4

I'm creating a .framework (or a static library) for a component that I developed and that I'd like to sell to third-parties.

I was planning to add some code to protect the framework from unauthorised re-use, re-distribution or re-sale.

I think a good way to achieve this would be to ask the purchaser to tell me the bundle ID of the app that will use the framework, save it in the framework as an NSString property and create a method that checks at runtime whether the bundle ID of the app that is using the framework matches or not.

However, I'd also like to make the framework available to try for free. Therefore I want to enable the bundle ID check only when the containing app is compiled in release mode, or when the app is running on the end user's device, outside the development sandbox.

Of course I can't use any methods that rely on variables or macros set in the project file, because they would be too easy to exploit. I need to do it at runtime... and without any action needed by the purchaser.

Is there a way to check at runtime if an app is running in the developer sandbox or not? Or if an app has been built with the release build profile?

Thanks!

Andrea
  • possible duplicate of [Detecting if iOS app is run in debugger](http://stackoverflow.com/questions/4744826/detecting-if-ios-app-is-run-in-debugger) – Black Frog Sep 13 '12 at 20:08
  • I checked it and it doesn't give a valid solution to the problem... – Andrea Sep 13 '12 at 23:39
  • @BlackFrog I found this answer: (http://stackoverflow.com/questions/3426467/how-to-determine-at-run-time-if-app-is-for-development-app-store-or-ad-hoc-dist) that might work... I'm checking its validity. – Andrea Sep 13 '12 at 23:56

1 Answer

1

In the past, I have implemented a simple time-bomb expiration in free to eval but not free to deploy components. The library would function up to a certain date X, and then stop working. The user would just have to re-download the latest bits to continue evaluating. On a paid order, a download link is provided without the time-bomb, or a license file with a digitally signed license disables the time-bomb logic altogether. Relying on run-time environmental characteristics is fragile at best.

  • Hi Daniel, thanks for your input. However your solution doesn't stop users that obtained an "unlocked" version from reusing, reselling or redistributing your component... – Andrea Sep 13 '12 at 17:02
  • It mitigates to some extent if you leverage the signed license file concept. There is no such thing as a foolproof license scheme. Plus, leaked copies might actually beget you more sales by acting as a marketing device...like pirated MS Office/Windows does for MS. – Daniel P. Bullington Sep 13 '12 at 17:56
  • Daniel, can you please point me to some documentation or online resource that explains how to implement the signed license file concept? – Andrea Sep 13 '12 at 23:41
  • Generically, you would want to use an asymmetric signature algorithm (Digital Signature Algorithm) to generate a license file (in XML or whatever), signed with your private key. Your app/component/whatever will read in the license file that has been signed, and validate against your public key. I would also suggest putting something into the license file that identifies who you issued it to. The license file is plain text but if altered, fails the signing verification process. I have implemented this in a Windows app to tie a license key to a single machine by way of C drive volume ID. – Daniel P. Bullington Oct 04 '12 at 17:39
  • We solved the problem in a different way: we added a public property called "license" and in the framework itself we put some logic to generate an encrypted string based on the Bundle ID. If it doesn't match with the license string, the framework stops working. We included a generic license with the framework, generated from a bundle ID that we already own. Everyone can try the framework without problems, but if they want to publish the app on the App Store, they must request a license for their bundle ID. Here is the final result: https://github.com/flubbermedia/FMStickerEngine – Andrea Oct 06 '12 at 02:38
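
The signed license file concept discussed in the comments above, as an added example (not code from the posters or from FMStickerEngine): the vendor signs a plain-text license naming the licensed bundle ID, and the framework, which ships only the public key, verifies the signature before trusting any field. Assumptions: JSON instead of XML, Ed25519 via Apple's CryptoKit as the asymmetric signature scheme, and the names `License`, `validate`, `outcome` and the sample bundle IDs are made up for illustration.

```swift
import Foundation
import CryptoKit

// License payload: readable by anyone, but any edit invalidates the signature.
struct License: Codable {
    let licensee: String   // who the license was issued to
    let bundleID: String   // the only app allowed to embed the framework
    let expires: Date?     // nil = paid license; a date = evaluation time bomb
}

enum LicenseError: Error { case badSignature, wrongBundle, expired }

// Framework side: only the vendor's PUBLIC key is compiled into the binary.
// In a real framework, runningBundleID would be Bundle.main.bundleIdentifier.
func validate(payload: Data, signature: Data,
              vendorKey: Curve25519.Signing.PublicKey,
              runningBundleID: String, now: Date = Date()) throws -> License {
    // Verify the signature over the exact bytes before parsing anything.
    guard vendorKey.isValidSignature(signature, for: payload) else {
        throw LicenseError.badSignature
    }
    let decoder = JSONDecoder()
    decoder.dateDecodingStrategy = .iso8601
    let license = try decoder.decode(License.self, from: payload)
    guard license.bundleID == runningBundleID else { throw LicenseError.wrongBundle }
    if let expires = license.expires, now > expires { throw LicenseError.expired }
    return license
}

// Vendor side (constructed demo data): the private key never leaves the vendor.
let vendorPrivate = Curve25519.Signing.PrivateKey()
let encoder = JSONEncoder()
encoder.dateEncodingStrategy = .iso8601
let payload = try encoder.encode(
    License(licensee: "Example Customer", bundleID: "com.example.paidapp", expires: nil))
let signature = try vendorPrivate.signature(for: payload)

// Simulated tampering: a third party edits the bundle ID in the license text.
let tampered = Data(String(decoding: payload, as: UTF8.self)
    .replacingOccurrences(of: "paidapp", with: "pirate").utf8)

func outcome(_ data: Data, bundle: String) -> String {
    do {
        let lic = try validate(payload: data, signature: signature,
                               vendorKey: vendorPrivate.publicKey, runningBundleID: bundle)
        return "accepted for \(lic.licensee)"
    } catch { return "rejected: \(error)" }
}
print(outcome(payload, bundle: "com.example.paidapp"))   // genuine license, right app
print(outcome(payload, bundle: "com.example.otherapp"))  // genuine license, wrong app
print(outcome(tampered, bundle: "com.example.pirate"))   // edited license text
```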