Sparkle

Preventing unauthorized downloads

Asked by Flemming Bengtsson

Hi,

I'm writing a commercial application for the Mac app store and I'm considering using Sparkle for pushing updates.
However I'm concerned about security. I don't want non paying users to be able to sniff the download url to get the zip file.
I can't see that theres is anything preventing that? Have you any ideas to block such attempts?

Thank you for a really great product!
Kind regards,
Flemming

Question information

Language:
English Edit question
Status:
Answered
For:
Sparkle Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Andy Matuschak (andymatuschak) said : 		#1

First of all, you should know that your app will be rejected from the Mac app store if it includes Sparkle (it's in the submission guidelines).

Second, it wouldn't be enough to just make the URL of your app's .zip a secret: then as soon as one person posted that URL somewhere, everyone could get a copy!

You'd have to use some kind of certificate or encryption mechanism to control access. In the Mac App Store, there are receipts you can check. See https://developer.apple.com/devcenter/mac/documents/validating.html for more info and https://github.com/AlanQuatermain/mac-app-store-validation-sample for example code.

If you want to work outside the Mac App Store, check out AquaticPrime at http://www.aquaticmac.com/.

Can you help with this problem?

Provide an answer of your own, or ask Flemming Bengtsson for more information if necessary.

To post a message you must log in.