[guessmyname]

> Sounds interesting. Did you publish the source code?

Thanks, but no, I did not.

At the risk of sounding like a hypocrite, I do not want to enable other people to “steal” from these companies.

These companies surely do not care if I use their apps for me, because I am just one person among several thousand potential customers. However, if I publish the code, many of these potential customers may stop purchasing their software licenses or subscriptions, and I do not want to be responsible for their loss in revenue.

Also, I spent a lot of hours reverse engineering these apps and their corresponding APIs. I would not get anything out of publishing the code: it will not get me a better job, it will not get me clean money, it will not get me good publicity, it will do no good to anyone other than the people who want to use these apps for free without doing any work.

---

> I have no idea how something like this would be built, especially in a way that it allows checking on telemetry; would be interesting to look at it.

For the sake of learning, I will give you some hints: I originally used nginx, then I wrote my own Go program, and nowadays I use envoy proxy, but pretty much any proxy server will do the trick. Then, I created and installed my own Certificate Authority to automatically trust any self-signed certificate. Maybe you can use mkcert for that. That is the easy part. The difficult part(s), and the meat of the solution, is to reverse engineer every app to understand what and how it does things. I have used several disassemblers over the years but the one I like the most is Hopper Disassembler (https://www.hopperapp.com/). You may find API keys, public SSL certificates, JSON field names, form field names, etc. and you simply need to put the pieces together to re-implement the API endpoint(s) that the app expects to use.

Sometimes it is very easy, sometimes it is very difficult. You will learn a lot for sure.

[jamil7]

> At the risk of sounding like a hypocrite, I do not want to enable other people to “steal” from these companies.

I can almost guarantee if you know about this others do too and will potentially sell or exploit it. I'd try reporting it again. Publishing it might ultimately get them to fix it, but is kind of the nuclear option.

[roel_v]

"Everybody" (i.e., everybody who thinks about this for 20 seconds) knows about this. Licensing is a matter of throwing up enough roadblocks to prevent the majority of users from easily bypassing your checks. There is no way to stop a determined attacker. That effort is likely better spend on developing new features.

I wrote several 'licensing systems' over the years. It's a honey trap for developers - it's so easy to overthink it and spend months on 'hardening' your licensing, to the point where you have to check the generated assembly to see if your compiler doesn't do something clever where now all of a sudden 'cracking' your software turns into replacing a single JNZ instruction with a JMP. If you really 'need' protection against this, you use a 3rd party product which essentially converts your program into something that runs on their proprietary virtual machine.

But if you do online license checking - how do you even 'fix' this? It's trivial to MITM all requests. So now you have to obfuscate your API calls, put in extra layers of crypto, hide your private keys for that will enough in your machine code, ... All of which will be cracked by someone halfway experienced in a matter of days. I think it's most likely the companies the GP reported this to just decided it's best to not bother until they have actual proof that this is a wide enough spread problem for them to make it worth putting in significant dev resources (because it does require significant resources).

[nicolas_t]

One thing I'd find very interesting is if you report somewhere any apps that send telemetry even though the telemetry option is disabled. As you say, little snitch can't completely help with this since we're still often forced to let the app verify it's registration information.

I wonder how many bad actors there are or if the vast majority of apps are trustworthy.

[bloqs]

Thanks for the hints. Little jackpots like this are great learning motivation for some

[pcmaffey]

The most useful thing you could write about / publish would be to educate developers how to harden their apps against such reverse engineering.

[ttoinou]

It might force them build better APIs :)

[polartx]

You’re right, you do sound like a hypocrite.. especially if you use any freely shared, open source software (in addition to the pirated software you proudly proclaimed to use).