Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I've made a program that I need to license before selling it to customers. Since I'm not sure, that it will gain me at least the cost of commercial licensing software, I would not like to buy one.
So I'm looking for advice on how to implement licensing feature with following logic:
All license keys are validated on server side each time application starts (no licensing info is stored at userside except the license number).
There is only one application running with one license key at the same time.
What I do not know is how to protect my program from simple decompiling/disassembling and just removing a call to check license? Or making own server that will make a response true on each license? How does such security normally made?
I've searched for free SDKs or something like that, but could not find anything.
I'll be very thankful for your help!
P.S: I do not aspire to make the system "indestructible", but I would like to receive the protection that is more expensive to crack than paying $5.10 for a copy of the program.
P.P.S: Sorry for my bad english.
What I do not know is how to protect my program from simple
decompiling/disassembling and just removing a call to check license?
Or making own server that will make a response true on each license?
How does such security normally made?
You are confusing licensing and obfuscation. To prevent the above, you will need to obfuscate your exes and dlls using an obfuscator.
Since I'm not sure, that it will gain me at least the cost of
commercial licensing software, I would not like to buy one.
IMHO you are much better off focusing and spending time on your actual software than in developing a licensing scheme from scratch (re-inventing the wheel as they say).
If you do open up to paid solutions, take a look at CryptoLicensing (for licensing and copy-protection) and Crypto Obfuscator (for obfuscation and code-protection).
DISCLAIMER: I work for LogicNP Software, the developer of above mentioned products.
(Sorry can't comment on other people's posts???)
It depends on what your application is doing.
I'm currently faced with the same problem as you. I'm going for a log in system, simply fetch and compare to what's in the database. If not present do not launch app. Not that I need more, the application relies on my database and without it it is useless.
Then they can spend a couple of hours figuring out what my database looks like based on what they see on queries or practically rewriting my entire product. I'm going to spend little on in app security. The only protection I wish to have is not to show my server's data.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 years ago.
Improve this question
I'm writing a C# Windows Forms application and will have Trial and Full versions. For the Trial version, I would like to provide the end users daily usage credits (i.e. 3 credits to use particular functions in the app per day)
I have seen numerous articles and discussions to prevent system date tampering, but all of them I've seen were for providing Trial periods; against altering the system date to a previous date. Here are some:
https://www.codeproject.com/Articles/1101956/Check-for-Clock-Tampering-to-Extend-Licence-Durati
https://stackoverflow.com/a/16530146/3350921
But in my case, I have opposite business case. If the user tampers system date by fast forwarding to a future day, then might easily gain usage credits just by changing the date. And obviously, I don't want this.
Would you have any recommendations as a rule of thumb how to check date tampering in a C# Winforms app, not only for backwards but also in forwards direction?
Ps. I need to achieve this completely offline. NTP or an external API call would be a good solution, but this app will probably be used mostly in offline clients.
Ps2. I was thinking to check "last modified time" property of a particular system file of Windows OS. For example, if there's such a Windows system file that gets its "last modified time" updated each time Windows is reboot, then I feel like I can recognize the system date fast forward. Any thoughts with this?
Many of the comments say that managing it locally is not fool-proof, by that analogy so is any software that is developed however I have to admit that things are not so easy when you're sandboxed to a local pc that user has complete control over.
The question here is how many layers are you willing to add to make it difficult to break. And what's the software's tolerance to environment modifications, which comes with cost of UX. With many layers of security and least tolerance.
With that you have hardened it pretty well.
Some of the Security layers I can think of :
Encrypting the timer logic in a Registry hive as Binary value.
Look for events in the event viewer for any specific change that you suspect relates to tampering of a system property. (Changes to system date can be caught here)
Implementing a service that auto starts (If you want to monitor something)
Watch out for decompilers and terminate license, invoke auto-delete if necessary
MacAddress of known PC's that have been suspected to breach the software (this can be stored and sent back to the remote server when internet connection is next established)
You can set the tolerance level which is how your app responds to suspected manipulations.
Example: If you suspect that there was an attempt to stop your service or manipulate/delete registry, you can either warn or terminate license or what ever counter measure you want to perform.
Disclaimer : Some of it can be intrusive, that's the trade off you have to sacrifice
P.S:
I'm sure there are more ways of hardening it, what are your thoughts
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
As we are going to developing some public API for other applications to integrate with, someone suggests that we should delay the security stuff until the methods of the API have been done, so the third party application will have something to work with! Is it a good approach to resolve the issue, or should we put security in place and then develop the API itself?
EDIT:
The issue here is the cost.Let's say that if you have it in the first place, I think that you won't have to revisit the APIs to make changes due to security stuff, especially with the third party application, which is maintained by another team.
If we delay it until everything has been done and integrated, then the other team has to modify and change code as well.
So from your experience, what will cost less?
You should have the design complete from the start, including security. Changing the design later will cost much more. Implementation may well be either delayed or incomplete at first.
If you don't e.g. know the granularity of access rights you will have to do a lot of redesign when you later find out that it must go beyond table access or beyond SIDU and in fact work a row level..
Putting in dummy functions and working out the details of how to implement the real thing later is more or less free but to do that you first need to know what the customer needs and plan for it!
It depends on...
The overall risk as it relates to the security for your API. We talking banking/life-and-death or cat pics? The more risk, the more I'd want to address that upfront.
The general level of skill and experience of your team. Folks with more experience are less likely to paint themselves into a corner.
Applicable experience securing an API. If it's everyone's first go at this, I'd at least do detailed planning upfront.
I'm all for kicking the can on security, secure authentication, ACLs, etc. when possible. But don't just say, "Let's do it later" without getting a good handle on the risk that decision might incur. In all likelihood those discussions will yield a viable path forward should you have to start to implement the security concerns sooner than planned.
Security is a CROSSCUTTING concern, which means, it penetrates(and should) every level of the architecture. Why not use Basic Auth and share the key with your third party app developers instead?
Security must always be a concern. It won't help delaying if your APIs are flawless and your security system is flawed.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
I release a bunch of tools for free, but recently I have began to sell an application, that has private research, and people have been able to get my source code, and one person publically released my entire source. I spent a lot of time on this program, just to have someone crack it, and release my entire source.
How can I go about protecting my program? I have tried HWID, but people are still able to crack it. I know I am limited by C#, but it the most convenient to use. I just need a way to protect my programs from people trying to do this.
You could have a look at the many obfuscation tools that are out there, for example these:
http://gapotchenko.com/eazfuscator.net
http://orangeheap.blogspot.nl
http://confuser.codeplex.com (succeeded by https://yck1509.github.io/ConfuserEx/ and then again by https://github.com/XenocodeRCE/neo-ConfuserEx)
http://ntoolbox.com)
Well, the problem with languages like C#/Java is that they are generally much easier to de-obfuscate. The way to secure this is generally to put this stuff into a webservice, but you said you couldn't really do that. What about porting specific non-trivial functions over to a language like C, and obfuscate that. Your C# program could then use reflection to make calls to this external/unmanaged dll. It would increase the difficulty for de-obfuscating, but the problem is that if someone wants it bad enough, they can figure it out as it is client-side.
It may be that legal action is the only real solution here, but this is not a site for legal advice, and I am not qualified to give it if it were.
Additionally, this could be a business decision. Consider Making your software open-source and post a donation link. I am also not qualified to give business advice, but this is worth considering. It may actually increase your revenue, not to mention the other benefits that come with releasing open-source software.
There's Dotfuscator (http://www.preemptive.com/products/dotfuscator/overview). But the best solution in some cases is to offer what you do as a web site (Software as a Service).
Consider this tool for example to convert VB to C#: http://converter.telerik.com/
Or this tool to format JSON: http://jsonformatter.curiousconcept.com/
This may or may not work for you. I don't know what the nature of the software you're trying to protect is.
No, your code needs to contain the information needed to decrypt itself, its an impossible problem to solve.
Your best solution is to put your intellectual property on a server in the cloud that only you have access to. Give your customers a unique login, audit their access to check for abuse, off load as much grunt work onto your customers machines, but keep your algorithms locked into the cloud.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I've developed a piece of software n C#.
And I already implemented a way for customers to upgrade the software using a single license key.
The single license keys are (32 chars) calculated based on some hardware stuff which isn't likely to change (a lot).
This all works pretty good.
However now I want to implement a enterprise license.
Basically I want the customer to be able to license the software on different (unlimited) machines with only one key (so I cannot use the hardware checks for this).
What would be an approach for this?
There are some things I can think of:
Hardcode 1 license key in the software which always works
Build custom programs for enterprises on request with their hardcoded license key in it (not really something I would like to do)
Make some function / algo / something that will check if a entered license key is valid (and still be able to use different keys per enterprise also 32 chars long).
The last option will be preferred I think.
However I cannot come up with a way to check if the entered license is a valid enterprise license.
PS
I am not looking for a way to completely stop piracy of my application, just a simple way to implement an enterprise license.
In my experience, you should go for the solution that results in the least amount of friction for your paying customers.
People will either pay for your software or not, and as long as you have some kind of mechanism to validate licenses, it really doesn't matter how strong it is. There is not a single piece of software that I can think of for which you can't find working pirated copies, which to a large extent makes all efforts in this direction wasted.
One of the things that bother me the most is when the pirated copy is better than the paid-for version. As an example, the virtual CD/DVD software Daemon Tools is protected by a mechanism that sounds somewhat similar to yours. It generates a machine and software-version specific key and is generally a hassle to use legally. I own a 5-PC license and if I want to update it, I have to go and revoke the old-version licenses, issue a new one and re-register the updated software. Repeat for every installation. I've often considered just using a cracked version as it provides a much simpler upgrade path, which basically just involves installing the software.
I realize that you have probably considered all this and may be of a different opinion, but your guiding principle should be to make the paid-for experience beat the pirated one.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
First of all, I understand that almost all applications can be cracked (especially written in C#). My question here is to make it a little bit harder to crack.
Suppose that the user has saved the License file under the Application.StartupPath, where all users can read.
And then, every time when the application starts, it will check if it can find and verify the license file.
If the application can find and verify, we let the user to continue with full functionalities.
If not, we prompt a MessageBox showing "Unlicensed, continue to use with trial version, functionalities limited."
My question is, if I'm a hacker/cracker, I would try to get around or bypass the licensing check instead of cracking the license file, because, if we use RSA signature, it's very difficult to crack a license file.
So where should we put the license check?
P.S.: and also, is it safe if I put a global variable IsLicensed (true / false) to limit the functionalities? Is it easy for a hacker to change IsLicensed = true?
The #1 law of software licensing: You don't control your software once you allow it to be installed on a computer you don't control.
If you want to keep control over your code, you need to make it a web service and give the end user just a thin client that interfaces to that web service.
In many scenarios, this is unacceptable, because users want to be able to use their software even when they don't have an internet connection.
In almost all cases, you should focus on making the user experience better, and all forms of copy protection make it worse instead. Once you get to the point where the experience of downloading from a warez site and running it through several virus scans is better than doing the license setup for the legit version, you've lost.
You can obfuscate the code (make it harder to decompile/use the reflector on it), but with enough energy and knowledge, it will get broken, after that it's quite easy to change the bytecode of the assembly, thus circumventing the license check. Also, you could invest the money to make it possible for you to sign your assemblies, which would make it harder to change the assembly itself, but with enough energy (more than just breaking the obfuscation) this can also be circumvented.
Your goal shouldn't be to make the license process unbreakable, but to make your software itself worth to buy. This is a much better protection. Crackers (and only them, hackers are something completely different, see this article for more) won't be hindered by that, but with the software being worth it, much more people would buy it.
I think that check should be done in several different places in the source code; it is much harder to catch all of them than only one. Also, if wants to protect program written in C# (or any other .NET language), one should consider to use some obfuscator. In counterpart a cracker or even lamer will be able to crack a program using some software like .NET Reflector
As mentioned previously, one can simply use .NET reflector to get the entire source code of your software (in fact, it can even get it in VB.NET or other languages even if you're written it in C#!). You must obfuscate your assembly if you hope to have even a chance at slowing a cracker's progress.
What is to stop people from directly copying licenses? If you have a license which is signed, it will then just be signed in two places -- what have you put in place to stop this? Never mind whether a global variable would further weaken your protection without taking into account trivial "cracks."
There really is no good answer to this as Ben Voigt pointed out. If you need something that is uncopyable, make it a closed-source web application. Astalavista will show you that most things have been cracked. Adobe products which cost thousands of dollars have been cracked and I'm sure their employees are quite well versed in copy protection techniques.