Jeez, Paul, thanks for the thorough answer. I'm not new to public/private key encryption or digital sigs, I was just hoping not to have to do it myself. Due to the extra time involved. Still, if this is what the client wants, I'm obliged to get it done.
Part of your response suggests that if there was an existing framework that was openly available, it wouldn't do me any good because the bad guys would have the source code. I don't know if that is your thinking but this thought had occurred to me before I posted the question. I firmly believe that security through obscurity is no security at all. Well, if I proceed, I will definitely make use of all of your ideas. -Michael On Feb 24, 2010, at 5:23 PM, Paul Sanders wrote: > I rolled my own. I was not about to put all that effort into developing the > app and have someone steal my work from under my nose. > > For validating the license key, I would recommend some form of digital > signature rather than just a simple checksum. I used a checksum first time > around and it was quickly hacked. My current scheme also ties the key to the > machine it's installed on so that it can't be handed around, but it's > probably sufficient to prominently display the customer's name and email > address on startup and make it such that a key cannot be forged. > > The other thing you have to do is to find some way to stop the hackers from > patching your app to bypass the check. Again, I use a DIY form of code > signature to protect the app as a whole and I then check that the signature > is valid from here, there and everywhere at run time to make it difficult for > the hackers to patch the code in just one place. There are still probably > weak spots but my software is not exactly expensive so I think it's adequate. > > I originally used codesign to validate the integrity of the application but I > ran into some problems with it. Something (I have never figured out quite > what) occasionally adds or changes a file in my bundle after it has been > installed, thus rendering the code signature invalid. So I switched to my > own scheme where I calculate a digital signature for the critical files that > make up the app and store that in a separate file which I can check at > runtime. Again, this signature cannot be forged. > > If you're hazy about the concepts behind public / private key encryption and > digital signatures, this might help (I have never been known for my modesty :) > > http://www.codeproject.com/KB/security/EZRSA.aspx > > As might be apparent, I have put quite a lot of work into this, but I don't > have anything in a form that can be packaged up and given away. Nor do I > want to do that, in fact, but I hope this at least gives you some ideas. > > Not really a Cocoa question... Don't know where else you'd ask it though. > > Paul Sanders. > http://www.alpinesoft.co.uk > > ----- Original Message ----- > From: "Michael A. Crawford" <michaelacrawf...@me.com> > To: <Cocoa-dev@lists.apple.com> > Sent: Wednesday, February 24, 2010 9:54 PM > Subject: Looking for info on anti-piracy and trial-mode techniques for my app > . . . > > I've purchased apps from other developers on this forum, which have > mechanisms for limiting functionality until a valid registration code has > been provided. I'd like to include this functionality in my own app but > don't want to create it from scratch if I don't have to. To that end, I'm > looking for existing libraries, techniques, blogs, and/or suggestions. > > Thanks. > > -Michael _______________________________________________ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
