The Cracking of Bombora

As a supposedly responsible iPhone developer, and with the goal of picking up ‘app chatter,’ I keep a saved search for Bombora in my Twitter client (the excellent Tweetie) on my phone. I’m always excited to see a new result for Bombora pop up, although sometimes it’s Bombora Vodka or The Bomboras (surf band) that are the topic of discussion, and not our useful surf and ocean forecasting app. Occasionally, it’s an iPhone app site that has recently found Bombora or updated their listing, and tweeted about it.

So naturally, when I caught a tweet that looked like such (edit: link and username removed) I was eager to see what new site this Twitter user was pointing to … Until I found myself at Appulous. Sure enough, there in the directory, was the app that my business partner and I had invested *hundreds* of hours of hard work in – cracked and available free outside the iTunes App Store. “Maybe nobody’s noticed,” I delusionally thought to myself, as I quickly logged into our Pinch Analytics account.

Bombora had been posted to Appulous on Thursday, April 30th, and Pinch Analytics was showing new unique users at 5x our average daily count for new uniques, starting on that very Thursday. Something was definitely amiss.

“Maybe we got some free marketing I don’t know about” I thought optimistically, as I logged into iTunes Connect to check our sales data. Unfortunately, my hopes were quickly dashed: our sales remained at or below our previous average daily sales. For every user that was buying Bombora through the proper channels, there were now five or six users getting it for free. Although it’s somewhat flattering to be cracked (somebody wanted Bombora bad enough to crack it) we are hardly jumping up and down with joy.

Over the last five days, this trend has continued… and our sales have declined. We don’t have a lot of data right now, given that this *just* happened last week, but our daily average sales have decreased by 30-40% in the last three days. Other influences, like placement on the Recently Released page for our category (Weather) surely have an effect on app sales, but the appearance of cracked Bombora seems to be more than a conspicuously unfortunate coincidence.

Fully 30% of our total user-base have “stolen” Bombora, which is priced at $9.99, and are now continually “stealing” our server utilization, for which we pay a monthly fee (Slicehost – good stuff.) It’s not just the development costs – tens of thousands of dollars in labor – but the cost of providing ongoing support that we are being deprived of. We think $9.99 is a pretty good deal for Bombora when you consider how much data we’re providing easy access to. The iPhone costs $200-$300, with a minimum $70/month service plan, yet people still complain about a $9.99 app. But I digress – the app store ecosystem is another post entirely.

Of course, an illegal download is not the same as a lost sale – we’re not the first app to be cracked and we won’t be the last. Other developers have written about the problem and even devised some unique approaches. We will be taking some steps ourselves to prevent this from happening to future versions – Bombora calls home to our servers for data, and without data, the app is pretty worthless, so we’re fortunate to have this optional barrier built-in. That gives us the choice, as ugly as it may be, to change the server process to respond only to particular versions of Bombora, forcing an upgrade. Do we want to do that? Absolutely not. Will we? Probably not.

Both my business partner and I have full-time day jobs, and work on Bombora in our spare time. So now, instead of just working on making the app better (which we’re constantly doing anyways, because it’s fun, and because we want to make money!) we have to invest time and effort into devising a method to protect our intellectual property. What a pain-in-the-ass.

Who do we blame? Apple? Somali Pirates? Having known the ‘net intimately for some time now, and being a couple of sharp cookies, we recognize the futility of pursuing action by legal means, or trying to have a server taken down only to have three more mirrors appear. It’s not like we want to willingly shoulder the burden of extensive legal costs to detract from our already diminishing sales revenue… So where does that leave us?

We will continue to be bummed that people are stealing our app. We will add some form of minimal copyright protection to our client-server communication process to try and protect future editions. We will hope that Apple takes some steps to remedy what appears to be a significant problem.

Most importantly, we’re going to continue to try and make the best app we can – there are plans to add some really cool features to Bombora and I would hate to be distracted from achieving that excellence.

  • AnonymousCoward

    I was actually in with the group of guys that make these cracking programs back when the appstore first came out. I can't apologize for them, and I haven't talked to those guys in over a year. The host/developer of appulous is kyek, you might want to do some searching (on the forums they have) and get in touch with him. I think their site is hosted in Russia or the Netherlands now tho, so I don't know what you could legally do.

    I hate to see indie devs losing their sales over this. Are you guys still going to be developing more apps for the iphone?

    By the way, all the “cracking” does is decrypt a certain part of the program. It involves running GDB (the GNU Debugger) while the program is running in memory on the account that made the purchase to do it.

    Are you guys sandboxed or is it possible to poke around the file structure and perhaps make the program not run on jailbroken iphones? Say, for instance, if the cracked games installer (not going to drop any names here) is located in the /Applications folder, throw up an error.

    I'm sure there is some way you guys can get around the piracy of your app, whether or not it complies with the appstore terms is another question.

    Apple really needs to get it together and start protecting their developers.

    • Kerry (http://www.bomborasurf.com)

      AC,

      I think you're on the right track – there isn't much we *can* do, legally – lawyers are expensive, time is expensive, and the international variables make it even more complicated. The potential for futility is overwhelming.

      I definitely feel that we've lost sales – it's my belief that at least some of Bombora's target market are those with the aptitude to jailbreak. So it goes.

      We're trying some new stuff, like the sale running until the release of our next major update (which will have some fun anti-piracy measures of our own,) so hopefully that will produce some results – or at least, some more fodder for the discussion.

      “Apple really needs to get it together and start protecting their developers.”

      I couldn't agree more.

      Kerry

    • Dave

      Blocking jailbroken devices isn't really a good idea. Also, device IDs may not exactly correlate to the number of purchases because some people (like me) have multiple devices assigned to a single account. Probably better to do the Info.plist check and use that for statistics / crack checking.

  • dm

    I understand that in order to run cracked apps, the security subsystems in the iPhone need to be disabled, i.e. the app needs to be tagged as “part of the OS” and have elevated privileges.

    I wonder if it would be considered ethical to have your app contact iTunes and purchase itself?

  • anon

    THANKS FOR THE GREAT LINK TO THE APP SITE!

    • Kerry (http://www.bomborasurf.com)

      Thanks for the heads up – appreciate it!

      It's fixed now – I could tell that you didn't want us to promote them anymore, right?

  • saurik

    Won't they just then crack the newer version of your program? I don't see how forcing an upgrade and requiring people to use that version will actually manage to stop this from happening.

    The stupid part about all of this is that if Apple were to just provide you access to a customer list for your own product you would not be in this position. The idea that you have to provide both support and server resources to /anyone/ who claims they own your application is ludicrous. :(

    (For the record, products sold via Cydia do have this ability, in addition to being able to give people discounts on purchases if they own other products and other “must haves” that result when you have serious business concerns at work.)

    – Jay Freeman (saurik)

    • Hunter (http://twitter.com/Hunter)

      I'm one of the guys that works on Bombora.

      Jay – I believe that nothing we could do would ever really stop these people. At the same time, if the bar for piracy is raised slightly, it might not encourage such a high level of casual cracking.

      Maybe I'm wrong – we'll see. We're certainly not going to expend a ton of resources on it. I'd rather spend time working on real features.

      I love the App Store but there's no doubt it has a lot of problems / deficiencies that I hope Apple will fix over time.

      -Hunter