Sign in to follow this  
VVoltz

Question on how to protect a MIDP1.0 Midlet...

Recommended Posts

My team an I are developing a game for a Service Company and we want to protect our game so no body can copy it from their phones, is there a way to do it? Any ideas are welcomed. [Edited by - VVoltz on November 23, 2004 10:57:53 AM]

Share this post


Link to post
Share on other sites
I had a think about this a while ago. My conclusion was:

- In general, you can't
- But you can dissuade people a little.

This is what I think might be a good idea:

- each copy of the MIDlet bought contains a unique code (product key)
- The Midlet, upon starting, checks the RMS store for a matching key to go with its built in key.
- If it's not found, or not valid, it prompts the user to go online to fetch one
- It speaks to a server, via HTTP, giving its product key to receive a matching key back, which it then stores in RMS
- The HTTP server stores the fact that the key has been used to register the game
- If the same game is registered more than one or two times, you can disable the key - rendering it useless for future registrations.
- The game won't play if it cannot register and has no valid key.

The only snag with this problem is
- If the RMS is copied with the game, the game will continue to work
- There is (on most vendors) no way to determine the device's serial number, so you can't make the RMS data nodelocked

Mitigating options:
- Make the RMS phone model specific - although the chances are, it can only be copied to other phones of the same model (or similar) anyway, because RMS is stored in a vendor-specific fashion on the device

There are some tools I've seen for Nokia which can literally just copy anything out of or into the device's filesystem - which includes the MIDlet itself and also its RMS data.

There is nothing you can do about this, unless there is a way of detecting the device's serial number.

---

Extra problem: There is nothing stopping someone reverse engineering and modifying the MIDlet. Midlets are not, and cannot be signed or verified at runtime by any means (You cannot read class files from the JAR to check for modifications, or anything)

Of course MIDlets are obfuscated, but this only makes it harder to reverse engineer, not impossible.

So don't try too hard, it's simply not worth it.

Mark

Share this post


Link to post
Share on other sites
Quote:

Extra problem: There is nothing stopping someone reverse engineering and modifying the MIDlet. Midlets are not, and cannot be signed or verified at runtime by any means (You cannot read class files from the JAR to check for modifications, or anything)

Actually you can read the class files from the jar AFAIK, but it would still be a futile effort because if someone has managed to reverse-engineer your MIDlet, he can modify the verifying code too.

shmoove

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this