
"Raindog" wrote
Phil Endecott wrote:
Sid Sacek wrote:
Does boost have any compile-time classes for string encryption? Is it even possible?
// XOR each character with a fixed key at compile time
#define C(x) ((x)^0x42)
const char secret[] = {C('s'), C('e'), C('c'), C('r'), C('e'), C('t')};
Maybe variadic templates would let you write that as obfus_string<'s','e','c','r','e','t'> - but watch out for that putting a less-obfuscated version in the symbol table.
(Not writing iPhone apps are you? Many apps now check if they are legitimate copies with something like: if (some_api_fn()=="signed_by_apple") - the cracker only needs to corrupt that string in the app to defeat the check.)
No offense Phil, but the method of string encryption you chose will last no more than the 15 minutes it takes a hacker to write a script to automatically decrypt every string encrypted with the algorithm you chose and any other method based on DecryptString(encrypted_string_here).
There is an app for cracked iPhones that lets the attacker crack other apps in "one click". A user of this app needs less skill to crack apps than it takes to make a phone call.

You wrote in another message that "anyone unable to bypass the methods suggested would be unable to bypass a plain text target". I do not agree. An app that implements any trivial form of defense against this one cracking app will be safe from 99% of the crackers. Obfuscating the string test in the trivial defense will make it safe from the 99% of the rest and from the "next version" of the cracking app. The decision as to whether to expend the effort (or spend the money) to try to defend against the determined 0.001% who are left is up to the developer.

Phil.
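An added example, not code from any poster in this thread and not a Boost facility: the same fixed-key XOR done with a C++14 `constexpr` constructor, so the literal is passed as a function argument and only the array length and key appear in the mangled type name. The names `ObfuscatedString`, `obfuscate`, `kSecret` and `stored_contains` are hypothetical; the key 0x42 and the string "secret" are the ones from the macro above.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Hypothetical helper: holds N bytes (including the NUL) XORed with Key.
template <std::size_t N, unsigned char Key>
class ObfuscatedString {
public:
    // Evaluated at compile time when initialising a constexpr object,
    // so only the XORed bytes are emitted as this object's data.
    constexpr explicit ObfuscatedString(const char (&plain)[N]) : data_{} {
        for (std::size_t i = 0; i < N; ++i)
            data_[i] = static_cast<char>(plain[i] ^ Key);
    }

    // Runtime decode; the clear text exists only in the returned string.
    std::string reveal() const {
        std::string out(N - 1, '\0');  // drop the terminating NUL
        for (std::size_t i = 0; i + 1 < N; ++i)
            out[i] = static_cast<char>(data_[i] ^ Key);
        return out;
    }

    constexpr const char* stored() const { return data_; }
    constexpr std::size_t size() const { return N; }

private:
    char data_[N];
};

// Key is given explicitly; N is deduced from the literal.
template <unsigned char Key, std::size_t N>
constexpr ObfuscatedString<N, Key> obfuscate(const char (&plain)[N]) {
    return ObfuscatedString<N, Key>(plain);
}

constexpr auto kSecret = obfuscate<0x42>("secret");

// True if the clear text appears anywhere in the stored (XORed) bytes.
bool stored_contains(const char* needle) {
    const std::size_t n = std::strlen(needle);
    for (std::size_t i = 0; i + n <= kSecret.size(); ++i)
        if (std::memcmp(kSecret.stored() + i, needle, n) == 0) return true;
    return false;
}
```

The stored bytes are still a single-key XOR, so this has the same reversibility discussed in the replies above; it only keeps the clear text out of a plain string scan.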