The arms race to protect apps from cracking

By

Protect apps from crackers
Protecting apps from crackers can be a daunting task for developers.
Image: MacPaw

Our new App Business section is brought to you by MacPaw, maker of proven Mac apps.

App developers put a lot of time and effort into preventing their apps from being cracked or pirated. But for every coder taking a step toward making an app more secure, there’s someone on the march to crack it. The integrity of any app is subject to an ongoing arms race.

The most popular and useful apps are the most likely to release the cracken (I’m so sorry), so finding out that a bunch of people have downloaded your app illegally can be worn as something of a badge of pride. But that’s cold comfort when you’re losing customers, so let’s take a look at a couple of the most likely app-cracking approaches developers should protect against.

App-cracking methods

Keygen

With access to the binary code, it’s possible to get under the hood of the key-generating algorithm and create an activation key that’ll unlock access to almost any app. For software users, the keygen is a popular approach because it means updates don’t invalidate an individual’s access. Plus, the app itself remains unchanged, allowing it to pass system integrity checks.

It’s also a very convenient tool for digital lock pickers, because it means they basically only need to crack the code once.

Patching application

When building a key to the front door like keygen isn’t an option, cracking an app becomes more time-consuming for the attacker but the software itself is less convenient for the user.

One method used to crack apps is writing a patch to bypass the app’s security. Writing the patch takes a lot of technical skill on its own, and it also requires a lot of work from both developers and end users. Any new version of the app means a new patch must be written. And for the user, any update might end up breaking the patch. That can mean going to some unsavory parts of the internet to get a new version. The user also has to turn off macOS Gatekeeper to allow patched apps to work without violating the code signature, and an unfriendly patch writer could always inject harmful code.

How developers can fight back against app crackers

For developers, keeping up with the ever more sophisticated techniques for breaking through their apps’ paywalls is a job unto itself.

It requires specific computational knowledge like compiling and processing instructions. But it also takes strategic thinking — the ability to put yourself in the head of a hacker.

Experience in cracking apps can also provide useful insight. You can also ask your fellow developers — or even a hacker if you know one — to help you crack your application and test for weaknesses. But even without trying to pry open your own apps, there are other steps you can take.

An obvious solution is to keep hackers guessing by frequently switching up your apps’ protection mechanisms. There are legal approaches, too, if you’re able to spot cracked versions of your app on torrent sites, forums or file exchanges. The threat of legal repercussions is a surprisingly fast way to see those links go dead.

Another less intuitive and surprisingly effective approach is to just be open about the problem. After all, who are we kidding, people would rather not pay for the things they use. So educating users and the broader software community about the benefits of paying for software — and the pitfalls of cracking — can go a long way toward securing an honest, paying user base.

MacPaw’s story

MacPaw — maker of DevMate, CleanMyMac and other popular Mac software — has some experience with the issue of cracked apps. The company’s first versions of CleanMyMac and Gemini came with a simple license-generation algorithm.

After adding analytics, they were able to see the number of cracked versions that had been opened. A shocking half of the copies of CleanMyMac Classic were cracked. This was a serious problem. So MacPaw added anti-crack protection to kill keygens on the server side and limit risk to the user side.

This wasn’t enough to stem the tide, though. With every update, large or small, the MacPaw team experimented with various new ways of protecting the company’s intellectual property.

Kevlar protects apps from cracking

Over time, MacPaw’s devs became pretty experienced in the art of anti-crack protection. They wrapped their knowledge into Kevlar, a library for licensing Mac applications. It’s a resource that can be baked into apps — as it is with DevMate, MacPaw’s app development and distribution platform, which makes Kevlar available to other developers for protecting their own products — and can be updated along with the changing tactics on the other side.

Ultimately, this is a battle in which both sides have understandable reasons for one-upping the other.

Software developers want to get paid for their hard work so they can continue to do more of it. On the other side, many users just want to avoid paying for the things they use.

We don’t need to tell you where we fall on this issue — that should be obvious. We encourage all app developers to stay vigilant, get inventive, and try incorporating DevMate into your own distribution strategy — if only to take advantage of Kevlar’s battle-hardened protections.

Newsletters

Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.