I'm trying to add a bit security to my app. I have a server that the app connects to and I am thinking of sending a checksum of the binary when making a connection. If the checksum does not match with what I want. The server wont alow any connection.
I´ve read a couple of articles of how you can increase security of your app and many mention checksuming your binary but haven´t found any code explaining how you actually checksum your binary during runtime.
This one for example
http://www.seoxys.com/3-easy-tips-to-prevent-a-binary-crack/#ptrace
Other than that, from what I have understood, there is no way of knowing the exact checksum before hand since Apple will sign when submitting? I could however disable the check on my server when submitting a new version, then reenable the check when I know the checksum. Not a perfect solution but what solution is?
Anyone that can point me to the right direction?
In short, this is a very difficult thing to do. The reason why, is that you don't control the client code once it leaves your hands. Even if you get everything working perfectly with the checksum, and attacker could still take a checksum of the binary, modify it, and then have it submit the previous checksum instead of the new one, by modifying that code. In fact you would probably make it easy for him/her by using a function like _getBinaryChecksum() that he can just change :-)
If you are going to do this, use a cryptographically strong hashing algorithm like SHA-256. You are right that Apple signing it will change the hash, so you will need to program the server with the hash of the file after Apple signs it. Also keep in mind that any change at all to the app will greatly affect the hash, so you need to keep a historical list of previous hashes so you don't shut out customers who haven't upgraded yet.
You may want to check out these StackOverflow question, as it sounds like you are trying to do something similar:
Security When Using REST API in an iPhone Application
https://stackoverflow.com/questions/15390354/api-key-alternative/15390892#15390892
Related
How easy can it be for people to see the code / inner working mechanics of a published iOS app?
E.g if there was a certain algorithm or function/class, how easily could people be able to read that?
If it’s possible, is there any way to camouflage or encrypt it so the code can’t be read?
Cheers
A certain algorithm or function/class is not going to be visible to anyone just from having access to a published app. The apps executable has been compiled and optimised so the original source does not even exist inside it. The executables are also encrypted and while can be decrypted if you jail brake a device even then you won't get much info.
While a lot of information about how an app works can be deduced by examining how it works individual algorithms is not something to worry about.
Plus what makes you think anyone is even going to bother trying for your app.
EDIT
As there was some confusion here is a link which talks about the binaries being encrypted when producing universal and thinned ipa files:
https://developer.apple.com/library/content/qa/qa1795/_index.html#//apple_ref/doc/uid/DTS40014195-CH1-APP_STORE_CONSIDERATIONS
I've used Parse to create an application for iOS using the iOS SDK downloaded from the Parse.com website.
In order to create this kind of application the ApplicationID and ClientID keys are both embedded in the iOS app and sent from the app to the server when the application is used. This essentially puts the ApplicationID and ClientID in plain sight so any user can write a small program which would repeatedly call the various Parse apis of my application.
I have followed all the security advise in the parse tutorials and all the data has appropriate roles and ACLs.
HOWEVER a single unsophisticated user could bring down my entire application simply by calling the login api of my parse app more than 30 times per second.
Am I missing something or is this a FATAL flaw in using Parse.com as a backend from an iOS app?
Does anyone have a solution to this problem?
You can always reduce the chance substantially by applying
Security by Obscurity ;-)
You can encrypt your keys and place decryption function right inside your JavaScript. You can further make it harder to find by hiding that function in the middle of a large nasty script that nobody would enjoy, and then minify your JavaScript (which you should be doing anyway). I am sure it is possible to get even "more creative" and reach some reasonable perfection :-)
It remains, however, possible, in principle, for a sufficiently motivated hacker to reverse-engineer your program and get the keys. Still you can make it hard enough, so the hacker will likely look for easier targets, of which there is plenty as we know ;-)
See also here
for more ideas.
from one of the stackexchange questions Here,its proved that we can decompile the iphone application to its source,Now here comes the question how can we protect the ipa file/iphone application from cracking to its source?i have already verified this answers
here 1
method 2
but sad thing is it fails to protect the code,any updates to prevent app to source code
You can't really.
The iOS runtime on the device needs to be able to interpret the binary, so the binary has to be there, unencrypted and ready to run.
You could obfuscate it, by running it through a tool that scrambles method names, property names and so on. .NET and Java have tools that do this but I'm not aware of any for Objective-C, so I think you're on your own.
(Tools like anticrack, the one you linked to, will work for a short time until someone comes up with a way to reverse what anticrack does - but because your app eventually has to be there in a format the runtime is ready to run, all you can do is make it more difficult. It's like the age-old arms race of pirates vs protection mechanism in desktop applications).
This has been much discussed. Generally, you make more money spending time improving or promoting your app, then spending time trying to prevent it from being cracked in any way.
Is it possible to make app not launchable if it has been cracked and installed from installous? I don't want to see my app in installous
It's not that easy and it not answerable within some words or code snippets.
But you might check this:
http://www.shmoopi.net/ios-anti-piracy/iphone-piracy-protection-code-tutorial-2/
http://www.cocos2d-iphone.org/forum/topic/7667
http://thwart-ipa-cracks.blogspot.com/2008/11/detection.html
The read also here:
http://www.learn-cocos2d.com/2010/05/ignore-everything-youve-heard-about-app-store-piracy/
There are ways to detect whether your app is running on a jailbreaked device or whether your app has been modified (aka cracked). Take a look here and here for example.
From my point of view all you are getting by using these methods is a waste of time. Maybe you can make it harder for potential crackers and keep away the script kiddies. But you won't get that far that no talented cracker on earth would be unable to crack your app. Even one single cracker on earth who's able and motivated to crack your app is enough to upload it to hundred's of sites.
If really big companies fail at protecting their apps I really doubt that you will achieve it... so: wasted time which should be better spend on improving your app.
Probably not, because the part of cracking your application is to remove all restrictions (registration, detection of jailbreak, ...).
I was halfway through developing an iOS app but have sadly lost the development files (it's a long story). I have the latest version still on my iPhone. Is there some way of recovering it or even just part of it for use in Xcode?
Thanks.
In theory you can decompile the binary, which should be backed up in your iTunes backup. It is not a simple process, and if you encrypted the binary you should maybe just give up. The result of the decompilation will be nothing like what you started with -- rather it will be a bunch of cryptic C functions that don't necessarily make sense but which will compile back to your app. You might get something usable. Assuming that you actually are able to decompile and rebuild your app, the challenge you will face is in the future -- maintaining/updating cryptic code.
So my advice is to check the possibility of local backups/checkins (as per other answers here). You might try undeleting the files from your hard drive (DON'T save any more files to your disk, just download undelete software and try it). Short of those things, you can take to heart the advice of my Comp Sci 101 professor. I quote:
Don't fret - it's always easier the second time around.
Good luck.
If you have Time machine enabled on your mac you may want to look in there. But other than that I don't think so.