fixes and new features.

3. People who won't buy your app, but will copy it if a crack exists. These people don't deserve ANY time or thought. Just pretend like they don't exist.

4. People who might buy your app... depending on how they perceive your company and if an easy crack exists. If you want to spend time on these people, then I agree with rustyshelf's approach. Be nice to them. Don't treat them with contempt. Otherwise, ignore them... they're not the majority of your users.

Also, those checks seem like they'll be pretty easy to get around.

Fuck, wrote a long thingo about how I'm a pirate, but it's just easier to pay for iPhone apps, and then went to check the OP's profile to see if he had a link to this purported $15 app that everyone was stealing, but then it didn't open in a new tab, so when I went back my whole long stream of consciousness post was gone.
Oh, well. The gist of it was that the majority of people will not hack hardware to get free apps. I can steal music and movies and they work without me having to hack my hardware. A lot of apps are cheaper than music or movies, the transaction is painless and quick, and the results are immediate. Like rustyshelf says, look after your customers. $15 bucks.. bit steep? What does it do. If it's any good I'll JB my phone and nick it...

Cat and mouse game with the hackers usually being the ones one step ahead. DRM, hack protection, copy protection, etc, just don't work. They ALWAYS get circumvented. They just piss off those who are always gonna pay for your app. Ignore the others.

The best example I can think of is Spore (although not directly related to iPhone apps). Extremely tight anti-piracy and all it achieved was making it the most pirated game ever and pissed off the loyal customer base.

Make good apps and target them at honest ppl.

And price your app so it doesnt turn people off. Its better to sell 100 at $1.99 than two at $15

Marketing 101, providing bonus stuff for download via the app, but only on a valid serial number and only one download per customer. Obviously the legal user has given their email address, so they know first, go get the bonus, and pirate gets left in the cold. Bonus stuff contains instructions for how to re-download should the original be lost or be faulty.

Otherwise, piracy is a fact of life. Time and money spent on honest customers will earn you reputation and get you more customers. "Going to war" only makes a developer look like Macroslop.

Good theory, but how do you know when a customer contacts you for technical support whether they are legitimate purchasers or not?

For instance, one of my App Store applications (selling for $2.99 US) requires simple configuration to work with each customer's hardware. It's not too difficult, and we have instructions on our website that explains the process, but I still get upwards of 20 queries per day asking for help in various situations.

It's hard enough trying to justify the time taken to respond to these queries when each sale only collects $2.99, but if there's a chance that the person asking the questions hasn't even paid for the application at all then what's the point?

Some people writing apps for the iTunes store do so for fun, as a hobby or as an aside to their current business. Others, myself included, do it to make a living. Any way you do the maths, selling apps at $3 each and trying to earn a reasonable wage is difficult, so anything that can be done to improve income (eg by making it a bit harder to use the app without paying for it) is a worthwhile exercise.

Considering that the vast majority of iPhone users are afraid and unwilling to jailbreak their iPhones, I'd say that the threat of IPA Piracy is quite minimal.

i have a first generation iphone so it's always jailbroken. i downloaded a few apps from these various places... namely metro melb and pocket weather. i used them everyday and decided to buy them. i've now removed all hacked apps from my itunes and am only using bought or free apps. what's a couple of dollars here and there? $2.50 for pocket weather is well worth it.

Everyone who emails in gets support.

It'd take longer to check if they're legitimate than answer their email in most cases. I guess we might feel a little differently if the emails were more complex to answer.

Maybe you should put instructions into the app or change the UI? 20 a day is a significant amount.

I understand how that would feel true, but my opinion differs. I think it's more important to have a better product than your competitors rather than better protection, so that where we spend our time. I'd rather lose a small % of users, but have a bigger market and mindshare.

Some simple measures might be good, like making sure you download the most common serial number archives before every release and blacklist all the serials (this would be for Mac apps).

I'm not sure why we're having this conversation for iPhone apps... they'd have to be the least pirated content of the last 20 years.

Especially if the protection gets so intense it starts to "punish" the paying users. I raised a similar security issue with a PC based app we use at work and help desk hadn't even realised that the security effectively prevented some valid users from doing their job properly.

On a device like iPhone, where most users would control their choice of apps, this sort of protection level would be economic disaster, yet so many developers get frustrated and go too far.

Yes, but we're a tiny minority in comparison to the rest of the 3G iPhone population.