Hi,

Is this still the recommended way to integrate a validation? Or are the 
information and the recommended tools and downloads outdated?

Regards,

Matthias



> On 30.05.2012 at 20:50, Guglielmo Braguglia <guglie...@braguglia.ch> wrote:
> 
> Dear members of this list,
> 
> all of you, with your posts, your information and your suggestions, have 
> helped me many times so, this time, I would like to freely share 
> something that, I hope, is useful for all members involved in development of 
> OSX applications with LiveCode and interested in publishing their App in the 
> Mac App Store ...
> 
> ... a Livecode OSX External to validate the MAS Receipt.
> 
> As you probably already know, a user can download from the MAS the purchased 
> App on 5 different devices, but ... if inside your App you don't validate the 
> "MAS Receipt", ANY user can make a copy and distribute your App without any 
> control !
> 
> Unfortunately, the code to validate the MAS Receipt can't always be the same 
> because, otherwise, it will be too easy for crackers to discover the weak 
> point and to patch the code once and for all. For this reason, I think, Apple 
> has not provided a fixed 'call' to use, but has provided some guidelines :
> 
> https://developer.apple.com/library/mac/#releasenotes/General/ValidateAppStoreReceipt/_index.html
> 
> As you can see, writing good MAS Receipt Validation code is not so 
> simple, but for this, fortunately, there is on the App Store a very good 
> program, called Receigen.
> Each time you run it, Receigen generates a complex C "MAS Receipt Validation" 
> source code, where the constants and the strings are re-obfuscated, the 
> checks are performed differently, and the code flow changes, so … each time a 
> different, unique code ! (more info on : 
> http://receigen.etiemble.com/index.php)
> 
> So, starting from this, I developed a very simple External for LiveCode, to 
> call the validation process from inside our applications. :-) 
> 
> You can download the following items from my web server :
> 
>     - All you need to build YOUR validation External : 
> http://www.phoenixsea.ch/downloads/phxMASValidate.zip
> 
>     - A simple test program that shows how to dynamically load and how to 
> call the External : 
> http://www.phoenixsea.ch/downloads/phxMASValidate_TestProgram.zip
> 
>     - An 8 minutes video showing "How To Do" : 
> http://www.phoenixsea.ch/downloads/phxMASValidate.mov
>     ... about this video ... I know that probably the slides go too quickly, 
> but you can still use the pause/resume button to stop and resume the video.
> 
> Now, to briefly explain "How to do" ...
> 
> 1. with Receigen.app generate your MAS Receipt Validation C code (DON'T 
> FORGET to flag the "Perform only receipt checks" on Advanced Settings) and 
> save in a file named receigen.h
> 
> 2. go inside phxMASValidate folder and replace the file : 
> phxMASValidate/phxvalidate/src/receigen.h with your just generated
> 
> 3. go back inside : phxMASValidate/phxvalidate/ , start XCode and open the 
> project phxvalidate.xcodeproj
> 
> 4. to avoid problems, first do a "Clean" so ... from the menu bar, select 
> Product -> Clean
> 
> 5. verify that the 'Release' build is selected, so ... from the menu bar, 
> select Product -> Edit Scheme and verify that the Build Configuration is on 
> Release
> 
> 6. still to avoid problems, put YOUR bundle identifier for this external, so 
> ... click on the left pane, on the first item (the project name, with blue 
> small icon) and in the central pane, on the Info TAB, the first row is 
> 'Bundle Identifier' ... change it (e.g. com.yourname.phxvalidate)
> 
> 7. build the external, so ... from the menu bar, select Product -> Build ... 
> XCode must say : 'Build Succeeded'
> 
> 8. you can close XCode ... your external is ready ! You will find it in : 
> phxMASValidate/phxvalidate/_build/Release/phxvalidate.bundle
> 
> 9. Include this external in your LiveCode app and, on the preOpenStack (... 
> but I suggest calling it also at different points of the code to make the 
> crackers' work harder), call :
> 
>     put phxValidateMAS(the filename of this stack) into tRetCode
> 
> where the phxValidateMas is the name of the C call that you find into my 
> source code; the parameter is the Path to the REAL executable that you find 
> inside your Mac .app and tRetCode is the return code (... 0 if all is OK).
> 
> That's all ...
> 
> Important note : 
> fortunately/unfortunately, LiveCode is not a real common language so, as far 
> as I know, there are no LiveCode decompilers and it's not so easy to debug a 
> LiveCode application. The weakness is exactly the external, which is a real 
> OSX executable, easy to debug and to replace.
> About debugging ... Receigen creates a quite complex code to debug, but ... 
> anybody can easily replace the bundle with another one with just 'return 0' 
> as return value for my validation call.
> To avoid this, you MUST find a way to validate the external BEFORE using it.
> I have spoken with the author of Receigen and, after having explained the 
> situation, he also suggested to protect the External with different checking.
> 
> So, in my programs, I obfuscate the following values :
> 
>     - the MD5 of the External CODE (the real one that you find INSIDE the 
> External bundle)
>     - the SHA1
>     - the size in bytes
> 
> ... and I will check the values each time, before calling the External ! 
> Quite difficult to work around ...
> 
> If you need, don't hesitate to contact me.
> 
> Guglielmo
> 
> _______________________________________________
> livecode-dev mailing list
> livecode-...@lists.runrev.com
> http://lists.runrev.com/mailman/listinfo/livecode-dev




_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
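
The check described in the quoted message (size, MD5 and SHA1 of the external's executable, verified before the external is called) could look like the following in LiveCode. This is an added example, not code from the original post or from phxMASValidate; the names `externalIsUnmodified`, `receiptIsValid`, `pExternalPath` and the three constants are hypothetical, and the expected values are constructed placeholders.

```livecode
-- Added example. The three expected values are constructed placeholders:
-- compute the real ones from your own Release build of the external.
-- The post stores them obfuscated; they are plain here for readability.
constant kExpectedSize = 0
constant kExpectedMD5 = "00000000000000000000000000000000"
constant kExpectedSHA1 = "0000000000000000000000000000000000000000"

-- Returns true only if the file at pExternalPath matches all three values.
-- pExternalPath is the executable inside the external bundle (assumption:
-- the caller knows where that file sits in the built application).
function externalIsUnmodified pExternalPath
   local tData, tHex
   put URL ("binfile:" & pExternalPath) into tData
   -- Fail closed: a missing or unreadable file counts as tampering.
   if the result is not empty then return false
   if length(tData) is not kExpectedSize then return false
   -- md5Digest and sha1Digest return raw bytes; convert them to hex text.
   get binaryDecode("H*", md5Digest(tData), tHex)
   if tHex is not kExpectedMD5 then return false
   get binaryDecode("H*", sha1Digest(tData), tHex)
   if tHex is not kExpectedSHA1 then return false
   return true
end function

-- Hypothetical wrapper: verify the external first, then make the call
-- shown in step 9 of the post (0 means the receipt is valid).
function receiptIsValid pExternalPath
   if not externalIsUnmodified(pExternalPath) then return false
   return phxValidateMAS(the filename of this stack) is 0
end function
```

Any rebuild of the external changes all three values, so they have to be recomputed from the final Release binary each time.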
