A Little about HackMyApp beta v1.0
I see many great pieces of software come from Xojo developers. Although it is impossible to make a 100% hack-proof application, it is possible to cover many bases so that hackers/crackers have a harder time doing what they do best. I’ve created your very own hacker that is willing to work for you, in your favor. HackMyApp will attempt its hand at decompiling your software (in memory… not to disk) to reveal potential vulnerabilities, deobfuscate data you’ve tried securing, and present you with a list of information you are freely giving away every time you distribute your software.
Why Did I make HackMyApp?
This application was developed to make developers mindful of what they’re giving away freely. Over the past few months I’ve seen a number of forum posts regarding security, and some really troublesome posts of users thinking about embedding credit card numbers in their software (NEVER DO THAT!!!), passwords to their accounts, and other confidential/private information. After I began porting this application (from VB6 -> LiveCode -> Xojo), I became even more troubled to see Xojo veterans of almost 20 years themselves becoming lazy in thinking about what they are actually handing out to the public. Using HackMyApp on over 20 publicly available, well-known Xojo applications, I was abhorred to find MBS Plugin serials, eSellerate credentials and account information, Einhugur serials, as well as some other serious “should be kept secret” data. (I’ve already contacted the authors, and the issues in their software have been rectified for some time now.)
Here is a scan of a well-known developer tool (from a well known developer…whom I’ve contacted privately already) containing a number of issues…
To think that a developer of Xojo for over 15 years never once worried about their MBS Plugin serial or eSellerate account information being public… and a single 10 minute scan later revealed how much was being compromised. Blacked out above, one could find serial keys, account logins, and a number of “secret” items.
Hacking
Hacking can be troublesome for developers who are trying to make a living while keeping data safe and unseen from prying eyes. To a seasoned hacker, anything included in your software before compile time is fully available given the right techniques, patience, and determination. But that doesn’t mean you can’t make a hacker’s progress a real struggle by using even very simple encryption/decryption routines in place of raw strings (EncodeBase64 is an encoding, not encryption, and will not work…).
What is at Risk?
Using HackMyApp, you will notice that every control, class, object, string, image, property and method is visible using the “Advanced Scan” technique. During this scan, your application is torn to shreds using 12 common hacking methods. First your application is searched for ‘plain-sight’ non-binary strings, then searched by a binary-to-hex algorithm to obtain all classes, methods, objects, properties, and controls. Using debugging tools such as OllyDbg, a hacker can modify the raw address points and create cracks that skip over serial number verification, create key generators based on the assembly code, and steal passwords or sensitive data embedded directly in your applications.
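As an added example (not HackMyApp’s or Xojo’s own code), here is the first pass of such a scan written in Python, so a developer can audit their own build artifact before shipping: it pulls every printable run out of a constructed sample “binary”, then decodes any run that is merely Base64, which is why EncodeBase64 in the section above gives no protection. The sample bytes, the serial and the credential are all made up for this example.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Constructed sample "binary": padding bytes around a plain-sight serial and a
# Base64-encoded credential, mimicking the data section of a compiled app.
# Neither value is real; both are made up for this example.
SAMPLE_BINARY = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"MBS-SERIAL-ABCD-1234"
    + b"\x00\x00\xff"
    + base64.b64encode(b"account=demo;pass=hunter2")
    + b"\x00\x7f\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")           # 6+ printable ASCII bytes
B64_SHAPE = re.compile(rb"^[A-Za-z0-9+/]{12,}={0,2}$")    # looks like Base64


def plain_sight_strings(blob: bytes) -> List[str]:
    """First pass: every run of printable ASCII, exactly what a string scan reveals."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def decoded_base64_strings(candidates: List[str]) -> List[Tuple[str, str]]:
    """Second pass: candidates shaped like Base64 that decode to printable text.
    This is why EncodeBase64 gives no protection: the scanner simply decodes it."""
    found = []
    for s in candidates:
        if not B64_SHAPE.match(s.encode("ascii")):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except binascii.Error:
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            found.append((s, raw.decode("ascii")))
    return found


def audit(blob: bytes) -> dict:
    """Run both passes and report what the build is giving away."""
    strings = plain_sight_strings(blob)
    return {"plain": strings, "base64": decoded_base64_strings(strings)}
```

Running audit() over a real build’s bytes lists the plain serial and the decoded credential side by side, which is the report a developer should see before a cracker does.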
Something to Think About
HackMyApp was designed to help Xojo developers realize exactly what they are handing over to the public, before it is too late. When using MBS Plugins or a number of serial-based development plugins and tools, a developer inserts a serial number directly into the Xojo code editor, and rarely thinks of the consequences. Without first encrypting the serial number, and using a decode method in place of the actual serial, you are freely giving away your licensed embedded serials to anyone willing to search for them. In turn, you are stealing money from MonkeyBreadSoftware, risking your license getting terminated, and losing money yourself. HackMyApp will reveal any such security issues, so that you may go back and fix them before distributing your finalized software.
Further Protection Ideas
To protect yourself from hex editors and decompile-recompile hacking techniques, a developer can include an encrypted SQLite database settings file that contains a hashed checksum of the application. When the application first loads, a checksum comparison can be performed against the checksum stored in the encrypted database. If a hacker modifies even a single byte of the compiled application, the checksum changes as well. If the checksums do not match, a message box can tell the user that the software is corrupt: “Please reinstall.” All controls, classes, objects, images, and properties can be modified with ease using the techniques mentioned, and a simple checksum verification could prevent money from leaving your pocket while your software floats around freely cracked on the internet. Executable packers (like UPX) are also a great tool to obfuscate the binary code of the application, reduce its size, and deter a good portion (at least 1/3) of hackers unknowledgeable of packing/unpacking methods.
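An added example (not HackMyApp’s or Xojo’s code) of the startup checksum comparison described above, in Python with a constructed fake executable and an SQLite settings database; encrypting that database is assumed to be handled elsewhere. Because the stored digest and the comparison routine ship alongside the binary, this raises the cost of tampering rather than ruling it out, in line with the post’s own point that anything compiled in is ultimately reachable.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile
from typing import Tuple

def sha256_of_file(path: str) -> str:
    """Hash the file in chunks so a large executable need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def store_expected_digest(db_path: str, digest: str) -> None:
    """Release step: record the shipped binary's digest in the settings database."""
    db = sqlite3.connect(db_path)
    try:
        db.execute("CREATE TABLE IF NOT EXISTS settings (key TEXT PRIMARY KEY, value TEXT)")
        db.execute("INSERT OR REPLACE INTO settings VALUES ('app_sha256', ?)", (digest,))
        db.commit()
    finally:
        db.close()

def verify_integrity(exe_path: str, db_path: str) -> bool:
    """Startup check: recompute the digest and compare it to the stored one."""
    db = sqlite3.connect(db_path)
    try:
        row = db.execute("SELECT value FROM settings WHERE key = 'app_sha256'").fetchone()
    finally:
        db.close()
    if row is None:
        return False  # missing digest: treat as corrupt rather than trusting the binary
    return hmac.compare_digest(sha256_of_file(exe_path), row[0])

def demo() -> Tuple[bool, bool]:
    """Constructed scenario: a fake executable, its settings DB, then a one-byte patch."""
    with tempfile.TemporaryDirectory() as tmp:
        exe, db = os.path.join(tmp, "MyApp.exe"), os.path.join(tmp, "settings.sqlite")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64 + b"JE CheckSerialOK" + b"\x00" * 64)
        store_expected_digest(db, sha256_of_file(exe))
        before = verify_integrity(exe, db)
        with open(exe, "r+b") as f:   # flip one byte, as a hex editor would
            f.seek(66)
            f.write(b"N")
        after = verify_integrity(exe, db)
    return before, after
```

demo() returns (True, False): the untouched binary passes, and the single-byte patch fails the comparison, which is the point at which the “Please reinstall” message would be shown.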
Where Do I Start?
If you are unsure how to implement security checks and ensure the stability and security of your software, speaking with other developers will provide you with deeper insight as well as personal experiences. You may also contact the distributor of your plugins or development tools or contact Xojo, Inc. to obtain access to a referred developer, or receive paid support from Xojo, Inc. directly.
HackMyApp Beta 1.0 (Beta test lasts until June 1st, 2014)
Windows: http://www.xojodevspot.com/demos/hackmyapp/Windows-HackMyApp.zip
Mac: http://www.xojodevspot.com/demos/hackmyapp/MacOSX-HackMyApp.zip
Linux: http://www.xojodevspot.com/demos/hackmyapp/Linux-HackMyApp.zip
I’m sure @Christian Schmidt and a number of developers with compromised tools (and profits) will greatly appreciate this developer tool. Although this application uses a number of reverse engineering techniques, it will not provide source code or help you to hack an application in any means or manner. It does not reverse engineer or decompile the Xojo framework. HackMyApp was specifically designed with the Xojo developer in mind to spread awareness of potential vulnerabilities that may exist in your own software and be exploited. The language translations were generated using my automated locality class and may be (most likely are…) incorrect in a number of places. If anyone would like to correct a locality file (it would be greatly appreciated), please do so and forward it to me so that they can be updated and corrected for future releases. In the next version, when a vulnerability is found, a link will also be given next to the compromised data so that the user can quickly find a fix and explore methods to secure such data appropriately.