Blackberry PlayBook Application Copy Protection

    In this article I will show that, at the moment, there is practically no copy protection as such. In other words, if you are developing an application, you should understand that almost all of your know-how can be extracted without any special tricks. I will demonstrate this by example: I take my own application and try to recover its sources.

    Let me clarify right away: I am not a hacker or a security specialist. I am a mathematician by training and came to programming self-taught, so my language may seem amateurish to some. My goal is to point out the vulnerability and get people thinking about it. How useful this information is, you can judge for yourselves.

    Some time ago I came across an article describing how bar files¹ can be installed directly on the device, bypassing the store. That in itself is not news; bar files can be installed much more simply. What puzzled me was not the clumsy Java application but the fact that it came with 20+ bar files, among them Angry Birds, which had not been officially released for the PlayBook. I wondered where they could have come from.

    Since I had not yet heard of root access to the device, and all file managers have limited access, I concluded that the bar files had been intercepted in transit, and decided to check this assumption.

    I look up "sniffer" on Wikipedia and take the first one mentioned, the free Wireshark.
    It installs without problems and everything is intuitive: I open the desired network adapter, launch the PlayBook, and in the sniffer set a filter on the PlayBook's IP. I see a few entries, but the sniffer does not react to web pages being viewed on the device. As Wikipedia teaches us, this is because I have a switch, not a hub.

    OK, I install 3proxy. I direct logging to the console and specify the internal interface (the desktop's IP), the external interface (any, 0.0.0.0) and port 3128.
    To do this, I run the proxy command:
    proxy -l -i192.168.1.34 -e0.0.0.0 -p3128
    A configuration file would also work, but this is faster.

    In the PlayBook's connection settings I specify this proxy (192.168.1.34), connect, and see log entries start to flow. In the sniffer I change the filter to the IP on which the proxy listens and restrict it to the HTTP protocol.
    The filter looks like this:
    ip.addr == 192.168.1.34 && http

    On the PlayBook I go to App World and find my PlayIrc application, an IRC client with a proper Russian keyboard and encoding support. I install the demo version and stop the capture in the sniffer.

    In the sniffer I see:
    GET http://appworld.blackberry.com/ClientAPI/file/
    followed by some file number. I right-click the record, choose Follow TCP Stream, and in the window that appears click Save As and enter the name PlayIrc_cracked.bar.
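    The point of this step is that the store hands out the application package over plain HTTP, which is exactly what a proxy log or a capture makes visible. The following script is an added example, not part of the original post or of any RIM tooling: it scans proxy-style request lines and flags package downloads from the store host that were not carried over TLS. The log format, the host name set and the "/ClientAPI/file/" path pattern are assumptions modelled on the request shown above, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines in an assumed "CLIENT METHOD URL STATUS" format
# (not real 3proxy output). The third line is what an encrypted channel would look like.
SAMPLE_LOG = """\
192.168.1.40 GET http://appworld.blackberry.com/ClientAPI/file/12345 200
192.168.1.40 GET http://appworld.blackberry.com/ClientAPI/content/67890 200
192.168.1.40 GET https://appworld.blackberry.com/ClientAPI/file/12345 200
192.168.1.41 GET http://example.org/index.html 200
"""

# Assumptions: the store host and the path prefix under which packages are served.
STORE_HOSTS = {"appworld.blackberry.com"}
PACKAGE_PATH = re.compile(r"^/ClientAPI/file/")


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    client, method, url, status = parts
    u = urlsplit(url)
    return {
        "client": client,
        "method": method,
        "scheme": u.scheme.lower(),
        "host": (u.hostname or "").lower(),
        "path": u.path,
        "status": int(status),
    }


def find_cleartext_package_downloads(log_text):
    """Return the records where an application package left the store over plain HTTP."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["scheme"] == "http"
                and rec["host"] in STORE_HOSTS
                and PACKAGE_PATH.match(rec["path"])):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in find_cleartext_package_downloads(SAMPLE_LOG):
        print(f"cleartext package download: {rec['client']} -> {rec['path']}")
```

    Only the first sample line is reported: the second is not a package path, the third is over HTTPS, and the fourth is a different host. The same walk over a real proxy log tells a developer or administrator whether packages are still leaving the store unencrypted.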

    You can first verify that this really is a zip archive by changing the extension to zip and opening it with an archiver. Inside I see two folders:
    air - the application's SWF itself and its resources;
    META-INF - manifests, information about the digital signature and so on.
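    Since a bar file is just a zip archive, anything that reads zip can enumerate it. The script below is an added example, not code from the original post or from RIM: it builds a constructed stand-in for a bar file in memory (the manifest attribute names, the AUTHOR.SF/AUTHOR.EC file names and the SWF bytes are assumptions, not taken from a real package), then lists the top-level folders, parses the manifest, and reports whether signature files are present. The signature files only tell you who signed the package; nothing in the archive hides the SWF, which is the point the post makes.

```python
import io
import zipfile


def build_sample_bar():
    """Construct a zip laid out like a PlayBook bar (assumed layout; constructed contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Assumed manifest attribute names; values are constructed.
        z.writestr(
            "META-INF/MANIFEST.MF",
            "Archive-Manifest-Version: 1.1\r\n"
            "Package-Name: com.example.playirc\r\n"
            "Application-Version: 1.0.0\r\n",
        )
        # Assumed signature file names; contents are placeholders.
        z.writestr("META-INF/AUTHOR.SF", "Signature-Version: 1.0\r\n")
        z.writestr("META-INF/AUTHOR.EC", b"\x30\x00")
        # The application itself: an uncompressed-SWF header ("FWS") plus filler.
        z.writestr("air/PlayIrc.swf", b"FWS" + b"\x00" * 13)
        z.writestr("air/icon.png", b"\x89PNG")
    return buf.getvalue()


def parse_manifest(text):
    """Parse 'Key: value' lines into a dict, ignoring anything else."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def inspect_bar(data):
    """Enumerate a bar archive: folders, manifest, SWF files and signature files."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        top_level = sorted({n.split("/", 1)[0] for n in names})
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        swf_files = [n for n in names if n.startswith("air/") and n.lower().endswith(".swf")]
        # Heuristic (assumption): signature material lives in META-INF with these suffixes.
        signature_files = [
            n for n in names
            if n.startswith("META-INF/") and n.upper().endswith((".SF", ".EC", ".RSA"))
        ]
        # The SWF is stored as-is: its first bytes are readable without any key.
        swf_header = z.read(swf_files[0])[:3] if swf_files else b""
    return {
        "top_level": top_level,
        "manifest": manifest,
        "swf_files": swf_files,
        "signature_files": signature_files,
        "signed": bool(signature_files),
        "swf_header": swf_header,
    }


if __name__ == "__main__":
    report = inspect_bar(build_sample_bar())
    for key, value in report.items():
        print(f"{key}: {value}")
```

    Run against the constructed archive, the report shows the two folders, the parsed manifest, the one SWF with its plain "FWS" header, and the presence of signature files. The signature check is a presence heuristic, not a cryptographic verification.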

    I deploy the bar file to the simulator and to the PlayBook. In both places it installs and runs without problems.

    What can an attacker do next?

    Option 1. The dumb hacker, that is, a hacker who is not a programmer. He can set up his own site and post the intercepted bar files together with the installer. A paid program has become free. In fairness it should be noted that the bar file may store information about who it was intended for: since I downloaded it myself, the check on the device succeeded, and in the simulator this check, if it exists, is most likely disabled. For a clean experiment it would be good to try installing the bar file on another PlayBook, but I don't have that option. So perhaps the dumb-hacker option is not so simple. However, this does not affect the next option.
    Option 2. The hacker-programmer. Everything is the same, but first he takes an SWF decompiler, obtains the full sources, disables the demo restrictions, or simply steals the code. A demo has become the full version.

    Let's see how difficult the second path is. I google "SWF Decompiler", install the trial version of Sothink SWF Decompiler and open the PlayIrc SWF. It complains that it cannot find the flash.filesystem.File class; that doesn't matter. I see the whole class structure, all packages and resources. Since I gave the classes and packages understandable names and made every effort to keep the code easy to modify and debug, I easily (not because I am the author and know where to look, but genuinely without difficulty) find the class that shows the advertising banner. Finding the limit on the number of open channels is somewhat harder, but that too is done without trouble. The modified source could be recompiled, the logos replaced, and the result put back on sale or released to the public as a bar file.

    All this is very depressing.
    I suppose RIM should somehow protect the data transfer.
    Until that happens, I see no other way but to obfuscate the code.

    Of course, you can add constant online checks and send dynamically changing keys, but it seems to me that it would not be very difficult to find the relevant code fragment and remove the check.

    Footnotes:
    1. Bar files. Bar files for the BlackBerry PlayBook are the same as jar files for Java: just zip archives containing compiled classes, resources and manifests, in short, everything needed to run the application.


    This is my first post on Habr; I hope I have not broken any rules and that my information is not too trivial.

    Upd.
    To summarize.

    Hacking has always existed and always will. Like most things in our lives, hacking begins at the moment it becomes profitable, that is, when in terms of time and money it is cheaper to hack than to buy or to use an alternative.

    This article is not intended to point out new hacking methods or technologies. On the contrary, all the information in it is known to any advanced user and has been discussed many times.
    Nor does this article intend to cover all methods of illegal copying; it shows the existence of one, but a very simple one.

    The point of the article is precisely that RIM has created conditions under which the "cost" of hacking is extremely low, and this should be taken into account during development. The situation could be changed if the communication between the device and the store were encrypted.
