By far coolest aspect of Adobe InMarket is its shockingly simple licensing API. The integration process is as simple as downloading the licensing.swc and adding five lines of code into your application.
Here is an example from the InMarket documentation:
package {
import com.adobe.licensing.LicenseManager;
import flash.display.MovieClip;
public class SimpleFlash extends MovieClip {
private static const MY_APPLICATION_KEY:String = "617c1d1f-e283-4ab6-be1f-55ce7f926a3f";
private static var DEBUG_MODE:Boolean = false;
private static var UPDATE_MODE:Boolean = true;
public function SimpleFlash() {
var licenseManager:LicenseManager = new LicenseManager();
licenseManager.checkLicense( this, MY_APPLICATION_KEY, UPDATE_MODE, DEBUG_MODE );
}
}
}
When your end-users run the application, they will be greeted with a nice looking dialog giving them the options to try the application for free or buy a full license.
As a developer, I am very impressed by the simplicity (and affordability) of Adobe's solution. The remaining question is whether Adobe InMarket is secure or not. I would like to stress that Adobe InMarket is NOT designed to be an intellectual property protection scheme, i.e., it does nothing to prevent attackers from decompiling your AIR applications and stealing your codes. Therefore, in this exercise, we are only interested in seeing if the InMarket licensing system can prevent an attacker from accessing the full application without purchasing a license.
The first step is to obtain an API Key and to download the licensing.swc library from the InMarket Portal. Next follow the above sample code to create a new Adobe AIR application. Finally, you will need to upload the .air package to the InMarket Portal This last step may be a bit confusing. Apparently, you will need to upload an application containing your API Key at least once before the key becomes active. Otherwise, you will keep getting an error message when you try to run your application from Flash Builder. Your initial upload can be as simple as those few lines of sample code, and you do NOT have to upload again until your application is finally completed.
Now that we have our test application, let's start the clock and see how long it will take for us to break the licensing system.
The obvious approach is to first decompile the SWF file using your favorite decompiler. That was easy as there seems to be no encryption or obfuscation at all. After browsing through the code, one class caught my eyes -
ActivationResponse. This class is used to contain the licensing information retrieved from the servers, and the property type represents whether the customer has a "full" or "trial" version of the application.So what if we change the getter function of
type so that it always return the value "full"?
Of course, it is not THAT simple. If you look carefully, you will notice that the
ActivationResponse class contains another property signature, which we can safely assume is the keyed-hash value of the entire ActivationResponse message. The LicenseManager uses this value to verify the authenticity of the ActivationResponse message to ensure that it has not been tampered with.So how can we break this? It's actually fairly easy once we've found the
RSASignature class. All we have to do is to force the class to return the value "true" all the time. Like so:
Finally, we run the modified SWF and voilĂ , you are no longer greeted with the popup dialog and the application behaves as if you have purchased the full version license.
The entire process took about an hour, but we can easily build an automated tool to break any InMarket-integrated applications in seconds now that we have identified this flaw. If you read the entire licensing.swc library carefully, you will notice some rather ingenious tamper detection and user identification algorithms. It seems that the engineers at Adobe have indeed put some thoughts into this. It's a shame that all of these protection schemes can be easily bypassed by two simple modifications.
Here is the bottom line: Adobe InMarket is an interesting concept. It has the cleanest and simplest API I have ever seen. Some developers may find it useful for managing their free or ad-supported apps; it does offer some values as a distributing, marketing, and tracking platform. At its current state, however, it fails to provide enough protection for your paid applications.
P.S.
Editing SWF bytecodes by hand can be quite tedious. That's why I have created a nice little utility for parsing and modifying SWF bytecodes. The tool is still very rough at its current form. Once I have polished it a bit, I will release it here. For now, here is a sneak peek:
No comments:
Post a Comment