How to prevent IAP hacks

Hi all,

Google Play’s IAB v3 has prevented apps like “Freedom” from getting free IAB. However, now I’m seeing lots of my iOS players getting all the free goodies via the use of Cydia and such on rooted devices.

Does anyone know how to prevent this? I only allow iOS 6 players but that doesn’t help.

If you are already using Receipt Validation, then there isn’t much you can do:
https://developer.apple.com/library/ios/#releasenotes/StoreKit/IAP_ReceiptValidation/

Since iOS doesn’t allow runtime code generation, you really cannot do any protection method that wouldn’t be easy to crack/hack.
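The one check in this thread that a patched app binary cannot defeat is the one the server makes. Below is an added example (not code from the thread, from Prime31, or from Apple) of the decision a game backend takes on the JSON that Apple’s verifyReceipt endpoint returns. The network call itself is only described in comments so the sample runs offline; the sample replies are constructed, and the field names inside `receipt` (`bid`, `product_id`, `transaction_id`) are assumed to match the single-transaction receipt shape of that era and should be confirmed against Apple’s current documentation.

```javascript
// Added example, not the thread's code: server-side checks on a verifyReceipt reply.
// The app must never make this decision itself: on a jailbroken device the app
// binary can be patched, the server cannot.
//
// Real flow (not executed here so the example runs offline):
//   1. the app sends the base64 receipt to YOUR server
//   2. the server POSTs {"receipt-data": "<base64>"} to PRODUCTION_URL
//   3. the server applies checkReceiptResponse() to the reply and only then grants the item
//
// Field names inside "receipt" (bid, product_id, transaction_id) are an assumption;
// confirm them against Apple's current documentation.

const PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt";
const SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt";

// Apple status codes used here: 0 = valid; 21007 = a sandbox (test) receipt was sent
// to the production endpoint, so the same receipt should be re-checked at SANDBOX_URL.
const STATUS_OK = 0;
const STATUS_SANDBOX_ON_PROD = 21007;

function checkReceiptResponse(reply, policy) {
  const { expectedBundleId, allowedProducts, consumedTransactionIds } = policy;

  if (!reply || typeof reply.status !== "number") {
    return { ok: false, reason: "malformed reply" };
  }
  if (reply.status === STATUS_SANDBOX_ON_PROD) {
    return { ok: false, reason: "sandbox receipt on production endpoint", retryUrl: SANDBOX_URL };
  }
  if (reply.status !== STATUS_OK) {
    return { ok: false, reason: "apple rejected receipt, status " + reply.status };
  }

  const r = reply.receipt || {};
  // A valid receipt for SOME app is not enough: a real receipt bought in a different
  // (cheaper) app must not unlock this one, so bind it to this bundle and product list.
  if (r.bid !== expectedBundleId) {
    return { ok: false, reason: "bundle id mismatch" };
  }
  if (!allowedProducts.has(r.product_id)) {
    return { ok: false, reason: "unknown product id" };
  }
  if (typeof r.transaction_id !== "string" || r.transaction_id.length === 0) {
    return { ok: false, reason: "missing transaction id" };
  }
  // One receipt, one grant: the same receipt submitted again is a replay.
  if (consumedTransactionIds.has(r.transaction_id)) {
    return { ok: false, reason: "transaction already consumed" };
  }
  consumedTransactionIds.add(r.transaction_id);
  return { ok: true, productId: r.product_id, transactionId: r.transaction_id };
}

// Constructed sample replies (made up for this example, not captured from Apple).
const SAMPLE_VALID_REPLY = {
  status: 0,
  receipt: { bid: "com.example.mygame", product_id: "com.example.mygame.coins100", transaction_id: "1000000012345678" },
};
const SAMPLE_OTHER_APP_REPLY = {
  status: 0,
  receipt: { bid: "com.example.otherapp", product_id: "com.example.mygame.coins100", transaction_id: "1000000099999999" },
};
const SAMPLE_SANDBOX_REPLY = { status: 21007 };

// Hypothetical policy for a game whose bundle id is com.example.mygame.
function newPolicy() {
  return {
    expectedBundleId: "com.example.mygame",
    allowedProducts: new Set(["com.example.mygame.coins100", "com.example.mygame.unlock"]),
    consumedTransactionIds: new Set(),
  };
}

// Runs the samples through the check (the valid one twice) and returns the verdicts.
function demo() {
  const policy = newPolicy();
  return {
    first: checkReceiptResponse(SAMPLE_VALID_REPLY, policy),
    replay: checkReceiptResponse(SAMPLE_VALID_REPLY, policy),
    otherApp: checkReceiptResponse(SAMPLE_OTHER_APP_REPLY, policy),
    sandbox: checkReceiptResponse(SAMPLE_SANDBOX_REPLY, policy),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The consumed-transaction set is the part most people forget: Apple only tells you the receipt is genuine, not that you have already honoured it, so without your own record one legitimate purchase can be redeemed over and over.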

Are you sure about that, Agent_007?

What about:
a) Checking whether the device is rooted/jailbroken and closing the app if so…
b) Require internet connection to play, and use a secure database connection (that cannot be corrupted by MITM proxy) to check validity…

I plan on doing a whole bunch of security stuff in my game, to guard against both IAP abuse and high-score table abuse:

  1. App only runs on non-rooted, non-jailbroken devices, and only on specific OS versions (iOS 6+ and Android 4.1+)
  2. Secure DB connection
  3. Must have internet access to play app
  4. Fetch and store some vars at various intervals (not non-stop, which would be too slow) via internet; if an unauthorized memhack occurred, it would be detectable by not matching the cached DB value, and the game would terminate.

Otherwise, I can just think of way too many ways to corrupt the game, cheat, pirate, etc. But if I do all of the above… shouldn’t that work?

“Must have internet access” is pretty much an auto-delete for me. If Internet access was just required for the purchase that’s fine.

Receipt validation worked to deter most cheaters. But I guess as long as someone is able to change the code there’s nothing we can do no matter what right…

So is there a “Unity build” version of that page? I don’t know much about how to use Xcode… I use the Prime31 StoreKit plugin. How do I get receipt validation?

Using ‘jailbroken → does not work’ is a great way to get 1-star ratings in masses.
So in this case it would be simpler if you just stopped working on your title right away and spent the time and money on something else, if you intend to just flush the money down the toilet :wink:

You need to realize that Jailbroken != pirate. Some have jailbroken their device cause Apple forces them to do so (downgrade device, break carrier lock, get a more modern iOS with features even iOS7 is dreaming of, …) and all these paying, good customers are punished in your hope to get a few pirates.

Ask the Deus Ex developers about the concept of ‘draconian jailbroke device handling concepts’, they had to crawl back for their plain stupid idea within less than 3 days due to the shit storm and PR crashing down on them.

Using receipt validation is surely one step, the other step is to not make it a paid app right from the start but use IAP for unlock fullgame / time savers / extra content or an optimal ad solution for your product (you can make quite some money purely on ads, for many games actually much more than they will ever make from sales due to the flooded markets). That will get you more exposure and likely more money and will reduce the piracy problem.

Ah, but my app is not going to be a paid app, it will be free…

AND I would put right in the description that you must:
a) Use iOS 6+ (otherwise, in-app purchases can be cheated from what I understand, and since my business model RELIES on that, it’s a moot point to allow other people to hack it)
b) Not be jailbroken

So, anybody who would give 1 star reviews for something that explicitly states up-front the terms and conditions, and for which they have to pay NOTHING to play, is probably a childish pirate in the first place and I don’t want my game in their hands…

Yes, people like to complain about anti-piracy on all sorts of games (DRM on EA, for example); most of the people are complaining because they couldn’t steal something and have it for free [sometimes it is truly warranted, like when your computer crashes or you want to upgrade but your license is “locked up”… but mostly it’s just people who want to have something for nothing…]

Only about 11% of devices (both iOS and Android combined) are jail-broken/rooted [source: 404 not found | Codeproof ]. I’m not concerned about losing that potential 11% of customers (of which, probably more than 50% use the jailbreaking/rooting for illicit things like memory hacking and piracy…, so we’re talking about losing, what, 5% of a legitimate potential customer base?)

Do a search on these forums for a guy who made a non-protected game and ended up seeing 66,000 names on his high score table when only 2500 had paid for the content to be able to get their names on there… this means even if only 10% of those 66k had played by the rules, his income from the game would have nearly QUADRUPLED…

I guess you’ve never played highly-rated and highly-popular games like Tiny Tower, then (requires Internet to play; currently has 370,000 reviews and a 4.5 star rating)

I’m not sure we need to mention jailbroken devices in the first place. My friend here told me owners of jailbroken devices can’t download from the App Store and have to go to a different place to get things…is that true?

Not true. The App Store has always worked with jailbroken devices. I personally have always used my iPhones jailbroken since the 3G and it has never been about pirating (for me) but usability enhancements and theming. The first iOS versions were so feature-crippled that you almost had to jailbreak or switch back to other phones. It took Apple several years to finally add toggles in iOS 7, as an example :slight_smile:

I have seen a few apps in the App Store that warn about using them on a jailbroken device (not working at all, or might have unexpected behavior) but never had crashes or such. As for the jailbreak blocks, there are tweaks that stop apps from detecting jailbroken devices via the common methods. Making your own detection might get your app rejected depending on how you do it.

If by “tweaks” you mean “hacks/cracks”, then yes I am aware of those. (the fact of the matter is that nothing is un-hackable/crackable. That’s just the sobering truth.) … for example, you can class-dump-z the headers and then hook any functions which appear to be checking for jailbroken device (several methods, but one is to attempt a file open of /bin/bash)

HOWEVER, I am not aware of any way to do it outside of creating a cracked version of the app (which requires extra work, but it can – and will – be done, especially if the game gets any popularity…)

That is why I also propose signature checking and internet-based accesses… including receipt validation, but you can also serve certain data directly from DB instead of in local vars… and if you don’t, your only real options are: (a) Player Prefs, which will be abused (very easy to just go in and change the values); (b) in-game vars, which are easy to manipulate/cheat through memory hacking; (c) Secured Player Prefs, which I haven’t tried out but I’ve heard it’s good… I’m still investigating the details about how that one works and whether it would truly be a secure solution (mostly that you could use it to thwart memhacking)

PS. You may not have jailbroken your phone for illicit purposes, but every single person I know who has a jailbroken phone has downloaded at least one pirated app onto it… you would be a small minority. I think it’s very telling that China (one of the illegal hacking epicenters of the world) has a 30% jailbroken rate while in USA it is only 5-6% of devices…

I am still debating on the best route to go regarding this area, but I will for certain be doing server-checks and database-driven content delivery in the game…

EDIT - P.P.S.: Here’s a whole thread about people discussing apps that specifically check (and prevent use on) jailbroken devices (and people talking about using xCon to get around it – but it looks like there are, in fact, several apps that take this route, including big names like DirecTV, Redbox, etc.): Apps won't work with Jailbreak? | MacRumors Forums

I am not sure if you can use the AppStore or not (I’ve never used a jailbroken iOS, but have used rooted Android – in which case, yes, you can certainly use Google store even when rooted…), but the point of the matter is that if they “have to go to a different place” (biggest probably being Cydia), what they are going to do is find a cracked version of your app and play it with you getting zero money, if they are able to: (a) not pay for download; (b) memhack it; (c) bypass IAP

So I would want my app to be able to prevent most of those things EVEN IF it were cracked (this is also one of many reasons why I plan on using the free-to-download, funded-by-IAP model; if you just charge for the game but no IAP or ads, then you will not only get fewer paid downloads, but people can have the full game access for free just by using a pirated copy on a jailbroken device…)

I joined this discussion because a friend of mine mentioned I should upload the normal free version of our game to Cydia or other jailbroken phone accessible site. It sounds like that’s not necessary or a bad idea.

No I didn’t mean app specific cracks or such but system wide solutions like this: http://theiphonewiki.com/wiki/XCon

Yeah, I know the majority of jailbreakers do pirate at least something, which has led to the fact that many people automatically think jailbreaker == pirate, while at the beginning it was mostly about customization, operator unlocks and avoiding other artificial blocks (3G download limits, no wifi share, etc.).

Receipt validation and/or having a server-based game is probably the best solution at the moment. Also, it’s worth evaluating how much time you should spend on all these kinds of anti-piracy things and what the real effect on sales is. A good idea is to visit the sites where people chat about pirating and which apps they can’t bypass, and maybe check them out. Many do this, and it can also be seen that many projects have turned private and closed source.

I’m actually more concerned about cheats than about piracy, because I want to run a high score contest for my game and I can’t do that if people are cheating and/or hacking the high score boards…

I just had a thought for how to combat the memory-hacking issue without using internet or secured prefs file-reads…

When I see videos about how the kids these days are cheat-hacking their apps, it looks like they are typing in a value presented to them on the screen (say, “lives”, or “score” or “money”), and then this brings up memory segments storing that number, and then they change the number, and it filters the list down to numbers that changed from the first number to the second number.

Wouldn’t a fairly easy way to prevent this be to not ACTUALLY show the variable being stored on the screen? You could either have a built-in modifier “salt” modifier that you perform operations with, or – even better – you could randomize one at runtime, and simply use that to display the score?

    var score : float = 0.0;
    var scoreText : String = "";
    // Random salt chosen once per run; never shown to the player.
    var saltNum : float = Random.Range(0.01, 1000.0);

    function BoostScore(newPoints : float) {
        // Store the salted value, not the number the player sees.
        score += newPoints * saltNum;
    }

    function Update() {
        // Un-salt only for display.
        scoreText = (score / saltNum).ToString();
    }

of course, the random operator would be hidden from user at all times, so I haven’t seen any cheat-hacking tools that would allow a user to modify the score without having knowledge of the actual number being stored in that var… right?

I’m going to try it and see if my theory works… (I am really going to try to hack the crap out of my game and exploit it in every way possible, but especially mem-hacking and MITM proxy)

Yeah, that is what I was thinking the other day almost exactly. Don’t represent the value or even the name of what it pertains to in your save files.

Wrong. We can find any value based on what has just changed, even if it is not displayed on screen.
Cheaters can, for example, find their score simply by looking at how many points they’ve earned now and then searching for what has changed by that same amount of points, and there they find the real score.
The code you wrote there won’t work.

I built a tool to prevent these memory hacks by creating unreadable values to store in memory instead of storing real numbers. That pretty much works.

According to what you are saying here, my code WOULD work, because the change in your displayed/perceived score != the change in the actual stored score.

Example: if saltKey is 11.2, and you collect a coin in your game that gives you 100 pts, you would do a mem search for something that changed by 100 pts, right?

But when you collect that coin, you SEE “100 pts” on the screen, but what actually gets stored is: score += 100 * 11.2;

So your score didn’t actually change by 100 pts (which is what you THINK it did); the actual value changed by 1120. There’s no way for you to guess that number of change, because the only thing you know is that your score started at 0 and now “changed” by 100… but really what happened is you got 1120 pts, and the Display script showed you: score = 1120 / saltKey (i.e. 11.2)