Shottr License Validation

A static-analysis writeup of how Shottr (macOS, bundle id cc.ffitch.shottr) validates licenses. Observations are from the shipped Mach-O at /Applications/Shottr.app/Contents/MacOS/Shottr and the user's preferences plist. Architecture only — no bypass.

TL;DR.

Online verify primary endpoint + Cloudflare Worker fallback.
Local state Keychain (source of truth), plist XOR backup.
Tiered features server returns a tier, app gates premium UI on it.
Restore web-driven, key emailed to purchaser, pasted back into the app.
No third-party SDK no StoreKit / Paddle / Gumroad / FastSpring strings in the binary.

Endpoints

Purpose	URL
Primary verify	`https://shottr.cc/licensing/verify.php`
Fallback verify	`https://shottr-verify-license.blimps.workers.dev`
Restore	`https://shottr.cc/restore.php`
Purchase landing	`https://shottr.cc/purchase.html`
Upload (per-user)	`https://gtfrog…lambda-url.eu-central-1.on.aws/?token=…`
Update manifest	`https://shottr.cc/api/version.json?anticache=…`
Telemetry	`https://tel.shottr.cc/telemetry.php`

The string License checking, first URL failed ( confirms primary-then-fallback. If shottr.cc is down, the Cloudflare Worker still answers, so users do not get locked out of the app due to a single point of failure.

The validation method

Swift symbol: verfiyLicenseOnline(_:type:whenReady:). The misspelling ("verfiy" vs "verify") is baked into the symbol table, so it predates the shipped binary. Called from:

clickActivate: — Preferences > License > Activate button.
clickRestoreLicense: — after pasting a key recovered via the restore page.
restore(json:active:) — handles the JSON response on restore.

Other relevant Swift symbols: PrefLicenseViewController, KeychainSwift, QueueKeychainAccess, mainAppService.

Local state

Keychain — source of truth

License data is stored via a KeychainSwift wrapper under a mainAppService service identifier. Diagnostic strings tell the story:

Failed to save to keychain

MacOS prevented Shottr from retrieving license information from the keychain.

Lost keychain record, but there's a backup (

Preferences plist — XOR backup

File: ~/Library/Preferences/cc.ffitch.shottr.plist. Relevant keys:

kc-license: Base64 over XOR-obfuscated license bytes. XOR key referenced in the binary as backupXorKey.
token: Short opaque token used by the upload feature.
uploadEndpoint: Per-user signed AWS Lambda URL for screenshot uploads.

Architecture: keychain first, plist as fallback if the keychain read is denied (sandbox lockdown, permission UI dismissed, etc.).

The license payload

Server response is JSON. From the binary you can see the shape:

tier field returned (strings: tierL, tierM, psa_tier, Tier not returned).
active boolean — second parameter to restore(json:active:).
Log line License has changed, tier stayed the same implies periodic re-validation that compares server tier against the stored one — useful for forward-rolling new feature gates without a binary update.

There are no Paddle / Gumroad / FastSpring / LemonSqueezy / Stripe strings in the binary. There is no StoreKit / IAP. It is a plain license-key model, vendor-hosted.

Flow: Activation

User pastes a key into tfLicense and clicks btnActivate (PrefLicenseViewController).
verfiyLicenseOnline POSTs the key to shottr.cc/licensing/verify.php.
On non-2xx / timeout / network failure, retries against the Cloudflare Worker shottr-verify-license.blimps.workers.dev.
Response JSON yields {active, tier, …}.
License stored to the Keychain, XOR-obfuscated kc-license backup written to the plist.
Logs License is checked, UI shows Thank you for activating Shottr!, gated features unlock.

Flow: Restore

User clicks Restore → clickRestoreLicense: opens shottr.cc/restore.php in the browser.
Web form takes the purchase email; backend emails the license key.
User pastes the key back into the Preferences pane.
Same verfiyLicenseOnline → restore(json:active:) path as activation.

Flow: Re-check at launch and over time

The app holds enough state in Keychain to self-validate offline at launch. Periodic re-checks reconcile tier changes (License has changed, tier stayed the same) and detect explicit revocations (License was removed, License information lost, Shottr: no valid license provided).

Useful log lines

License checking, first URL failed (

License not provided

Tier not returned

Failed to decrypt

MacOS prevented Shottr from retrieving license information from the keychain.

Lost keychain record, but there's a backup (

License is checked

Design observations

Two-endpoint failover is the right call for an indie app: vendor outage no longer equals mass support spike.
Keychain + plist dual-store survives the keychain UAC denial scenario that bites a lot of macOS apps.
Tier carried server-side, mirrored locally means the vendor can re-tier features without a binary update — they just change what verify.php returns.
No third-party SDK for billing keeps the binary small and avoids licensing/SDK lock-in.
Misspelled symbol (verfiyLicenseOnline) is the kind of cosmetic detail that survives years in a codebase — evidence this binary is built straight from a long-lived Swift source tree, not generated.

Generated from static analysis of Shottr.app (universal Mach-O, x86_64 + arm64). No code was modified, patched, or executed beyond reading the binary's strings and the user's own preferences plist.