How do you keep someone from stealing your app?

[Rakehellion]

http://arstechnica.com/business/2014/05/a-new-app-clone-grifter-shows-app-stores-weakness/

Apparently with a decompiler and a few hours of time, someone can grift your hard work and make an exact duplicate of your app.

What do you do to keep encryption keys secure?

 

[mosco]

The article mentions that the app was completely different than 1Password, so I am not sure what this has to do with decomilering an app. It looks like all they did was steal the name and icon.

 

[Rakehellion]

This one shows decompiling and decrypting the binary. This is about Google cracking down on copied resources.

Even if the first link I showed didn't elaborate on that, you know these technologies exist and app clones are rampant.

 

[smackababy]

Have you ever decompiled anything? Imagine code with every variable named so poorly you have to actually rename them all to make any sense.

Also, this isn't just an app problem. I am almost certain you can decompile any executable into awful source code.

 

[Rakehellion]

Have you ever decompiled anything? Imagine code with every variable named so poorly you have to actually rename them all to make any sense.

They're not trying to make sense, they're trying to make a buck. With one-click app clones, they don't have to rewrite a line of code.

I'm just wondering what I can do to reduce this.

 

[mrjminer]

There's not really a lot you can do. If it can be compiled, it can be decompiled. The only thing you can really hope for is using a method that has yet to be worked around, and then you would only have peace of mind until the new version of a cracker came out.

The only real way is to never distribute; SaaS for everything, basically.

 

[BrightCandle]

You can't really stop it. The force of law, the App store itself are about your only options. Doing anything technical can often be a problem for your users and reduce sales so its usually best to just live with it as a possibility and be aggressive about protecting your assets in court against those who steal the actual application. Its pretty rare this happens.

The more usual case of course is that users copy the application and use it without paying, and that follows the same principle, its best not to go down the route of thinking to try and stop it or suing those that do it. They probably wouldn't have bought it anyway and often they are increasing your sales so its usually fine to let it be. But defending against other companies that steal from you is different, you need to make sure you assert your copyright protection.

 

[purbeast0]

i know this isn't really about pirating in general, but it made me think about pirating since it is about "stealing" apps.

as someone who has been a big pirate in my younger days, i just have come to accept that people will pirate. i have mobile apps on android and ios and i've seen them in the places you find pirated stuff. there really isn't anything i can do about it so i don't worry about it. as a former pirate, i know that just because someone pirates something 100% does NOT mean that it's a lost sale. i just kind of think of it as the loss prevention thing in retail stores. there is a percentage that they just know they will lose and that is in their numbers and everything.

it's bound to happen so there really isn't much reason to worry about it.

 

[Mark R]

One way of discouraging it that I have come across is to use a modified (non-standard) encryption system.

A common component of many encryption functions is a block of "random" numbers called an S-box (substitution box). The idea is if you want to encrypt "5", you take the 5th number in the "box", and then move on to the next stage of the encryption.

The trick I've seen is to include a copyright message in the S-box. This way, a 3rd party can't copy your app without including the encryption module, which must include your copyright message or it won't work.

Not all encryption algorithms can be modded in this way, but hash functions (and by extension a group of encryption techniques which use hash functions internally, called Feistel ciphers) can be.

Obviously, such a "doctored" S-box won't be as good as a purpose designed S-box, and can't replace it. But if you're already using a TLS connection and standard certificates, then simply adding your custom encryption is unlikely to hurt.

 

[Rakehellion]

i know this isn't really about pirating in general, but it made me think about pirating since it is about "stealing" apps.

as someone who has been a big pirate in my younger days, i just have come to accept that people will pirate. i have mobile apps on android and ios and i've seen them in the places you find pirated stuff. there really isn't anything i can do about it so i don't worry about it. as a former pirate, i know that just because someone pirates something 100% does NOT mean that it's a lost sale. i just kind of think of it as the loss prevention thing in retail stores. there is a percentage that they just know they will lose and that is in their numbers and everything.

it's bound to happen so there really isn't much reason to worry about it.

What if someone pirates your app an then sells the copies for a profit? Is a line drawn there? That's what this is.

 

[purbeast0]

What if someone pirates your app an then sells the copies for a profit? Is a line drawn there? That's what this is.

by the time that happens, chances are i would have already sold a decent amount of apps and had a good rating on them, with a history of other apps that are highly rated under my name, so the chances of people knowing which one is the "right" one and which isn't would be pretty obvious. but there would be the people who don't know.

and at that point there wouldn't be much i could do about it, other than maybe try to sue or something. but since there isn't anything i could do about it i wouldn't really worry about it, again, unless they started to make a ton of money that i should have been making.

 

[Rakehellion]

by the time that happens, chances are i would have already sold a decent amount of apps and had a good rating on them, with a history of other apps that are highly rated under my name, so the chances of people knowing which one is the "right" one and which isn't would be pretty obvious. but there would be the people who don't know.

If someone is able to recognize your app, then chances are they already have a copy which makes this whole scam pointless. This scam is only done on moderately successful apps who are in the sweet spot of obscurity and profitability.

And the average person isn't tech savvy or observant as you think they are. If there's one copy of your app in the store and are 5 clones, the choice is less than obvious.

People shouldn't have to look you up on Wikipedia to avoid getting scammed.

and at that point there wouldn't be much i could do about it, other than maybe try to sue or something. but since there isn't anything i could do about it i wouldn't really worry about it, again, unless they started to make a ton of money that i should have been making.

So the "give up hope" solution. That isn't acceptable to me.

 

[Cerb]

If you publish through a storefront like Apple's or Google's stores, and they won't do anything about clones, you're generally screwed, because you probably don't have the means to try to find the copycats, much less take them to court. Apple, Google, Microsoft, and anyone else like them with their own storefronts, needs to get it together.

For any app that must be all local, I don't think there's any other way to go about it. Technical solutions can and will be worked around, or simply copied successfully enough that there won't be a need.

 

[Elixer]

One way of discouraging it that I have come across is to use a modified (non-standard) encryption system.

This is easily hacked around as well.
In fact, a well known publisher tried doing this, and it was hacked in under a day.

Bottom line is, there is nothing code wise you can do that is foolproof.
You need to (c) your work, then, for every violation you see, you send the cease & desist letter to them, and tell the google/amazon/apple store about the violation.

Sadly, that is about it.