Mac App Store, what DRM exists and how to authenticate purchases? - macos

I have an app on the Mac App Store.
To meet the store requirements I had to remove my own serial code requirement at startup and then use Apple's purchase mechanism.
This raises some issues.
I have no way of knowing if a user has paid or not.
The /MASReceipt/receipt data appears to only guarantee that the original purchase was genuine.
So what's stopping someone simply copying the .app to another Mac?
I tried this and it worked.
As I am in a sandbox and cannot see the actual Mac, how can I differentiate between the purchase Mac and the Mac the app is used on?
I am actually happy for the user to install on many Macs that are using the same iTunes account or are part of Family Sharing.

You can validate the receipt either locally or through the App Store.
See the Receipt Validation Programming Guide.
This is basically just a deterrent like most any other protection; a clever person can generally pirate an app at will, and there's not a whole lot you can honestly do. I would recommend focusing on making your app better — if it's worth buying then usually people are willing to pay for it.

Related

Code signing MacOS application without Apple Developer Account

I just finished developing a macOS application. I compressed my application and gave the zip to my friend. Then he said that it is from unknown developer. I don’t want that to show. So I found out that you have to pay 99$ for distribution. I don’t want to pay any money. I don't know how to do that. Can you please help me with that?
I just finished developing a macOS application. I compressed my application and gave the zip to my friend. Then he said that it is from unknown developer.
That's Gatekeeper. The whole point of Gatekeeper is to provide a level of assurance that your app isn't malicious, and that assurance comes from Apple.
So I found out that you have to pay 99$ for distribution.
You can distribute your app yourself, but in order to avoid the Gatekeeper warning you have to sign the app with a key that matches a certificate issued by Apple, and you have to have the app notarized by Apple. You're not paying for distribution, but you are paying for membership in Apple's developer program, which enables you to create certificates etc.
I don’t want to pay any money. I don't know how to do that.
I don't know how to do it either, and as doing it would pretty much defeat the point of Gatekeeper and undermine Apple's efforts to protect its platform from malware, it's probably not realistically possible.

Do I need to protect my desktop app if distributed over AppStore?

I have made a simple desktop app that I want to sell through the AppStore. Of course I want to be protected against piracy. Does AppStore give any protection? How does that process work?
For instance, what prevents a dishonest person from buying my app and then uploading it to a torrent and sharing it with others? If these other people download my app, will they automatically be asked for their identity check (Apple ID and password) the first time they try to use my app, thus preventing them from using it if they have not bought it legally?
If this identity check does not happen automatically, then do I need to add some code in my app that will ask for the identity check? If so, where can I find info about how to do that?
I'm not entirely sure how this process works. Could somebody shed some light on it?
The Mac App Store slips a receipt into the bundle each time it is downloaded. The receipt contains information about the computer used (the so-called GUID) and the user logged into the App Store.
See here how you should validate the receipt:
https://developer.apple.com/library/mac/releasenotes/General/ValidateAppStoreReceipt/Introduction.html#//apple_ref/doc/uid/TP40010573
If you implement the GUID validation as described in the document, the app will not run on any other computer.
Also check the signature of your code to make sure it has not been tampered with:
Verifying app's signature by code
Your application, when downloaded from the App Store, contains a receipt. The receipt contains proof that it was downloaded onto this computer from the App Store, and the ID of the application. There are instructions somewhere on Apple's website that tell you how to verify the receipt and what to do if the verification fails.
That said, you are much better off concentrating on writing an app that people actually want to buy. People who pirate your app wouldn't hand over money if it couldn't be pirated. They would do without it, pick some free app, or pick a different app that they can pirate.
And I'm quite sure that any copy protection you build into your app yourself will get it rejected from the App Store.
Even though the answers I've got were helpful, they didn't quite provide the answer I needed. Looking around I found a software called Receigen from Laurent Etiemble, and the FAQ on his site (http://receigen.etiemble.com/faq.html) gave many answers for what I was looking for. For instance:
What is an App Store receipt validation? Why is it needed?
Basically, an App Store receipt is what an application must check to ensure that the copy is genuine and can be run.
What happens if I don't check the App Store receipt?
Well, anybody with a copy of your application can run it, with or without proper authorization.
Is the code receipt validation easy to write?
No, because it requires deep understanding of cryptography and secure coding techniques.
It didn't hurt either that Receigen generated code that freed me from dealing with receipt validation code. Receigen takes care of this part so I can focus on what is really important for me: my application.
Yes, it costs money but personally I am more than glad to pay it, because I find this part of the development tedious, boring and complex.
TPInAppReceipt is a great package for this.
I was able to easily add local receipt validation after trying many other solutions less successfully:
https://github.com/tikhop/TPInAppReceipt
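The GUID check the answers above refer to, as an added example (not code from any of the posters or from the libraries they mention). It assumes the receipt's PKCS#7 signature has already been verified and its payload extracted, and it uses the layout from Apple's Receipt Validation Programming Guide: attribute types 2 (bundle ID), 4 (opaque value) and 5 (SHA-1 hash), with the hash taken over GUID, opaque value and raw bundle ID bytes, where the GUID on macOS is the primary network interface's MAC address. Function names and the sample values are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_attributes(payload):
    """Map attribute type -> raw value from SET OF SEQUENCE {type, version, value}."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x31:
        raise ValueError("receipt payload is not an ASN.1 SET")
    attrs, pos = {}, 0
    while pos < len(body):
        _, seq, pos = read_tlv(body, pos)
        _, attr_type, p = read_tlv(seq, 0)  # INTEGER type
        _, _, p = read_tlv(seq, p)          # INTEGER version (unused here)
        _, value, _ = read_tlv(seq, p)      # OCTET STRING value
        attrs[int.from_bytes(attr_type, "big")] = value
    return attrs

def receipt_matches_device(payload, device_guid, expected_bundle_id):
    """True only if the receipt names this bundle ID and hashes to this GUID."""
    attrs = parse_attributes(payload)
    if not attrs.keys() >= {2, 4, 5}:
        return False
    bundle_raw, opaque, stored_hash = attrs[2], attrs[4], attrs[5]
    _, bundle_id, _ = read_tlv(bundle_raw, 0)  # type 2 wraps a DER UTF8String
    digest = hashlib.sha1(device_guid + opaque + bundle_raw).digest()
    return bundle_id == expected_bundle_id.encode() and digest == stored_hash

def _der(tag, value):  # sample-data helper; short-form lengths only
    return bytes([tag, len(value)]) + value

def build_sample_payload(guid, bundle_id, opaque):  # constructed, not Apple data
    bundle_raw = _der(0x0C, bundle_id.encode())
    digest = hashlib.sha1(guid + opaque + bundle_raw).digest()
    return _der(0x31, b"".join(
        _der(0x30, _der(0x02, bytes([t])) + _der(0x02, b"\x01") + _der(0x04, v))
        for t, v in ((2, bundle_raw), (4, opaque), (5, digest))))
```

A receipt built for one MAC address passes on that machine and fails on any other, which is why an app that skips this check keeps running after the .app is copied to another Mac.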

Mac app - check App Store receipt

Many of the possible duplicates seem to address methods of updating apps both normally and via App Store.
This one mentions a few working solutions:
Mac App Store Receipt Validation Code?
For programmers like me who want to not reinvent the wheel from the Apple Docs:
https://developer.apple.com/library/mac/#releasenotes/General/ValidateAppStoreReceipt/_index.html
My problem is that I'm having a hard time finding finished "libraries" that work.
I would simply like to know if anyone has had success with any of these open-source projects and whether any of them are particularly easy to use.

Is the mac app store required?

If I make an application for Mac OS X am I required to put it on the Mac app store or can I distribute it, on my website, for free?
And what about Windows?
Thanks
No, there is no such requirement; you are free to distribute your program however you want.
You may wish to use the App Store as a method of distribution, but to do that you have to conform to various Apple requirements.
I'm not sure what the equivalent would be for Windows, but again, there is no such requirement. Think of the millions of independent apps that have no affiliation to any centralized store, I would say the majority still fall in this category.
2018 Update - With increasing security concerns, and a desire to replicate the success of the iOS App Store, Apple have been making it harder and harder to run apps from outside the store. You can get digital certificates, and become a trusted developer, but it’s clear the future is the AppStore or broke if you want users to be able to easily run your app. Note that it remains, and likely always will, very possible to install and run any unauthorised app with a simple trip to settings, it’s just that’s clearly a big deterrent for many users, as it should be.
You don't have to distribute it over the Mac App Store right now, but that might change with the next OS X. Make sure to check this out: https://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
You can distribute it however you'd like. It does not need to be in the Mac App Store. Same thing for Windows.

Check if Mac App was taken from Mac App Store with Cocoa

I'm trying to give a license to all the users who have bought my app from Mac App Store in order to give them faster updates.
What I was thinking is to do an update for the Mac App Store version of the app that will let the user register from within the application itself. But I'm having problems figuring out how to test if the application was really taken from the Mac App Store and not from a pirated source.
Is there a way to test if the user bought the app from AppStore? Apple does not release this info - as if it would - I could just test if that user email is in the list of people who downloaded the app from AppStore.
Thank you in advance for the help,
Bogdan Vladu
You could have the MAS version of your application copy the Apple-issued receipt to the Application Support folder.
The independent version could look there for a valid receipt. If there is, it will behave like the fully licensed version. If there is not, it would go to demo mode.
If you're making enough money from this app to pay money for DRM and obfuscation, go for it. It might slow down the pirates enough for it to be a profit for you.
Otherwise, you're pitting your own time and skill against everyone who's interested in pirating your app. It's a losing battle, unless your app is really unpopular, in which case you've lost again.
In short, there's no algorithmic way of making sure. Code obfuscation is the way to go, and hope that the pirates don't find the "check-for-tampering" module.
