Subject: Re: [boost] [encrypted strings]
From: Phil Endecott (spam_from_boost_dev_at_[hidden])
Date: 2009-04-28 04:54:29


"Raindog" wrote
> Phil Endecott wrote:
>> Sid Sacek wrote:
>>> Does boost have any compile-time classes for string encryption? Is it
>>> even possible?

>> #define C(x) ((x)^0x42)
>> const char secret[] = {C('s'), C('e'), C('c'), C('r'), C('e'), C('t')};
>>
>> Maybe variadic templates would let you write that as
>> obfus_string<'s','e','c','r','e','t'> - but watch out for that putting
>> a less-obfuscated version in the symbol table.

>> (Not writing iPhone apps are you? Many apps now check if they are
>> legitimate copies with something like: if
>> (some_api_fn()=="signed_by_apple") - the cracker only needs to corrupt
>> that string in the app to defeat the check.)

> No offense Phil, but the method of string encryption you chose will last
> no more than the 15 minutes it takes a hacker to write a script to
> automatically decrypt every string encrypted with the algorithm you
> chose and any other method based on DecryptString(encrypted_string_here).

There is an app for cracked iPhones that lets the attacker crack other
apps in "one click". A user of this app needs less skill to crack apps
than it takes to make a phone call.

You wrote in another message that "anyone unable to bypass the methods
suggested would be unable to bypass a plain text target". I do not
agree. An app that implements any trivial form of defense against this
one cracking app will be safe from 99% of the crackers. Obfuscating
the string test in the trivial defense will make it safe from the 99%
of the rest and from the "next version" of the cracking app. The
decision as to whether to expend the effort (or spend the money) to try
to defend against the determined 0.001% who are left is up to the developer.

Phil.
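
Added example, not part of the original post or of Boost: a C++11 sketch of the `obfus_string<...>` idea quoted above, using the same 0x42 XOR constant as the `C(x)` macro. The class body, the `stored()`/`decode()` names and the `volatile` read are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// obfus_string is the name floated in the post; this body is an assumption.
template <char... Cs>
struct obfus_string {
    enum : unsigned char { key = 0x42 };  // same constant as the C(x) macro

    static constexpr std::size_t size() { return sizeof...(Cs); }

    // Bytes as they sit in the binary: each character XORed at compile time.
    static const char* stored() {
        static const char enc[sizeof...(Cs)] = { static_cast<char>(Cs ^ key)... };
        return enc;
    }

    // Run-time decode. The volatile read keeps the optimizer from folding
    // the XOR back into plaintext constants.
    static std::string decode() {
        const volatile char* e = stored();
        std::string out(size(), '\0');
        for (std::size_t i = 0; i < size(); ++i)
            out[i] = static_cast<char>(e[i] ^ key);
        return out;
    }
};

// Caveat from the post: the instantiation's mangled name encodes the
// character codes as template arguments, so an unstripped symbol table
// still describes the string.
using secret = obfus_string<'s', 'e', 'c', 'r', 'e', 't'>;

int main() {
    std::cout << secret::decode() << '\n';  // prints the decoded string
}
```
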


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk