I’m stunned.
What happens when the app crashes and the user clears their preferences?
Now, I’m not encouraging willful interference and hacking of applications, but come on! There has got to be a better way than simply storing everything in plain view of everyone. I don’t want my license or serial number visible to other people who use the same computer. Another hiccup is that in demo modes, AppZapper and Disco store the number of remaining zaps or burns in the plist file. That’s fine up to a point, but at least check if the user (as in the screenshots above) has manipulated it. After so many years of Mac Shareware, something’s got to be done. Hack proof your apps. Please. You’ll get more business and not be exploited.
I have kept this short, since I don’t want to simply tell everyone how to exploit applications, but my general plea is, please, test and retest your apps to make sure they’re not hackable. If the biggest names in shareware are making these mistakes, it’s time to run another audit on your work.
Update: Follow up article on shareware licensing techniques using Cocoa.
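
One way to do the check asked for above ("at least check if the user has manipulated it"), as an added example that is not from the original post or from any of the applications named: a trial counter stored in a plist together with an HMAC tag, so a hand-edited value is rejected. The plist key names, the key, the limit and the machine identifier are all hypothetical.

```python
import hashlib
import hmac
import plistlib
from typing import Optional, Tuple

# Constructed demo key (assumption). A key shipped inside the app can be
# extracted, so this detects casual plist editing, not a determined attacker.
APP_KEY = b"constructed-demo-key"
TRIAL_LIMIT = 5  # hypothetical number of free uses


def _tag(remaining: int, machine_id: str) -> str:
    """HMAC-SHA256 over the counter, bound to one machine identifier."""
    msg = f"{machine_id}|{remaining}".encode()
    return hmac.new(APP_KEY, msg, hashlib.sha256).hexdigest()


def save_state(remaining: int, machine_id: str) -> bytes:
    """Serialize the counter and its integrity tag as an XML plist."""
    return plistlib.dumps(
        {"UsesRemaining": remaining, "StateTag": _tag(remaining, machine_id)}
    )


def load_state(blob: Optional[bytes], machine_id: str) -> Tuple[int, str]:
    """Return (uses_remaining, status); status is ok, missing or tampered."""
    if blob is None:
        # No file: indistinguishable from a first launch or cleared
        # preferences, so the trial starts over. The tag cannot prevent this.
        return TRIAL_LIMIT, "missing"
    try:
        state = plistlib.loads(blob)
        remaining, tag = state["UsesRemaining"], state["StateTag"]
    except Exception:  # unparseable plist, wrong root type, or missing keys
        return 0, "tampered"
    if type(remaining) is not int or not 0 <= remaining <= TRIAL_LIMIT:
        return 0, "tampered"
    if not isinstance(tag, str):
        return 0, "tampered"
    expected = _tag(remaining, machine_id)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return 0, "tampered"
    return remaining, "ok"
```

Binding the tag to a machine identifier means a valid file copied from another computer is rejected as well as an edited one.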

13 Comments so far
I think it’s up to the developer how hard they want to work to enforce these things.
If you don’t trust people who have physical access to your machines (and accounts!), serial numbers are probably not your biggest problems.
recorded by Scott Stevenson on November 9, 2006 5:53 pm | Permalink
I think the prevailing wisdom in Mac shareware these days is that:
a) All registration schemes are circumventable. How much of your time (and thus money) do you want to spend on it?
b) Someone who really wants your software for free, and has decent technical skills, is going to get it.
c) The more complex the system, the more likely it is to fail and piss off real customers.
Having said all that, storing registration information in the user defaults is a little too lazy IMHO; when an app behaves badly, one of the first things normal users are going to do is to blow away the preferences.
proclaimed by David Young on November 9, 2006 6:44 pm | Permalink
Absolutely. If someone is determined to hack an app, there is nothing to stop them forever. However, there has been a study revealing that 1 in 5 people will hack a shareware app if it’s simple enough. That’s a whopping 20%. Most of these will buy the app if they find that they can’t disable the security on it in at least 10 minutes. Surely it’s in the interests of the developer to at least make an effort! Snapz Pro X has been innovating in this regard.
Again, there are people who will simply gaze longingly at the shareware apps installed and fight the temptation to hack them since they don’t have any money. But that’s another story.
mentioned by Robby on November 9, 2006 7:14 pm | Permalink
I would like to hear your suggestions as to how to go about storing persistent license and other user data on a machine in such a way that it can’t easily be found, read and modified…
professed by David on November 9, 2006 7:42 pm | Permalink
Man, I heard this Cocoa stuff is easy. One line can do anything. Let’s see:
[[NSUserDefaults standardUserDefaults] setObject:launchesRemaining forKey:@"LaunchesRemaining"];
I wonder where that goes?
published by Brad on November 9, 2006 11:32 pm | Permalink
Yeah, I’d also like your suggestions!
disclosed by SeoxyS on November 10, 2006 1:20 am | Permalink
Ok, MacHeist and exams are keeping me busy, but expect another post on this soon.
stated by Ankur on November 10, 2006 3:39 pm | Permalink
Are we supposed to be able to view a larger version of these screenshots? It’s hard to be stunned by 3px text.
spoken by Olivier on November 10, 2006 6:57 pm | Permalink
Good point. Click on the images to view larger versions.
professed by Ankur on November 10, 2006 7:36 pm | Permalink
Can I ask you to please remove these images, or at least abstract the application names away from them?
These images really do serve no purpose other than to make life just a little bit harder for developers, and a little bit easier for would-be hackers. (Please note that I’m not talking about censoring the discussion of copy protection here, rather obscuring the details of particular applications and companies.)
As developers, most of us are only too well aware of the problems involved in securing our customer’s data. The trick is to do it in such a way that works without unduly burdening the customer AND without having to spend months of programmer time on the problem.
Again, since you were “stunned”, I think it only fair that you provide a solution, or at least an attempt at one. You have pointed out the problem (which is a known one), but not yet an answer to it.
regards.
revealed by David on November 11, 2006 7:00 am | Permalink
Done. Thanks for telling me off, actually, I’ll be more careful in future.
Coming soon
published by Ankur on November 11, 2006 2:58 pm | Permalink
Thank you.
stated by David on November 11, 2006 6:18 pm | Permalink