×

Discussion Board

Page 4 of 7 FirstFirst 1234567 LastLast
Results 46 to 60 of 105
  1. #46
    Registered User
    Join Date
    Dec 2006
    Posts
    2,280

    Re: Serious Concerns About Ovi Store and DRM FL

    I have to admit to being somewhat surpised when I heard that Nokia rolled out the Ovi Store with the only protection for app developers being a system that has been known to be easily cracked for years.

    As has been mentioned and/or hinted at in this thread, there's no such thing as an uncrackable app. I've suggested before that the issue is one of cost vs cracking effort vs risk vs perceived value of the app.

    A simple IMEI check for a registered version (or from a special signature on the SIS file - nice solution Paul) can be removed from the application by a sufficiently dedicated cracker. However, that same cracker could insert malicious code in the application - is it worth the risk? Depends how much the app costs and how much you want it. Lots of people that download cracked apps wouldn't pay for them anyway, so you haven't lost a sale.

    You can of course make cracking much harder by being "creative" (as Marcus points out) to obfuscate the security check (and place multiple security checks in the application, some of which are actually supposed to fail). Construct a pointer to the relevant function to call at runtime to defeat static anaylsis for instance (or, rather than statically link to the necessary DLL, you can load dynamically and do some arithmetic to "compute" the ordinals to call).

    However, were the phone firmware (could also be bundled with the Ovi store client) to include a license management server you get a much more flexible solution. I wrote about this nearly a year ago on my blog:
    http://blogs.forum.nokia.com/blog/ma...icense-manager
    Sadly no-one wanted to step up and start a project at the time.

    The only things I'd add are that when I wrote that there was no central store. Now there is one, Nokia has an incentive to provide a solution. Any solution for higher value content that doesn't require application developers to change their code (in a non-trivial way) to use it is going to be the wrong solution. It will be cracked and that will expose ALL of the applications that use it. It has to be necessary to find a new crack for each application individually.

    Note that the license manager component I propose is a potential weak point, but it would have to have DRM capability and no-one is going to be granted that to re-sign a cracked version of the license manager or Ovi Store app. A "jail-broken" phone is again required there.

    That doesn't mean there can't be simpler options like forward locking for lower value content of course.

    Mark

  2. #47
    Super Contributor
    Join Date
    Nov 2004
    Location
    Wiltshire, UK
    Posts
    3,644

    Re: Serious Concerns About Ovi Store and DRM FL

    Personally I can't see why Nokia just did not go with OMA-DRM 2.0 for content protection at least this offers more of a defense than forward locking.

    Any solution using DRM verification via a component will have to be built into the ROM since the component can be uninstalled and a fake one self signed or signed with a devcert could be installed to replace it.
    Download Symbian OS now! [url]http://developer.symbian.org[/url]

  3. #48
    Registered User
    Join Date
    Mar 2003
    Location
    Turin, Italy
    Posts
    75

    Re: Serious Concerns About Ovi Store and DRM FL

    Quote Originally Posted by ejohn View Post
    DRM on Ovi Store: follow-ups
    <CUT>
    Over the coming weeks the Ovi Store team will be driving towards an option that should help developers protect their content better, without overly impacting or impeding the consumption flow. The specifics on the solution are still being formulated. You can be sure we will get back to you with more specifics and we'll continue to reach out to folks on this list since it's you--the people making a living selling apps day to day—-that we need to work with towards a solution. In the meantime, please add your thoughts to this thread and the list of requirements above.

    More later - Eric
    Hi Eric,
    after 8 weeks, could you provide any update about the current status?
    Is something moving?
    In the meanwhile, NokiaSoftwareMarket has been definitely closed, but OviStore is still unable to grant the same security level of the good "old" NSM...

    Marco Bellino.
    Last edited by ilsocio; 2009-09-05 at 01:38.
    http://www.guardian-mobile.com/

  4. #49
    Registered User
    Join Date
    Mar 2003
    Location
    Turin, Italy
    Posts
    75

    Re: Serious Concerns About Ovi Store and DRM FL

    Any reply would be appreciated.
    Am I the only publisher still interested to publish apps in OviStore?
    Maybe others have already given up?!?

    Marco.
    http://www.guardian-mobile.com/

  5. #50
    Registered User
    Join Date
    Mar 2003
    Posts
    58

    Re: Serious Concerns About Ovi Store and DRM FL

    To Marco :

    No, you are not the only publisher interested. As far as I am concerned, until a satisfying solution is offered I will only publish free demos of my apps.

    Regards,

  6. #51
    Registered User
    Join Date
    Jan 2006
    Posts
    279

    Re: Serious Concerns About Ovi Store and DRM FL

    Any news?
    The Samsung Seller site has a good solution, I think Ovi can do the same :P
    Last edited by microsoft2; 2009-10-10 at 13:46.

  7. #52
    Registered User
    Join Date
    Nov 2006
    Posts
    270

    Re: Serious Concerns About Ovi Store and DRM FL

    I know that this could be quite OT here but do you know if Sony Ericsson PLayNow has
    the same security issue?

  8. #53
    Super Contributor
    Join Date
    Dec 2005
    Location
    England,UK
    Posts
    1,600

    Re: Serious Concerns About Ovi Store and DRM FL

    Quote Originally Posted by microsoft2 View Post
    Any news?
    The Samsung Seller site has a good solution, I think Ovi can do the same :P
    Hmmmm, Looked at this. The trouble with this is this has weaknesses as well, no I wont go into them here.

    When checking cannot see people here being happy, with the idea.
    Jim

  9. #54
    Registered User
    Join Date
    Nov 2006
    Posts
    270

    Re: Serious Concerns About Ovi Store and DRM FL

    Quote Originally Posted by microsoft2 View Post
    Any news?
    The Samsung Seller site has a good solution, I think Ovi can do the same :P
    what is the Samsung solution?

  10. #55
    Super Contributor
    Join Date
    Dec 2005
    Location
    England,UK
    Posts
    1,600

    Re: Serious Concerns About Ovi Store and DRM FL

    Quote Originally Posted by sblantipodi View Post
    I know that this could be quite OT here but do you know if Sony Ericsson PLayNow has
    the same security issue?
    Sorry to be sarcastic but these are for MIDP JavaMe and they fell apart even the code scanner reads them to source code!, and its not even a good version.

    Basically its the same code as before with different packager.

    No one here will say this is acceptable secure.

    Personally dont think you can secure MIDP as its interpeted code and code scanner will always break into the code

    Jim

  11. #56
    Registered User
    Join Date
    Nov 2006
    Posts
    270

    Re: Serious Concerns About Ovi Store and DRM FL

    Quote Originally Posted by jimgilmour1 View Post
    Sorry to be sarcastic but these are for MIDP JavaMe and they fell apart even the code scanner reads them to source code!, and its not even a good version.
    Basically its the same code as before with different packager.
    No one here will say this is acceptable secure.
    Personally dont think you can secure MIDP as its interpeted code and code scanner will always break into the code
    Jim
    Playnow supports MIDP, Symbian Software, Windows Mobile Software.

  12. #57
    Regular Contributor
    Join Date
    Oct 2007
    Posts
    157

    Exclamation Re: Serious Concerns About Ovi Store and DRM FL

    I asked SE about DRM and forward lock last week. I got a reply today.

    If you use the browser to purchase in PLayNow Arena then there is no DRM-protection for Apps and Games.
    It's a pity but we're not going to risk it. It's simply much too big a deal.

  13. #58
    Registered User
    Join Date
    Nov 2006
    Posts
    270

    Re: Serious Concerns About Ovi Store and DRM FL

    wow... BlackBerry App Store is far smarter, it
    let us generate dynamic keys by interrogating our server.
    hope to see something similar soon also on OVI...

  14. #59
    Registered User
    Join Date
    Mar 2009
    Posts
    1

    Re: Serious Concerns About Ovi Store and DRM FL

    Yepp, BlackBerry App World offers a better solution with the various license key models.
    We are launching our applications on various platforms and see ourselves forced to only offer free apps on the ovi store (and windows market place too - same problems there as on ovi...).
    Paid apps will be for the BlackBerry App World and iTunes (already there). These seem to be the only shops that offer serious solutions for developers.

  15. #60
    Super Contributor
    Join Date
    Dec 2005
    Location
    England,UK
    Posts
    1,600

    Re: Serious Concerns About Ovi Store and DRM FL

    Hi,
    Been following this thread from the beginning.

    My belief is that not sure that this is the answer, after all anyone could call up website to get a key?.

    Here is the BlackBerry (tm) idea

    from http://na.blackberry.com/eng/develop...cense_Flow.pdf

    Dynamic License Flow
    In the Blackberry App World Vendor Portal there is a new tab under an application called "Licensing". From there the developer is able to choose the license type from either "Free", "Paid" or "Try & Buy".
    If the developer does not select free, they will see some additional fields appear. The first field is the "License Key Model", choices are Static, Single, Pool or Dynamic. Static means that there is no license key needed to run the app, for trials there is a checkbox on the release to indicate it is a trial version. Single means there is a single key the developer enters into the portal to unlock the application. Pool means that the developer sends RIM a pool of serial numbers that are handed out one at a time to each customer.
    The last model, Dynamic, means that the App Store server will perform an HTTP connection to the developers website when it is time to generate a license key, the developer website will generate a dynamic license key based on their own pre-determined algorithm, for example based on the device PIN number, phone number or email address.
    1. Vendor uploads an application with a dynamic license model, providing an HTTP URL where this license will be generated
    2. User purchases an application
    3. App Store collects info from end user
    4. App Store server contacts vendor server to obtain License Key
    5. License Key is generated
    6. License Key stored in the App Store server
    7. User downloads the application via the App Store Client
    8. Application is registered based on Key from App Store server
    Details:
    On a purchase request the vendor portal will do an HTTP post to the indicated URL:
    http://www.webpage.com/xxx.php
    The request is as follows:
    POST /pathfromdeveloper HTTP/1.1
    Content-Type: application/www-url-encoded
    Content-Length: 120
    Host: hostfromdeveloper
    PIN=12341234&email=customeremail@email.com&product=product&version=1.2&transactionid=123&test=false
    The vendor portal expects the following response:
    HTTP/1.1 200 OK
    Content-Type: application/www-url-encoded
    Content-Length: 20
    key=ABCDEFGHIJK
    Note that the PIN is passed in hexadecimal format.

    This comes from the BlackBerry (tm) FAQ site http://na.blackberry.com/eng/develop...pworld/faq.jsp


    How are dynamic licenses handled during a device switch?
    When a user re-connects to My World on a new smartphone, all the dynamic serial numbers are automatically regenerated and the new serial numbers are sent to the device.
    Well whats the views on that then?. Just connect a new device and away you go!


    Some people may say this is better then DRM. My view is if this makes you feel safer then fine, but this like most systems can be bypassed.

    I still thinks DRM 2.0 is better, imagine if you needed the generate over 16000 individual licenses in 20 weeks like some apps would have needed.

    IMHO I still think the Ovi client should install the app and need to be logged into the registered account to install the app.

    Jim
    Last edited by jimgilmour1; 2009-10-28 at 18:33.

Similar Threads

  1. How to protect Java MIDlet without DRM FL?
    By forceoflight in forum [Closed] Publishing to Nokia Store
    Replies: 5
    Last Post: 2009-06-10, 10:21
  2. How does the Ovi Store implement Forward Lock (for native S60 apps)?
    By briansmith in forum [Closed] Publishing to Nokia Store
    Replies: 5
    Last Post: 2009-06-10, 05:25
  3. How to protect Java MIDlet without DRM FL?
    By forceoflight in forum Mobile Java Networking & Messaging & Security
    Replies: 6
    Last Post: 2009-05-27, 10:20
  4. ovi store signing/ uploading
    By slimpixi in forum [Closed] Publishing to Nokia Store
    Replies: 1
    Last Post: 2009-04-26, 13:53

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •