• by hlandau on 7/12/2022, 3:23:42 PM

    If there's sufficient determination, people will just write replacement backends.

    This is a real phenomenon. As I recall some years ago Ubisoft tried to come out with a (single-player) video game which couldn't be played offline, and which was dependent on an online server as an anti-piracy tactic. I believe this game was still pirated using some kind of fake server.

    It's also interesting how common it is for people to create replacement servers for popular MMOs, given the extent of the reverse engineering that this requires, using custom non-HTTP protocols which are much harder to reverse. MMOs should be "unpirateable" yet unofficial open source server reimplementations are a real thing.

  • by jobs_throwaway on 7/12/2022, 7:59:27 PM

    > My significant win is that I’ve never personally found a need/desire to pirate something

    Personally, I wouldn't count this as a win, more of a lack of curiosity/failure to be adventurous enough to be in a situation where piracy is advantageous

  • by bambax on 7/12/2022, 5:02:58 PM

    > adblockers will exist for as long as Google deems them unproblematic (...) the existence of such piracy is heavily dependent on the providing body, and as such, are existent by benevolence

    Mmm, what? Adblockers aren't piracy.

  • by dusted on 7/12/2022, 3:39:42 PM

    > There will never be a true way to "pirate a backend"

    Get access to one of the machines hosting the backend and download it..

    I guess, an even more true way would be to don the wooden leg, cannons and drive up to a data center fueled primarily by rum and old-time maritime jargon xD

  • by mumphster on 7/12/2022, 4:06:25 PM

    People have pirated MMO backends since.. well a long time, mainly KMMO servers. Lineage 2 and Ragnarok Online had big servers running on leaked / hacked official server code for a really long time before emulators became more practical to update with more recent game content.

  • by api on 7/12/2022, 3:47:35 PM

    I think this is the most fundamental driver of everything going to cloud. The cloud is DRM, and it's the only kind of DRM that really works.

    It also lets companies play both sides by releasing clients open source but keeping the real value back in the cloud. They can be considered "FOSS" while at the same time being even more closed than closed-source software.

    You could say the industry has found a way to comply with the letter of FOSS licenses while avoiding the spirit, namely the idea of empowering the user.

  • by Teknoman117 on 7/12/2022, 5:55:51 PM

    It's not piracy per se, but the practice of reverse engineering a backend to a paid service, whether that's real logic or just a licensing server, has existed for a long time.

    I remember friends running World of Warcraft private servers back in '08 and '09. Heck, we even hosted one as a class project in high school.

    World of Warcraft Classic exists partially due to the number of fans who ran private servers as a way to properly experience previous versions of the game as current expansions have you steamroll through older content.

  • by solarkraft on 7/12/2022, 8:36:03 PM

    I need to pirate a backend, but I don't know the API.

    A fitness tracker I have (Jawbone Up Move) is coupled with an app, which is coupled with an online service, which has been dead since 2017.

    Are there any tips, tricks or resources regarding this? Best I can currently do is `mitmdump --set connection_strategy=lazy` (the last part is important so it doesn't try to connect to the original server and throw a weird error), but I don't know what the app wants as a response to its login request.

    A look at the decompiled code doesn't immediately reveal much. Are there any common patterns for this type of stuff?

  • by creshal on 7/12/2022, 3:54:38 PM

    Reverse engineering APIs tends to be surprisingly trivial, even for binary or otherwise non-standard protocols. The content served by them is the only real challenge.

  • by Kiro on 7/12/2022, 6:05:14 PM

    I've always wondered how for example private WoW servers work. Do they replicate the whole backend based on observations of how the actual game works and the network requests being made? How is that even possible without knowing all the quirks and other indirect behaviors you have no visibility of? E.g. when the server game loop ticks a thousand things happen that are not transmitted to the clients.

  • by randomdata on 7/12/2022, 4:52:19 PM

    I would. In fact, I learned to program because a misconfigured web server once spit out its source code and I was able to learn from it.

  • by londons_explore on 7/12/2022, 6:10:03 PM

    I disagree.

    As web apps and web services get more and more e2e encryption and strong privacy, the backends become dumber and dumber. If the backend can't see the data it's working with, it can't have much business logic in - instead the backend ends up looking much like a dumb storage service or message queue. Some companies will just make their app talk direct to S3/pubsub rather than run their own application servers.

    At that point, some 'hacker' can download the APK or the javascript bundle of the frontend, and simply put up a replacement backend that does the same storage service.

    Well done, you now have a 'pirate' web service.

  • by kazinator on 7/12/2022, 8:41:52 PM

    > There will never be a true way to "pirate a backend"

    The original way to pirate is to bring your vessel in close proximity and then jump aboard the target vessel and have your way with it.

    Something like that could be done with a back end.

  • by Havoc on 7/12/2022, 4:19:28 PM

    And then players like Ubisoft go “we’ve decided to shut down the servers”

  • by martinhm on 7/12/2022, 3:55:55 PM

    I guess unofficial APIs through reverse engineering are the closest you can get to what the article proposes. But, as other comments point to, data is still data and access to it is highly restricted, or is vast enough to not make it worthwhile (imagine downloading Google's backend).

  • by dvngnt_ on 7/12/2022, 8:33:57 PM

    A real-life example of this for web dev is cypress.io, which offers parallel testing and access to a dashboard of test runs.

    Then https://sorry-cypress.dev/ came, which is a self-hosted version for free. Then came a commercial offering that directly competes with cypress' official version.

  • by madrox on 7/12/2022, 5:07:42 PM

    I'm weirdly cheerful about being able to report that this isn't true. Backends do get pirated with sufficient motivation...mostly in games. MMOs spring to mind, but lots of games with online multiplayer get this treatment. Some of it is piracy, but some of it is because the developer is no longer supporting it, so the community stepped in with emulation.

  • by superb-owl on 7/12/2022, 3:07:37 PM

    There's actually a really interesting question here - could it be possible to "pirate" a backend with sufficiently clever AI?

    At the end of the day, you're just trying to model a black-box function, mapping inputs to outputs. And most of that is CRUD with some basic access control on top. There are definitely complications (e.g. 3rd party integrations, a properly designed/named database schema), but you might be able to get 80% of the way there in an automated way...

  • by quickthrower2 on 7/12/2022, 3:55:39 PM

    Hmmm… Can I get free BMW seat warming this way?

  • by mrits on 7/12/2022, 3:39:27 PM

    I spent years playing WoW on a pirated backend.

  • by nekitamo on 7/12/2022, 11:22:54 PM

    Just as a backend is not a desktop application, so too will "backend piracy" differ from desktop app piracy. You can't think of them in the same terms.

    Whereas a crack of a desktop app will allow users to "misuse" the app (by circumventing the license protection or other limitations), a backend can be "cracked" through scraping, botting, or creating alternative clients.

    If a backend somehow limits your access to content, a skilled user can scrape that content and make it available through their own alternative backend.

    If a backend somehow limits functionality, you can reverse engineer their API and build an alternative client which interacts with the API in a way not intended by its creators, and misuses it.

    If a backend rate limits access to it, you can write bots to interact with the backend through multiple proxies and alt-accounts, thereby circumventing the rate limits.

    I'm not advocating for any of the above techniques, any more than I advocate for cracking and software piracy. I just want to offer them as examples of how backends are not magically immune to tampering and misuse.

  • by woojoo666 on 7/12/2022, 9:33:16 PM

    It seems like the popular sentiment here is that not only will client-side programs continue to be crackable, but even server backends too.

    I posit the opposite. In the future, it will be impossible (in many cases) to crack even client-side applications. Reverse engineering and de-obfuscation are a cat and mouse game. However it's been proven that it's possible to obfuscate a program such that it's effectively impossible to deobfuscate. This is called indistinguishable obfuscation [1]. Basically like encrypting a program. And even though current implementations are impractical, I'm sure it will get better.

    [1]: https://en.m.wikipedia.org/wiki/Indistinguishability_obfusca...

  • by slackfan on 7/12/2022, 10:42:51 PM

    1. Hell yes I would. (Still waiting for my downloadable car.)

    2. There is an easy way to pirate backends, you just do some network capture and figure out what the SYN ACK messages between your client and API are.

    3. There's plenty of instances of pirated web-based games. (KanKolle comes to mind).

  • by kragen on 7/12/2022, 6:04:04 PM

    I wrote an essay about this problem in the 01990s: https://www.gnu.org/philosophy/kragen-software.html

  • by sexy_panda on 7/13/2022, 12:57:12 PM

    I mean you could still intercept and index API requests and generate backend code.

    While this has nothing to do with pirating directly, it would still allow one to replicate the backend (without business logic).

  • by rektide on 7/12/2022, 4:38:15 PM

    Put another way, the mainframeization of computing is nearly inescapable. We no longer have personal computing, even when we run our apps & game clients locally.

  • by stack_framer on 7/12/2022, 6:43:59 PM

    Part of the problem is that ordinary users have no clue just how much the app actually costs to develop and maintain. And how could they?

    I worked on Socrative for several years (similar to Quizlet), and we had backlash when we introduced a "Pro" version with paid features. All existing free features, which had been developed over several years, could still be used for free—it was only new features that would be behind the paywall. Many users lamented all over social media that Socrative was no longer "free." But it had never been free—it had been losing over $1m per year!

  • by seejayseesjays on 7/12/2022, 2:54:59 PM

    I realize postwrite that there must be some exploits to some client-side frontends that enable fully-featured capabilities, and that in a lot of cases it would probably take significant effort to lock such features down from the server.

    But really, where would that be in the world?

  • by blablablerg on 7/12/2022, 4:50:13 PM

    Slightly OT, but it is a travesty that Quizlet (previously Slader) has gone behind a paywall. Slader had a lot of community generated solutions to textbook problems. Users gave them the content for free, and they monetized it, kept only verified answers and dumped the (unverified) solutions and feedback.

  • by x3n0ph3n3 on 7/12/2022, 9:04:29 PM

    localstack is the closest thing I could think of to pirating a backend:

    https://localstack.cloud/

  • by YuriNiyazov on 7/12/2022, 6:27:57 PM

    Scihub is a pretty good counterexample to this theory.

  • by mrkramer on 7/12/2022, 10:50:10 PM

    That's why Microsoft moved Office to the cloud.

    Edit: Didn't know that Adobe didn't move its portfolio to the cloud yet. I thought Adobe Creative Cloud is all about that plus subscription model. My bad.