Some time ago I saw this: http://www.reddit.com/r/Android/comments/lqys0/this_makes_me_sick/
Basically, some guy's app was stolen, the graphics were changed to remove his credits, it was then resold under a different name and had malware added.
Can you think of ways this kind of thing could be prevented using GLBasic?
One way I can think of is to check to see if media files have been tampered with by using a checksum like CRC. There is a thread about CRC in GLBasic via INLINE here: http://www.glbasic.com/forum/index.php?topic=3846.0
I know Shoebox compresses but I'm not sure if it encrypts too. I'd assume not, since the manual doesn't mention that. Probably not best to use ENCRYPT$ for whole files either because it doesn't like zeros, i.e. if you try to encrypt and decrypt a string which contains the equivalent of CHR$(0) it doesn't work.
Wait, so now it's not just the users who are pirating apps but other "developers" are also pirating apps? :blink: Geez...
Seems like piracy is becoming a bigger and bigger problem for Android.
Come up with your own packaging/encrypting/compressing algorithm.
Being non-standard is the best way for anything not being worth the trouble, so if your data is (a priori) unreadable it takes patience and time to disassemble the application and figure out what it does and what the data is.
Using shoebox is a start. You could also call a website with perhaps some key code to check program validity...
It may be hard to determine if any graphic files have changed, except maybe checking the file size, which may be an option. There may be some kind of checksum you can perform, not sure.
But if you are worried about somebody taking credit for your app, don't 'burn' your credits into an image file.
Have 'print' routines (using any method you wish) that print the credits to a screen, therefore the credits are created and displayed dynamically at run time.
He may have a binary editor that could search for your company name ('wampus' for example) and edit that at the byte level. So, be extra sneaky, create a custom routine that returns 'wampus' using some confusing code, such as:
FUNCTION GetCompanyName$:
    LOCAL s$ = "ZDETFBHIJKYLMNAGOPQRSUVCWX" // Every letter, scrambled
    LOCAL name$
    // MID$ positions are 0-based: W=24, A=14, M=12, P=17, U=21, S=20
    name$ = MID$(s$,24,1) + MID$(s$,14,1) + MID$(s$,12,1) + MID$(s$,17,1) + MID$(s$,21,1) + MID$(s$,20,1)
    RETURN name$ // "WAMPUS"
ENDFUNCTION
This may be hard to follow at the binary level, unless there are reverse compilers, I'm not too familiar with the 'hacking' process! If so, make it even harder with weird 'GOTO' statements, loops that do nothing much, etc, call other functions for part of the name, etc.
Damn hackers, if only they would apply their 'skill' to something more productive, like game programming! 8)
Hmmm, shouldn't have code signing stopped this kind of thing?
Except that I think shoebox is broken, would love to see this fixed so it can be useable. I tried to use shoebox a while back and it wouldn't load audio files, nor would it load external audio files if you are using the shoebox just for graphics. Major bummer, it is a great concept.. especially if we could encrypt it, that would be awesome.
Quote
Hmmm, shouldn't have code signing stopped this kind of thing?
I think it's only meant to make it more difficult for developers to get their own code uploaded... it surely doesn't seem to slow anybody else down.
Wow... That's enough to put anyone off of developing for Android... Sounds to me that Google needs to rethink a few things.
I must admit I was surprised when I found out Android used Java, as the ease with which people can reverse engineer Java apps has been known about for a long time. I've never been a fan of Java.
Maybe Gernot should add http://developer.android.com/guide/developing/tools/proguard.html as part of the compiling? This makes it much harder to decompile code. It could do that when debug is disabled.
Shoebox can still be used for graphics, which are normally what gets stolen here, not audio. But it would have been nice if it worked for audio, possibly a separate one.
Edit: I did not read that it also cannot load external audio files if used for graphics. So here it's unusable? That should be fixed, so we can use at least external audio.
Here's the old thread that talks a lot about shoebox...
http://www.glbasic.com/forum/index.php?topic=3760.0
If you are concerned about exposing raw media and don't mind a bloated executable but stand-alone file; store default media DATA (http://www.glbasic.com/xmlhelp.php?lang=en&id=238&action=view) files in code and load straight to memory in runtime! If the executable is decompiled, then the media and decrypt source is exposed.
I thought with all the free trials and the low cost of paid android and iPod games that piracy would not be on the same scale as the likes of the Amiga etc. So I thought I'd have a look on Google to see how prevalent it was.
I searched for "+hacked +android + games" and got the result: "About 19,400,000 results (0.12 seconds)"
So I tried the same with +hacked +iPad + games and the result: "About 6,400,000 results (0.30 seconds)"
6 and a half MILLION results for the iPad! What chance does anyone have when there are videos on YouTube titled "Android Game Hacks by request"
What about free versions of your game with in-game purchases? Or have they hacked that as well? :giveup:
In App purchases for iOS have been hacked also. You can install a "hook", and when you try an InApp purchase, it answers "ok" (does not work with all InApp purchases).
Matchy's InApp wrapper for GLB fails miserably. Any GLB InApp purchase can be bought for free.
Anyway, do not lose sleep because of piracy.
1.- If you sell only a few copies, nobody will hack your apps (my case)
2.- If you sell a ton of copies, some hacked ones will do no harm (Infinity Blade case)
3.- Users who pirate mobile games will not buy them anyway (John 'Pirate' Smith's case)
In any scenario, piracy will not "affect" you.
Also, Android/Google is changing the way apps are checked. Currently, an app is marked by android as "non-copiable", and that's all.
In the (near) future, your app will have to call Google servers about legitimate installation: each time your app launches, it will ask Google "hey, I am XXXX installed on unit YYYY by ZZZZ account. Is this correct, did he buy me here?". Something like InApp purchases.
More info at http://developer.android.com/guide/publishing/licensing.html
When Google switches off the old system and just uses the new one, someone will have to write a wrapper or we will not be able to publish in Android market (at least with paid apps).
And what if the user does not have a dataplan and so no internet except at home with wifi? I would hate you if I bought your game and I'm not able to play on the bus to school... :-)
Another idea would be to convert sprites to DATA and load your graphics like that.
Graphics without any form of encryption are ripped/changed very easily, obviously ones in a separate folder for the world to see are the easiest, ones that are included in the program via data statements are not much more difficult either unless they are encrypted or stored in such a way that makes them not so obvious. A simple screengrab with a byte check or disassemble gets around those most of the time & even a noob hacker can track them down, not including graphics rip tools that are available.
I hack graphics myself purely for my own use. For example the way I like to code some of my games is to code 1st then deal with the graphics afterwards. If I have not written a similar style of game before then I tend to rip graphics from some other game of that style & append the word "Rip" to the start of the filename. Once the coding is complete or close to being done then I create my own graphics replacing the ripped ones. Having a nice set of graphics to work with while coding helps with the visualisation & aids with making the project at hand.
Sometimes I have ideas for graphics before a project, in that case I create them 1st before coding begins, same goes for audio/sounds as well.
None of what I rip gets left in the final project no matter what problems I have in creating my own versions, hence the rip part to the filename so I do not forget the source of the item.
The thing is whatever you code someone somewhere can "un-code" it & you will never be able to stop that, the aim is to limit the amount of people that can "un-code" it. Some basic encryption is a good way to stop the casual hacker wannabes along with some hash or crc check to your files at runtime to see if they are altered in any way & stop the program at the start if things don't add up.
Lee
Embed each copy of the software with a unique code that the software is aware of, but the user is not. Using this as a salt value when processing a serial number can be pretty effective at stopping people from simply sharing serial numbers.
I think there are some restrictions placed on using encryption in iOS apps because of some US paranoia dating back to the second world war. Special exceptions have to be applied for. On the other hand basic encoding is fine and can be relatively quick. Some types of checksum can be very quick too. For example, if you use LOADSPRITEMEM, then decode your encoded sprite, then run a checksum, it can all be done without an objectionable delay.
Personally I'm not interested in trying to stop piracy. I think it's impossible and that people who can afford to pay for games will do so on the whole. Anti-piracy measures have never worked and have always ended up hurting paying customers. I remember losing Amiga games because the original game disk would fail and the copy protection would've prevented me from making back-ups for personal use anyway. Things have only gotten worse since then.
I just want to make things a little more difficult for app thieves wanting to pass off someone else's work as their own to make a profit. Actually, scratch that. I want to punch them on the nose. Failing that, making them do a bit more work in compensation for all the work of others they rip off is the least I can do.
Piracy can actually be a very good thing. A recent BBC tv programme, Panorama, clearly stated that those people that pirated media also tend to be the people that spend the most money on media - giving proven facts and figures to back up their argument. Pirates will also purchase original titles that they've pirated if they like them and back catalogues of those artists etc.
Most of the time pirates wouldn't purchase or use the media they are pirating anyway - and most of it just ends up stashed on a CD/DVD/HD never to be used.
Piracy also promotes good media - word soon gets around if a product is good or bad. The good stuff will get pirated, but it will also sell more copies - potentially more than it would without piracy promotion.
What about an online worldwide copyright for $20 registration and $10 a year to renew?
At least it would give you proof enough to send a 'cease-and-desist-or-else' threat to any infringer.
http://www.worldwideocr.com/tes.asp
What about checking for an IAP that's impossible to buy from the App? Or one that does not exist?
If you get positive feedback there's a cracker proxy. Log the IP, and device number and sue.
Quote: If you sell a ton of copies, some hacked ones will do no harm (Infinity Blade case)
That's the one I stick with. If anybody is making a living with GLB created apps (anyone?) then perhaps you want to be concerned, but until then I would be seriously happy if I was hacked. At that point it's likely I had at least covered the hardware costs let alone the software costs :)
Cheers
Quote from: Crivens on 2011-Dec-06
Quote: If you sell a ton of copies, some hacked ones will do no harm (Infinity Blade case)
That's the one I stick with. If anybody is making a living with GLB created apps (anyone?) then perhaps you want to be concerned, but until then I would be seriously happy if I was hacked. At that point it's likely I had at least covered the hardware costs let alone the software costs :)
Cheers
You are right. I'm sad because none of my apps has been pirated :'( And no, it is not irony.
Quote from: ampos on 2011-Dec-04
Matchy's InApp wrapper for GLB fails miserably. Any GLB InApp purchase can be bought for free.
Whoa. :glare: That was our project and I delivered code that you asked for that worked at that stage.
Sorry Matchy if I explained myself badly. I mean that your code is one of the in-app systems that can be pirated. Nothing wrong about you.
So then it's not wise to use IAP now? Damn I needed it real bad for my next project. :(
I think IAP are fine, so long as you do what Kitty suggested:
Quote: What about checking for an IAP that's impossible to buy from the App? Or one that does not exist?
To see if they have IAP 'hacked', just initiate a purchase from your app for a fictitious add-on.
If it returns 'success' (a valid IAP should fail) then you know IAP is hacked.
Then you can have fun! Change all your characters to 'pirates' or something! :D
[Edit]
And/or make it look like the IAP succeeded and start messing with them with random glitches, etc. (or ads?)
Or display a gibberish error such as 'Invalid flux capacitor detected' and when they post the error to a forum then all the readers know they hacked their IAP and can make fun of them! 8)
In the end, you will spend more time protecting your game than making it.
Just do the game, and if it is pirated and the effort is worth it, "upgrade" it to the full-protection-mode.
Hello guys, thanks for fast responses, I do not really want to put any fake IAP, I just want to put an IAP of £0.69 so you are able to buy a ticket for something. How much would that be hacked? That is my only fear. Just trust me this game is gonna be the bomb :) but I can't do it without IAP, IAP is vital.
thanks again
kind regards
-Joe
Well, using the above, you can detect when a device has IAP hacked.
If it is hacked, then don't allow the IAP.
No risk, nobody can get your add-on for free.
Just create a function such as:
FUNCTION InAppPurchases_IsHacked%:
    // Purchase a fake add-on called 'hack_check'
    IF IAP("hack_check") = TRUE
        RETURN TRUE // IAP is hacked on this device
    ELSE
        RETURN FALSE // IAP is NOT hacked!
    ENDIF
ENDFUNCTION
The function IAP() would be your normal IAP function that would check Apple and try to purchase an add-on, and return true if succeed, or false if fail.
[Edit] To be clear, this check is a global check to see if the device IAP has been hacked. This doesn't check a specific (valid) IAP item. I don't know the nature of the hack, but I read it may be proxy based. If true, once IAP is hacked on a device, ALL in-app purchases will by-pass Apple and return 'success', so there would be no way for a hacked device to actually purchase a valid add-on from Apple, so there would be no way that device could pay you for an item anyways.
Just give them an error if you determine it's hacked. You could be subtle like "Error communicating with Apple", or call him out with "IAP has been hacked on this device, tough luck!".
Slydog, really it is an easy solution for the InApp hack.
Does that mean that before we perform any valid IAP we need to check this false IAP to identify if IAP has been hacked?
And what about replenishable IAP, because this is not only bought once, but as many times as needed by the player.
Do you need this hack check for replenishable IAP etc?
Thanks
I think the hack works by not sending any iap data to apple but to a locally running "webserver" that just returns "TRANSACTION_SUCCEEDED" or so, no matter what params you send. So if you try to "buy" the IAP item "dog_poo", which does not even exist in iTunes, it will succeed.
Quote: In the end, you will spend more time protecting your game than making it
Exactly. The amount of effort put into this could be put into a whole other game. Seriously the amount of money saved is probably nowhere near potentially what a second game could make. And let's be fair if you amazingly make the next Angry Birds then the amount of money you make anyway you wouldn't really care about a few hacked ones.
Cheers
And my point is if any of us actually ever get a decent bottom line then it's worth thinking of then. Otherwise in my opinion it's better financially to concentrate on your next game. Plus to go viral then you would need to have a pretty big game and most of these things are for JB phones. Even though everyone goes on about it I only know one person with a JB iOS device and about another 20 others without.
Plus no matter what you do if someone wants to hack it then they will hack it.
Cheers
Out of interest does anyone know roughly what % of hacked games work on a phone that has not been JB? One thing for sure is the percentage of JB devices is minuscule compared to the non-JB ones.
Obviously the original subject of this topic was about graphics swapped out & resold which is the most basic hack. Not having any devices or clue on how you upload Iapps, Android apps etc means most what is being said just flies over the top of my head. But I understand piracy & hacking so part I am keeping up with.
Lee
Graphics being nicked? Just keep it in a shoebox. It's not encrypted I don't believe and it wouldn't take much to "hack" it if you know what you are doing (I believe it's just all media one after the other in a single file and then pointers at the end to where to find each media item), but it would stop probably the majority of people who could be arsed. Plus it's built into GLB (and hopefully bug free now!) and so if Gernot ever makes it more secure (eg. proper encryption) then your existing code will simply work with that too.
Cheers
With that sort of "purchase" for an unused item, would that not need you to insert your iTunes password, so it can't be done in the background? It's otherwise a nice idea for checking the validity of a purchase. However, I don't plan on using it in my game yet. Here we might need to write to Apple support about how it can be done to prevent that.
Shoebox cannot be used if audio can't be used. I also wouldn't mind if it could only be used with graphics and data, but not audio. I have not tested shoebox, but it's a shame if that happens.
I'm pretty sure using ProGuard, as I linked in a previous post, would make it much harder to hack your game and release it with malware. So I guess it should be a part of the compile when no debugger has been selected. Java is sadly otherwise really easy to decompile if you don't do things like that.
You can also validate the credits string later in the game, so if it has been hex-edited away, then the hash value would be changed too and the game can then act like a pirate version. I'm planning to do something of that sort. You could also encrypt your credits names as well so it's harder to hex-edit them out.
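The runtime check several posters describe (a CRC over each media file and over the credits string, compared when the program starts) can be sketched in C++, which GLBasic's INLINE accepts. This is an added example, not code from the thread or from GLBasic; the asset names, sample bytes and the helper names `build_manifest` and `find_tampered` are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Standard CRC-32 (reflected polynomial 0xEDB88320), bit-by-bit variant.
uint32_t crc32_of(const std::string& bytes) {
    uint32_t crc = 0xFFFFFFFFu;
    for (unsigned char b : bytes) {
        crc ^= b;
        for (int i = 0; i < 8; ++i)
            crc = (crc & 1u) ? (crc >> 1) ^ 0xEDB88320u : (crc >> 1);
    }
    return crc ^ 0xFFFFFFFFu;
}

struct Expected { std::size_t size; uint32_t crc; };
using Assets   = std::map<std::string, std::string>; // name -> raw bytes
using Manifest = std::map<std::string, Expected>;    // name -> expected size and CRC

// Build step: run once by a separate tool; its output is compiled into the game.
Manifest build_manifest(const Assets& shipped) {
    Manifest m;
    for (const auto& kv : shipped)
        m[kv.first] = Expected{kv.second.size(), crc32_of(kv.second)};
    return m;
}

// Runtime step: names of all items that are missing, resized or altered.
std::vector<std::string> find_tampered(const Assets& loaded, const Manifest& m) {
    std::vector<std::string> bad;
    for (const auto& kv : m) {
        auto it = loaded.find(kv.first);
        if (it == loaded.end() || it->second.size() != kv.second.size ||
            crc32_of(it->second) != kv.second.crc)
            bad.push_back(kv.first);
    }
    return bad;
}

// Constructed sample data standing in for a sprite file and the credits text.
Assets sample_assets() {
    return Assets{{"credits", "Game by wampus"},
                  {"logo.png", "PNG-constructed-logo-bytes-0123456789"}};
}

int main() {
    Assets shipped = sample_assets();
    Manifest manifest = build_manifest(shipped);

    Assets repacked = shipped;
    repacked["credits"][8] = 'x'; // same length, so a file-size check alone passes

    for (const std::string& name : find_tampered(repacked, manifest))
        std::cout << "tampered: " << name << "\n";
    return 0;
}
```

Because the expected values live in the same binary as the check, this only stops casual edits: someone who repacks the media and also patches the stored table passes it.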
If I ever released an Iapp or Android game (don't hold your breath on that happening :D ) I would probably implement the logo & the copyright as vector images via data statements to either display directly or create a sprite from them at the start of the program. That way there is no ascii that can be changed in a hex editor nor a real bitmap that can be changed/swapped. I would write a separate program to generate the data & just paste in the output to the main game code.
Sure it doesn't fully protect the game from being hacked but will stop the casual "wannabe hacker but can't be arsed to learn how to hack fully" type of person.
If I did ever get to the stage that what I was creating sold loads of units then I would take a more in-depth look at it.
Lee
Maybe although unless you have a good compression algorithm for your data statements then it will be a lot bigger than just including the graphic files. Plus any changes and it will need to re-compile unlike external graphics.
Shoebox should be fine for graphics (and for audio unless Gernot hasn't fixed it yet) and is more than enough to stop the casual "wannabe hacker" if you ask me. Put it this way, as a programmer try extracting the files from a shoebox manually. I think I know how to do it from within another language (and possibly in GLB itself) but only if I'm right about the format. And if Gernot just tweaks it to be slightly more cunning (doesn't have to be full on encryption or compression but a simple mirroring of data at certain points would be enough to cause issues and a complete mirror of a file would be fine if an image file isn't just concurrent data (ie. obvious it's backwards)) then wham your existing hard to get into format becomes even more air tight at the touch of a compile (and re-build of shoebox at a guess unless shoebox version control is used).
Personally I would also quite like the ability to create and amend shoeboxes (add and delete from existing shoebox). My graphics routine for example resizes everything and places it into another directory (so doesn't have to resize on the next run), obviously exposing all images to phone explorer programs once out of the shoebox. But if I could instead create a second shoebox and then add the resized images into that then that would be much better.
Nudge-Gernot-Nudge ;)
Ahem, but obviously I would quite like the full on encrypted shoebox. Otherwise if someone knows it was written in GLB (esp if you plaster it all over your game) then they can just write a GLB program to extract all data. Not hard. With encryption, and a password key etc against the shoebox then no-one can get the data back. Not even you if you forget the password... Heh, or forget that it's obviously hardcoded in the code :-[
Cheers
Does anyone know what percentage of piracy exists in different platforms roughly?
This thread is really not a talk about piracy; he is much more concerned about people stealing software and releasing it with malware, which I agree with.
I still see an obfuscator as the best way, along with some DRM as well as hash checking. It could be cool if we could scramble the pictures and then descramble them again directly during loading (as well as checking filesize etc).
But don't fail the program directly when flagged; degrade the game a little as well (in mine it would be harder to get maximum stars in each level, if not impossible). You might do a Piracy on another check (encrypted of course).
Piracy is also a problem too, but not like when devs steal other devs' apps.
Quote from: spacefractal on 2011-Dec-10
This thread is really not a talk about piracy; he is much more concerned about people stealing software and releasing it with malware, which I agree with.
I know this is not the subject of this thread but I thought someone could help me with this doubt. I apologize for the off-topic.
Hehe, yes, it's somewhat the same, since we all want to do something to protect against things like that.
I'm not sure about the problem of piracy, but it also happens even with GLBasic as well, if you don't do any protection (last time it even happened with the bird game). I do think it can be worse for Android simply because you can install directly without big issues and hence it's easy to pirate.