Earlier this week, we reported the story of an iOS app maker intent on shaming pirates by hijacking users' Twitter accounts in order to post a message saying "How about we all stop using pirated iOS apps? I promise to stop. I really will. #softwarepirateconfession."
This anti-piracy campaign was certainly unique, but it backfired. Many customers who paid as much as $50 for dictionary applications for their iPhones and iPads were targeted, because the system went into place without being capable of distinguishing between pirates and non-pirates.
We've exchanged a few e-mails with Enfour, the company in question, to find out how the anti-piracy system was supposed to work, and whether the company plans to try again. In short, Enfour blamed the problem on "old code" that has now been taken out of the apps and thrown in the trash. But Enfour isn't done—it's busy working on a new and better way of targeting pirates.
Your app's anti-piracy module, it's not working
"There was old code from a previous version of the module that was timed to activate on November 1," Enfour VP of Communications Tracey Northcott told Ars via e-mail. "This didn't affect everybody. It only affected people who let the app go to 'sleep' while using it on November 1. If the user shut down the app after using it, then there would be no issue. If a person didn't use the app between October 31 and updated on or after November 2, then they would not have been affected at all. There are still some people who have this issue as they haven't yet updated their apps."
Northcott declined to say exactly how Enfour was trying to identify pirates, saying, "I am going to be suitably vague on our exact method for proprietary reasons." But another iOS app developer, Chris Cieslak, told us there are several ways of going about it.
"There's a few ways I've seen in the past," Cieslak said. One method is to simply check if the phone is jailbroken by seeing if it contains files only present on jailbroken devices (like the Cydia app store), but this is far too likely to bring up false positives because jailbreakers aren't automatically pirates.
Cieslak continued:
Another way to find out if the app's been cracked is to see if the actual executable code in the app's bundle is still encrypted by Apple's FairPlay DRM. This could present a false positive/negative issue in production, since only public iTunes Store builds are encrypted. It's impossible to test fully in developer or beta ad-hoc builds, which are not encrypted.
The other way I've seen is to inspect the app's App Store metadata. There's a file called iTunesMetadata.plist, added to the app bundle by Apple when one uploads an app to the store, which contains identifying information of the app's original buyer, along with version info, icon info, and other store-specific stuff. This is stripped out by many crackers, so the app could simply see if it exists and assume it's pirated if it's not there.
This could cause a false positive if Apple renames this file, changes its format, or removes the file entirely. It's not part of any public spec.
Now, any check in code could always be bypassed through the normal means like on any other computer: dumping classes, disassembly, etc. Which makes these techniques even more useless, in my opinion.
Finally, anti-piracy code is just like any other code: it's going to have bugs. Except, in this case, they're bugs that really get your users mad. Not worth it at all, at least in my opinion.
Enfour may have a completely different, more advanced method, based on what Northcott told us. "We do not discriminate against jailbroken phones, as we know there are plenty of legitimate customers who have jailbroken phones," Northcott said. "The checks are much more complicated than this. Our method involves coding to below the standard objective C level. Just to give you some more background, we have been coding to this level since the Apple Newton days. This is the first accident of this sort we have ever been involved with."
According to an apology letter Enfour wrote to customers, the anti-piracy module worked like this: "Upon waking, a dialog box showed 'Run in Safe Mode,' then the app disabled itself and performed an auto soft close. A notification appeared locally on the device and if the user had authorized the app to access their Twitter account, a tweet of the notification was sent out under their account with a hash tag #softwarepiracyconfession. This tweet only happened if the user tapped a send confirmation button."
Northcott said fewer than 0.3 percent of users tweeted out piracy confessions during the first 24 hours in which the faulty code was deployed, "and at least half of those were really pirated copies." But the problem extended well beyond those 24 hours. More than two weeks later, the tweets are still coming in dozens of times a day. Enfour says it asked Twitter "for a mass pulldown of these tweets," but Twitter refused.
The pirate confession tweets go back to before November 1, Northcott said, but those earlier tweets were only from customers who actually pirated the apps. The false confessions didn't go out until that "old code" set on a timer had been activated.
"Our apps have had varying forms of anti-piracy measures included over the last few years," she said. "We have tried different methods, tweaked them and changed them completely. The iOS platform is constantly changing and also the way that the crackers pirate the apps changes constantly as well. It is an ongoing tug of war. We are not the only developer that has modules built in. There are probably others who have had some false alarms too, but these may not have been reported by the press."
Enfour plans to bring back its anti-piracy system, but it did not say when it will reappear or if it will work in the same way. "We have had emergency meetings and we have completely revised the anti-piracy policy," Northcott said. "For the updates we just pulled it all out in the interest of timing. Soon we will have a new iteration of our engine that has downloadable components. This allows more control over the components and so we will not have to use the same sort of module that malfunctioned two weeks ago."
Enfour is scrapping the old code entirely, starting from a "blank file," to make sure it never targets legitimate customers again.
Fightin' pirates
Enfour's fight against pirates isn't over, because the company thinks it's one well worth fighting. "We do a clean-up of pirated apps every week, serving DMCA notices where we can," Northcott said. "This is a lot of work and especially hard because we need to do so in a number of languages. But they keep popping back up. It is usually only the well-known (and more expensive) titles that continue to be distributed online."
Enfour says it has found more than 3 million instances of pirated copies of its apps, including cases where the people who cracked them were charging money for the ripped-off copies. "We have seen days when certain titles have had 2000 new users but we have sold only 20," she said.
Northcott sees a race to the bottom in Apple's App Store, with rankings based on the number of downloads favoring apps that are free or cost just 99¢.
"This is not a sustainable model for any but a handful of games," she said. "Developers are not rewarded for developing quality products that can command a decent price. We are relegated to pumping out the equivalent of '80s shareware. At this rate a hollowing out of the market will occur—with only hobbyists and large production houses being left in the game."
Dictionary apps can cost anywhere from $20 to $50 because they have real value, are larger and more complex than most apps, and contain content "that takes hundreds of man-years to compile," she said. "What cost hundreds of dollars as a desktop application delivered on a DVD a few years ago is now available for 100th of that as a smartphone app."
Many people are willing to pay the money. But there is enough piracy that finding some way to discourage people from downloading ripped-off copies is a worthy goal, in principle. Three years ago, we reported on an iPhone app developer who found a way to turn cracked versions of apps into demos. The developer's anti-piracy measure involved having apps "phone home" to a server, which could detect whether it was cracked.
Enfour went much further—and its story shows that targeting pirates on a large-scale basis takes immense effort and is fraught with risk.
reader comments
70