Serious Concerns About Ovi Store and DRM FL

[briansmith]

Since my post was deleted, I will just re-iterate the main points:

DRM 1.0 Forward Lock cannot prevent piracy because it requires the client to enforce the DRM. Any client that doesn't implement DRM 1.0 Forward Lock can trivially circumvent it. And, once one person circumvents it, that person can post it somewhere where *everybody* can install it just like they'd install any other SISX they find online.

Most newer Nokia phones (at least, S60 phones) support DRM 1.0 Separate Delivery which may be more secure when the decryption key is delivered over SMS. Intercepting OTA delivery via SMS is something few people are able to do. But, again, once one person does it, they can share it with everybody and anybody. And, E-series devices do not support Separate Delivery for some reason.


Even though every iPhone App Store application is available on the internet stripped of its DRM, users can't install them without jailbreaking their phone. Apple's iPhone DRM works because there is no way to install an app on a non-Jailbroken phone except using the App Store client, and because very few people are willing/able to jailbreak their phones. Because S60 has a much more open mechanism for installing applications, it isn't necessary to crack the firmware to install applications that weren't purchased from the store. In other words, the Apple mechanism requires everybody who wants to install the app to hack their firmware first, whereas the S60 (and Android, BTW) mechanism only requires one person to post an app online and anybody can install it w/ no effort on the end-user's part.

Some people have suggested a "dynamic registration server" system like Handango and RIM's Blackberry App World use. That kind of implementation suffers from exactly the same kinds of problems as OMA DRM 1.0 Forward Lock. It is pretty easy to remove the registration checks from an app and/or disable functions that require non-user-grantable capabilities. It isn't nearly as easy as circumventing OMA DRM 1.0 Forward Lock (which can be 100% automated) but anybody with a dissassembler can do it. The only way to prevent that would be to have the functionality that requires non-user-grantable capabilities as an integral part of the application.

I believe that the Ovi Store will have to operate much like the iTunes Music Store. Everything in the iTunes store is just a few clicks away, for free from multiple websites. iTunes caters to users who value the convenience of the iTunes Store more than they value their money. The Ovi Store will have to do the same. That is, we (publishers) have to target users who are unlikely to hunt around for illegal copies of apps. And, the Ovi Store needs to be more convenient than any other source for content it sells. And, just like the iTunes store, content pricing will have to be low enough to make it seems reasonable for the user to pay for it instead of getting it for free.

[ilsocio]

It is pretty easy to remove the registration checks from an app and/or disable functions that require non-user-grantable capabilities. It isn't nearly as easy as circumventing OMA DRM 1.0 Forward Lock (which can be 100% automated) but anybody with a dissassembler can do it. The only way to prevent that would be to have the functionality that requires non-user-grantable capabilities as an integral part of the application.

Just want to add 2 words, almost all of the existing applications which are protected through registrations checks, are using some kind of validation scheme based on the device IMEI.
These apps needs the ReadDeviceData capability to read the IMEI, which is not user grantable.
So, to install the cracked application, user must obtain a DevCert for the device and sign the installation package.

Marco.

[jas76]

@briansmith

I agree that software can not be 100% proof but what matters is how difficult you make it for hackers and users. Apple executed it very well that user first need to hack the firmware which users not willing to do.

[briansmith]

@ilsocio,

If the only reason the app has ReadDeviceData is to check the IMEI, then the cracker just needs to use a hex editor to disable those checks (usully by changing a single "jump not equal" instruction to a "jump if equal" instruction), remove the capability request, then rebuild the SISX as an unsigned one. It *is* a lot more work but it is doable and has been done.

IMO, there is a very simple long-term solution: disable the ability to install applications that haven't been signed with a publisher ID or equivalent (or at least with Open Signed). Improve the OCRP implementation to be (a) always-on and (b) actually work. Then, in-application registration checks would actually become very effective, and users would have to hack their firmware to install pirated apps. But, this solution would only work for new phones and/or new firmware for existing phones. And, some vocal users would likely complain a lot at the beginning.

[briansmith]

@jas76

I agree that requiring end-users (not just pirates) to hack their firmware is a good deterrent to piracy. However, other aspects of Apple's implementation are not good. In particular, it would be very bad for Nokia to create a mechanism that only the Ovi Store could use for securely downloading & installing applications, like Apple has done with their App Store. We should have a secure but *open* mechanism for secure download & installation. OMA DRM 2.0 for applications, maybe? I don't know if OMA DRM 2.0 is enough yet.

[pmuilu]

It seems to me that this problem is not taken as seriously as it should. I understand that this is probably hard to fix as you would like Ovi Store to work with normal browser. Fair enough. However which I don't understand why you guys don't offer any other mechanisms, e.g. license based distribution like any other store there is. There is a different applications to different target groups, needs are also different and piracy is different in each group. Business with small niche app can be easily destroyed with this kind of hole.

This just makes downloading and installing pirated software too easy, it is not same thing to find a keygen or sign that cracked app. If you go through that pain, you deserve to get it for free. But if you are able to download full official installation file somewhere else and it is even easier and faster than purchasing from store, that is not acceptable. I'm really considering and weighing risks here. If I put my app to Ovi Store, do I lose the business I've elsewhere. I don't think this is what Nokia wants me to think and I can tell that I don't want to think this either.

[Paul.Todd]

Anyway if you are a Symbian Foundation member you can add another level of checking by checking the sis file is not installed with a devcert and if it is fallback to demo mode.

Personally I think ovi should give us the CHOICE to use regcodes or not rather than dictating a solution.

[ilsocio]

Hi Paul,
the DevCert check could be useful only for the cracked sis packages, but it is useless for the softwares distribuited through OviStore, indeed these installation packages are already certified and don't need to be cracked at all.

btw, probably a cracker can remove the DevCert check very easily, after all it's similar to the removal of the registration check.

@brian: you're right, I didn't thought about the removal of the API call.


Marco.

[sblantipodi]

It seems that lot of people here talks about obtaining an IMEI as a problem,
I think that is a problem on JavaME device because there is no standard way to do that
and lot of people requires a signed application to do that.

I preferred a much more standard way. I never seen any midlet who use this method but I
used it and it worked like a charm.
Three step:
1) Listen SMS on port xxx
2) Ask the user to input the phone number
3) Send an SMS to this phone number on port xxx, if the phone number is correct,
you have a confirmed phone number where you can calculate your activation code.

This way you don't need any signature, you have a secure way to protect your apps,
and is the most standard way I can realize without using internet and without
the annoyance of getting phone number/IMEI in a non standard way.

We are spending lot of words, but if Nokia doesn't support dynamic licensing
we can save our words.
I hope that nokia will see and learn from BlackBerry store

[mgroeber9110]

btw, probably a cracker can remove the DevCert check very easily, after all it's similar to the removal of the registration check.

I would put a question mark behind "easily", because how "easy" it is can to some extent be determined by the individual application developer, e.g. by using more or less creative ways of obfuscation that can make at least static analysis with a disassembler to find the right place in the code a nightmare for anyone but the most qualified people (and there is a limited supply of those in the Symbian field).

The example of the Skype protocol seems to show that "obscurity" can go a long way...

However, as long as SIS files prepared for Ovi cannot employ any kind of protection at all, since executables are required to run as-is, any of these discussions are moot.

ciao marcus

[Paul.Todd]

The hope is that someone from Nokia can read and reply that they might consider doing something about this before we all go bust.

[grahamhughes]

Nokia are certainly reading, though I think it is going to take them a little time to have a solution. As you say, no simple problems in Series 60, and Java is at least as awkward.

Graham.

[ejohn]

DRM on Ovi Store: follow-ups
A quick note of thanks to folks here on the FN discussion board for your input and involvement in this topic over the past couple of weeks. We are committed to improving our DRM solutions that balance ease of installation and use with the security and proprietary rights of our publishers on Ovi Store. In conversations with developers, including many on this list, we've been hearing a few common themes:
- most publishers realize that no DRM solution is 100% secure, but that some levels of barriers must be in place to prevent easy sharing of content
- there are several different DRM approaches, each with varying tradeoffs in terms of protection vs impact on consumer experience
- a more robust DRM solution needs to be offered as an option for developers. DRM should be not a requirement for all publishers on Ovi Store
- most developers who feel the need to increase security for their app would be willing to share in the effort by integrating the solution as needed in thier code

At minimum, what’s needed is a level of security and rights management that enables honest consumers to continue to be honest and puts the right hurdles in place, making it difficult for general users to distribute and forward apps freely from device to device (OMA DRM FL 1.0 supports this). The goal is to make the less-than-honest, tech-savvy users think twice before spending considerable time cracking apps that would at the end of the day, cost less to buy than the cost of time spent doing this.

Over the coming weeks the Ovi Store team will be driving towards an option that should help developers protect their content better, without overly impacting or impeding the consumption flow. The specifics on the solution are still being formulated. You can be sure we will get back to you with more specifics and we'll continue to reach out to folks on this list since it's you--the people making a living selling apps day to day—-that we need to work with towards a solution. In the meantime, please add your thoughts to this thread and the list of requirements above.

More later - Eric

[mgroeber9110]

Eric,

thank you very much for confirming that our voice has been heard. Simply not getting any feedback regarding those issues was probably what caused people the most concern. I think everyone understands that Ovi Store is (as everything on the web) a "work in progress". Good to see that progress is being made!

At minimum, what’s needed is a level of security and rights management that enables honest consumers to continue to be honest and puts the right hurdles in place, making it difficult for general users to distribute and forward apps freely from device to device (OMA DRM FL 1.0 supports this). The goal is to make the less-than-honest, tech-savvy users think twice before spending considerable time cracking apps that would at the end of the day, cost less to buy than the cost of time spent doing this.

I would like to put a slightly different twist on this, so that it does not turn into the wrong sort of requirement: you talk about OMA DRM FL 1.0 making it difficult for general users to forward apps freely.

While this is indeed important, the concern that started this thread was more about how easy it is at this point to turn S60 apps (it's good to be specific, rather than just talking about "content") on Ovi into a form that can afterwards be forwarded freely by general users, and how much easier this was compared to earlier solutions such as the Software Market. Perhaps this is then the curse of Openness...

So one stated requirement on a new DRM approach should be in my view that it does not interfere with developer's own attempts to "harden" content over time against stripping it of its DRM.

One possibility that just comes to mind would be a special kind of digital signature on the SIS file (or container?) downloaded from the Ovi store that can be checked by the application at runtime. Yes, it is always possible to remove such checks, but such a feature would allow developers to be creative about ways to make doing so as hard as they like, and perhaps even lead to commercial solutions for helping with this.

Of course, it is an arms race, but it would be easier to fight with only one hand tied behind our backs. ;-)

Thanks for listening.

ciao marcus

[Paul.Todd]

I will second Marcus on this, it is nice to hear from Eric that there is work going on behind the scenes.

Whilst no application will never be made crack proof it can still be made hard enough that it will take longer to get a cracked version and make more people get the licenced version.

My ideal scenario is that OVI tags the sis file with the IMEI of the person who purchased the product so that the IMEI on the sis file can be compared to the IMEI on the device. Of course this requires Foundation API's to read the signature but at least this slows down piracy.