Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
I'm currently developing a commercial Java application, where I'm doing my best to protect it against cracking.
I have a couple of thoughts that I wish someone a bit more experienced in the field could help me clear up.
I'm protecting my software with a Server/Client License System.
Simple explanation of how the License works:
1. The user purchases the software online and is emailed their License Hash.
2. The user downloads the software and enters the License Hash provided in the email.
3. The software checks online whether the license has been used before; if not, it marks it as used and links the user's HardwareID to it in the database. The next time the user logs in, the server checks their HWID against the provided License; if it is not valid, the user is kicked out of the software.
4. After successfully authenticating, the software downloads and loads variables from the server that the software cannot run without.
5. My software constantly checks the server for variables (step 4) and never loads them all at once.
Communication between server and client is done over an SSL-secured REST API.
My software is obfuscated/protected using ProGuard.
Is this method good enough as a protection against cracking? If not, could you provide some extra tips to make this method better?
Thanks a lot.
The only 100% proof way against cracking is to move the whole business logic to the cloud. If the application is running on the client's computer then it can be cracked. The only question is whether your software is interesting enough that hackers will spend time on it.
It sounds like you already use an obfuscator, moved some of the data to the cloud and are obtaining it on demand. I would say you are already protected against entry-level hackers and some "IT specialists". I wouldn't spend more effort on it; if higher-level "hackers" want to crack it, they will. No matter what encryption you use, the keys (and the algorithm used as well) will be in your application's memory, so those can be obtained.
Modern DRM tools work by stripping important parts of code (not just variables) from the released binaries, and obtaining them on demand from a server. They try to provide code for the gaps that will only run on the machine of the specific customer (for example by compiling the code for every different processor on the market, making sure that the code won't run on other models), so collecting all the missing parts for every possible hardware configuration is impractical (or at least takes a long time). But this is hard to achieve using Java.
One more thing you should consider: change the licensing algorithm with every release, and do frequent updates. This way real customers get the new features and bugfixes seamlessly, but people using cracked versions will either have to search for new cracks every time or be stuck with the older versions. Eventually some of them may decide to buy the software just to avoid the inconvenience.
Closed 7 years ago.
We provide per-server licenses of our application to our clients. What is the best way of ensuring they're not copied to other servers? It's a JBoss server application. Are MAC address restrictions sufficient? A lot of applications restrict by MAC address, but I think it can be faked quite easily.
There are many issues with rolling your own license management software. If you lock to hardware, what happens when a server goes out and your customer wants to migrate to a new machine? Do you support hot standby? Do you support virtualization? Is it licensed per CPU or per instance? These are just a few sample questions that come into play; there are many, many more to consider.
Several years ago, I worked on a server system where we were required to implement license management and enforcement. We used FlexLM from Macrovision. It appears that it is now rolled into a new company and product suite as FlexNet. It was pricey but much better thought out for license management than a hand rolled solution, and, it can span pretty much any server licensing needs.
That said, I very much suggest that you do not approach license compliance in this way. Your customers are not likely to respond well to it, not because they want to cheat you on licensing but because you are adding extra steps, however minor, to the use of the software that they are licensing. In my experience, much better solutions include simply trusting your customers to abide by the license agreement (as a JBoss app I'm assuming you are dealing with corporate customers rather than a more easily "shared" consumer desktop app), including rights to audit via the license agreement, or setting up the license so your customer can install at will and pay for licenses in use at specified periods. Your account managers should love having a touch point to ask about new licenses. In my experience with server software, when you make it easy for enterprise customers to expand use of your software, they tend to do so, resulting in net positive sales.
Whichever way you go, good luck!
I believe that MAC address restrictions are not a very good idea. First, a server may have more than one network card. Second, sometimes network cards fail and need to be replaced, hence the MAC address changes.
A possibility is to collect some kind of hardware fingerprint of as many components as you can, and then use them to decide if this is the same machine or not. If you allow for some changes, changing a single component will not stop the software, but changing 2 or 3 will require your client to contact you to obtain a new license.
Of course the ultimate protection is the so-called dongle. There is a nice Software protection dongle article in Wikipedia.
All in all, there is no protection which cannot be cracked. So whatever you choose, make sure that it does not harm your user, or you can lose more customers by virtue of a bad protection mechanism than by unlicensed use.
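An added example (not code from the question or from any answer on this page) that combines the server-side activation flow described in the first question with this answer's fingerprint-with-tolerance idea: the server binds a license hash to hashed component identifiers on first use and rejects later logins only when more than the allowed number of components differ. The class name, the license hash and the hardware identifiers are constructed; a real client would read such identifiers from the OS and send them over the authenticated API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Server-side activation: each issued license is bound to a hashed hardware fingerprint on first
 * use, and later logins are accepted as long as at most `tolerance` components have changed.
 */
public final class ActivationServer {
    enum Result { UNKNOWN_LICENSE, ACTIVATED, OK, REJECTED }

    /** License hash -> fingerprint bound at activation (null until the license is first used). */
    private final Map<String, Map<String, String>> bindings = new HashMap<>();
    private final int tolerance;

    ActivationServer(List<String> issuedLicenseHashes, int tolerance) {
        for (String h : issuedLicenseHashes) bindings.put(h, null);
        this.tolerance = tolerance;
    }

    /** Called on every login with the client's current component identifiers. */
    synchronized Result check(String licenseHash, Map<String, String> components) {
        if (!bindings.containsKey(licenseHash)) return Result.UNKNOWN_LICENSE;
        Map<String, String> current = fingerprint(components);
        Map<String, String> bound = bindings.get(licenseHash);
        if (bound == null) {                // first use: mark the license as used and bind this machine
            bindings.put(licenseHash, current);
            return Result.ACTIVATED;
        }
        return changedComponents(bound, current) <= tolerance ? Result.OK : Result.REJECTED;
    }

    /** Hash each component separately so the database never stores raw serial numbers. */
    static Map<String, String> fingerprint(Map<String, String> components) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : components.entrySet()) {
            out.put(e.getKey(), sha256(e.getKey() + "=" + e.getValue().trim().toLowerCase()));
        }
        return out;
    }

    /** Number of bound components whose hash differs now (a missing component counts as changed). */
    static int changedComponents(Map<String, String> bound, Map<String, String> current) {
        int changed = 0;
        for (Map.Entry<String, String> e : bound.entrySet()) {
            if (!e.getValue().equals(current.get(e.getKey()))) changed++;
        }
        return changed;
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : d) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one issued license, tolerance of one replaced component.
        ActivationServer server = new ActivationServer(List.of("LIC-HASH-0001"), 1);
        Map<String, String> machine = new LinkedHashMap<>();
        machine.put("cpu", "BFEBFBFF000906EA");
        machine.put("board", "MB-SERIAL-0001");
        machine.put("disk", "WD-WX11A23");
        machine.put("nic", "00:1a:2b:3c:4d:5e");
        System.out.println("first login:      " + server.check("LIC-HASH-0001", machine));
        System.out.println("second login:     " + server.check("LIC-HASH-0001", machine));

        Map<String, String> nicReplaced = new LinkedHashMap<>(machine);
        nicReplaced.put("nic", "00:aa:bb:cc:dd:ee");   // scenario: the customer swapped one network card
        System.out.println("after NIC swap:   " + server.check("LIC-HASH-0001", nicReplaced));

        Map<String, String> otherMachine = new LinkedHashMap<>(nicReplaced);
        otherMachine.put("board", "MB-SERIAL-9999");
        otherMachine.put("disk", "ST-98765");          // scenario: the install was copied to a different box
        System.out.println("copied elsewhere: " + server.check("LIC-HASH-0001", otherMachine));
        System.out.println("unknown license:  " + server.check("LIC-HASH-9999", machine));
    }
}
```

The decision lives on the server because, as the answers in this thread note, anything evaluated inside the client jar can be decompiled and patched out; a REJECTED result is also the natural place to log the event and open the "contact us for a new license" path.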
With licenses, if you want to crack it, you can crack it ;)
That being said,
if you intend to use the MAC address to ensure that only one copy of your software is used, be prepared for the following:
1. You need to support a single license on multiple MAC addresses, because customers will usually have multiple NICs and keep one of them active at a time.
2. You will need to have super fast customer service. Say your customer plans to transfer this software from one machine to another; then they will ask you for a transfer of the license to the new MAC address. If the software is a time-critical one, then this transfer should happen very fast.
Of course, you can combine solution 1 with solution 2.
If the customer's server, on which you install your software, has access to the internet, then the best option would be to have an online license renewal, wherein your software will renew its license with your license server. But cost is an issue here, considering all the infrastructure required.
Consider this discussion before deciding on license schemes: license-scheme
Also this: how-are-software-license-keys-generated
And this: consideration for License Management
Also JLicense is a simple library to use for simple license management.
Suggestion. Build in an automatic update of functional deficiencies (security patches/bug repairs/optimisations). And then do an ID & IP check.
You need to think about the following questions:
1. Would your customer breach the license agreement?
2. Is your customer skilled enough to breach the protection?
If both answers are true, there is no chance to protect your software, unless you use a hardware component like a dongle.
If one answer is false, you could use this simple approach:
1. While installing your software, generate an Install-Id on the customer's machine using some secret algorithm, store it encrypted in an uncommon secret place on the machine and show it to the customer.
2. Request the Install-Id from the customer and check whether it was really generated with your algorithm.
3. Generate a License-Key using a second secret algorithm and give it to the customer.
4. Validate in your software that the License-Key was generated using the Install-Id.
Since the hardware can be replaced, you cannot use parameters like the MAC address, so you have to use something generic like an Install-Id.
The best way is to do this outside the software, using the software agreement to place these restrictions. The customer can choose to follow the guidelines and be compliant or not. Chances are, if they're a public company, they're dealing with software audits and would rather just pay to be compliant than risk being sued.
Closed 7 years ago.
I want to sell my Java application using PayPal. When a payment is received, the customer is mailed a one-time download link to my application.
My question is, how do I prevent people from sending the .jar file to their friends or uploading it on the internet?
Obviously I need some kind of check in the application which only allows it to run on one computer. And that's another problem: I don't want a customer to be limited to one computer; they should be able to run it at home and at work etc.
Maybe some kind of CD-key would do the trick? Are there any CD-key resources for Java out there? Or should I build my own algorithm? Here comes yet another problem: reverse engineering...
Please help me solve this :)
The most common way to handle this is: customer gives you money, you generate a unique unlock key and provide that to the customer. The key should be a valid unlock key, and it should encode identification information about the user. Customer uses that key to install on as many of their computers as they like, or is allowed by the license.
Don't worry about reverse-engineering. Your product, if it's at all popular, will be pirated - you'll find unlock keys online if you look hard enough. If you like, you can take that as a compliment - someone liked your software enough to steal it. Cold comfort, I know, but the alternative is to get in an arms race with the pirates, and you won't win that. In the end, a few percent of the population will steal software, and you can't do much about that. You can use the key's identification information, if your scheme is strong enough, to trace who released the key in the first place.
Actually there are a number of license management solutions that can help, but the REAL problem is that all of them can be cracked. I've personally tried everything from the most expensive to the cheapest. Finally I rolled my own, and I check the software's PC details (MAC id, etc.) against the recorded details on my server every time the software is run. Because my software is tightly tied to the Internet, it is okay, but I am sure it will be cracked one of these days.
What you probably need is to police the Internet regularly and find where your software is being pirated; contrary to popular belief, you can actually stop them in most cases. Just serve a DMCA notice to the downloading website (most of them will comply), and you will be able to get your software removed in about 80% of cases. I've done and experienced it with my software. Some do not remove it, but I've found that in the 1.5 years I've been doing this, my sales have improved.
I also use a service, http://spotpiracy.com, which helps me find these links apart from my own manual research (I have a guy dedicated to this). :)
Everyone has their own opinion on this subject so expect lots of different advice. Here's my take on it:
1. Obfuscate your code (ProGuard is recommended)
2. Offer a FREE version with full capabilities for a trial period
3. Use a serial number routine based on the registering user's email or other unique info
Overall you will have to accept a certain amount of piracy, but if your application is worthy people will pay for it. Honest people will be honest and copy protection will not make dishonest people honest.
In my opinion, if you don't know exactly how you will protect your source code efficiently, then don't start trying to hash something together yourself based on hardware. It will be too easy to break, and most likely just annoy your customers.
I would suggest you have a look at how Atlassian does this. They happen to sell Java software, and apparently do quite well. http://www.atlassian.com/ Try downloading e.g. JIRA and play with an installation. This will give you a good idea of how their licensing scheme works, and what users can reasonably expect from professional software.
You must implement licensing capabilities.
Here is one interesting resource as a starter: http://members.chello.at/stefan-schneider/JavaLicenseKit.html
In my old C++ days I took up arms against piracy using MAC address code protection; it was very nice and really nobody stole my software with the MAC address protection in place, because I always forced the OS to re-read the real MAC, avoiding MAC overrides. That was C++ code with direct access to local resources.
That's not the case today, nor in Java applications, in which the code is located in .class files that can always be decoded back to the original source code (yes, it is possible, and very easy to find tools to do so).
I think, in summary, it is impossible to protect Java programs against piracy. I find no way like the old golden C++ days :)
Closed 7 years ago.
I have written desktop-based accounting software in Java. I want to put a key or licence or other kind of security in place to prevent redistribution of the software by the client.
I just want to know how to go about it.
The short answer: DRM doesn't stop piracy. It only hurts your paying customers. It doesn't really matter what you do.
The best you can do is set up a simple product-key system. All that really does is make your application unable to be copied quickly with no work; it doesn't really harm your paying customers, but don't expect it to stop anyone who's determined not to pay for your software.
The best thing you can do is make your software good. This gives people incentive to actually purchase it. Also a fair pricing plan helps (there's a reason Adobe / Microsoft software is highly pirated).
First, let's leave the commercial/GPL war out of SO and actually answer the OP's question...
I work for a company selling protected Java software. Our software is good. It actually rocks and completely owns the competition's offerings. If users aren't happy with our protection scheme, they can go use the inferior products our competitors are making.
The thing is: we're moving to a more and more networked world. Our software mandates an Internet connection for some functionalities to work correctly (the software will launch without an Internet connection, but not everything will work correctly).
A correctly designed server/client protection scheme, where enough processing happens on the server side, cannot be pirated. At one point, it becomes easier to rewrite the software than to try to reproduce what's happening on the server side.
You can think of it this way: nobody ever succeeded playing on the real "World of Warcraft" servers with a pirated or keygen'ed licence (there have been fake servers but that would be missing the point: people playing on rogue servers are not playing in the real economy, which is a massive fail).
Or this way: nobody has pirated GMail. GMail definitely rocks: it's probably the app I use the most (after my IDE). Sure, it's free... But nobody can clone it: nearly everything is happening on the server side.
It is very common in some software circles to have restrictive copy protection in place: it was hardware dongles back in the day, now it's mostly server/client schemes. For example there is a lot of very good and very expensive software that uses the "Flex license manager", including expensive C++ compilers that beat the crap out of anything free (or cheap), which some companies are very happy to shell out big $$$ for and very happy to have the ability to buy (and they don't mind needing an internet connection for the license verification).
So, to answer your question:
"I want to put a key or licence or other kind of security to prevent redistribution of software by the client. I just want to know how to go about it?"
Go about it by putting a client/server key verification in place. Ideally, make part of the computation your desktop software is doing happen on the server side: that gives headaches to wannabe pirates (they either have to pirate your server or reproduce what the server does; there's simply no other way around it).
Here's a +7 upvotes answer I made to a similar question which gives more detail:
Making commercial Java software (DRM)
For online software, you can request the email address and first and last name from the buyer. You can apply an algorithm on those values to turn them into a large number. You prompt the user to enter the number, and if the calculated number matches what was entered by the user, you store the number and enable the software.
I use Plimus, which is a service that delivers my software and bills the customers for me. I store the key generator on their server, which generates the serial number based on the information from the customer's online order.
For shrink wrapped (off-the-shelf) software, you could still do this, but you'll need some type of online activation mode that basically forces the user to register when they first run it. This allows you to collect the email address and name and send them their serial number. Users typically don't like this. What if your server is down? However, they'll be willing to do it if your software is good enough and you provide decent support to help them with problems registering.
For off the shelf software, typically, some algorithm is used to generate a series of large numbers, each of which matches some algorithm and enables the software. One serial number is packaged with each copy of the software.
In my opinion, the most difficult issue is providing the user the ability to try the software out. You could offer refunds, but you'll need a way to revoke the software. You could have a trial version, but trial software is even harder because you don't want to let them keep using the trial version. It's simpler to create a free (forever) limited version, and the pay version has additional features.
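The Install-Id/License-Key scheme from the earlier answer and the email-plus-name serial described in this one, as a single added example that is not code from either answer: the vendor signs the identifying fields together with the Install-Id using an Ed25519 private key, so the client jar only ever contains the public key and a decompiled copy (which other answers here note is easy to obtain) cannot mint new keys. Assumes Java 15 or later for Ed25519; the class name, the key format and the sample customer are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Base64;

/**
 * License key = base64url(payload) "." base64url(signature), where the payload binds the
 * customer's identity (email, name) to the Install-Id generated on their machine.
 */
public final class SignedLicense {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    /** Client side, at install time: a random Install-Id stored locally and shown to the customer. */
    static String newInstallId() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return B64.encodeToString(b);
    }

    /** The signed fields; "|" is rejected in inputs so the payload parses unambiguously. */
    static String payload(String email, String name, String installId) {
        for (String s : new String[] {email, name, installId}) {
            if (s.contains("|")) throw new IllegalArgumentException("field may not contain '|'");
        }
        return email.trim().toLowerCase() + "|" + name.trim() + "|" + installId;
    }

    /** Vendor side: sign the payload with the private key, which never leaves the vendor's server. */
    static String issue(PrivateKey vendorKey, String email, String name, String installId)
            throws GeneralSecurityException {
        byte[] body = payload(email, name, installId).getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("Ed25519");
        sig.initSign(vendorKey);
        sig.update(body);
        return B64.encodeToString(body) + "." + B64.encodeToString(sig.sign());
    }

    /**
     * Client side: accept the key only if the signature verifies under the embedded public key
     * and the signed Install-Id equals this installation's own Install-Id.
     */
    static boolean verify(PublicKey vendorPub, String licenseKey, String thisInstallId) {
        try {
            String[] parts = licenseKey.split("\\.", -1);
            if (parts.length != 2) return false;
            byte[] body = Base64.getUrlDecoder().decode(parts[0]);
            Signature sig = Signature.getInstance("Ed25519");
            sig.initVerify(vendorPub);
            sig.update(body);
            if (!sig.verify(Base64.getUrlDecoder().decode(parts[1]))) return false;
            String[] fields = new String(body, StandardCharsets.UTF_8).split("\\|", -1);
            if (fields.length != 3) return false;
            // fields[0] (the email) can be shown in the About dialog: it identifies whose key leaked.
            return MessageDigest.isEqual(fields[2].getBytes(StandardCharsets.UTF_8),
                                         thisInstallId.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;   // malformed base64, wrong signature length, unsupported algorithm, ...
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Generated once by the vendor; only getPublic() is embedded in the shipped jar.
        KeyPair vendor = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        String installId = newInstallId();
        String key = issue(vendor.getPrivate(), "alice@example.com", "Alice Example", installId);
        System.out.println("license key:          " + key);
        System.out.println("this installation:    " + verify(vendor.getPublic(), key, installId));
        System.out.println("copied to another PC: " + verify(vendor.getPublic(), key, newInstallId()));
        // Scenario: Alice's signature pasted under an edited payload (the signature covers every field).
        String forged = B64.encodeToString(payload("mallory@example.com", "Mallory", installId)
                .getBytes(StandardCharsets.UTF_8)) + "." + key.split("\\.")[1];
        System.out.println("edited payload:       " + verify(vendor.getPublic(), forged, installId));
    }
}
```

What this does not do is stop someone from patching `verify` to return true in a decompiled jar, which is the point the other answers make; it only ensures that nobody can generate keys for new Install-Ids without the vendor's private key.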
Use of Java is tempting to many as it is rapid and does not demand geek-like skills to code. But I don't think you can successfully DRM your apps made in Java. To recover from this mistake, start coding with C/C++ from now on.
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
Is it worth obfuscating a Java web application? And why?
No. The code is stored on the server where external users (hopefully) don't have access to it. You may want to obfuscate the JavaScript if you feel it's worth the (minimal) IP protection.
The best thing is to make sure your server security is up to scratch and you don't have open access to your application directories (which shouldn't happen anyway).
IMO, no.
There are two main use-cases for obfuscation:
1. to protect access control "secrets" (e.g. passwords) embedded in the code, and
2. to protect against someone stealing your "intellectual property".
The problem is that obfuscation only foils half-hearted attempts at reverse engineering. A serious attempt will always succeed. It is really not that hard to decompile an obfuscated JAR file, and there are lots of tools around for doing it.
For the use-cases above, better alternatives to obfuscation are:
1. just don't embed secrets in the code, and
2. one or both of the following:
   a. secure your webservers so that hackers cannot get at the code, and
   b. don't ship the code that you consider to be valuable IP, or if you do, then only ship code to people who have signed a legally binding contract / license agreement that guards your IP rights.
The only scenario where you would obfuscate a java web application is if you gave the code to your customers to run on their servers. Otherwise, it is just a waste of time and an extra complexity.
Obfuscation is for the purpose of making it harder for someone to decompile your byte code and get useful code out of it. To do this, they have to have access to your class files, something that only exists when you deliver them to your customers, not when they access it remotely.
I would add that you should have a good justification, because obfuscation will make debugging harder.
You might find the answers to Do you obfuscate your commercial Java code? relevant.
Is it worth obfuscating a Java web application?
It depends
and why?
If you're licensing your web-app to be installed on your customer's site and you don't want your customer to reuse your code by decompiling it*, then it is.
If you're serving your web-app and the installation is available only from you, I would say it is not worth it. Better would be to increase your net security.
* see Stephen C's comment
Absolutely yes.
If your development process is correct, only binaries and some support files (markup and stylesheets, for instance) need to be on the server. There's no good reason to not obfuscate binaries in any production environment.
Others here have said that doing so creates problems for staff. The only people that should be aware of or concerned about the contents of your binaries are developers - and they have the source, so they shouldn't be concerned about poking around compiled objects.
The only reason I can see that anyone that doesn't have access to the source would be interested in the contents of binary would be reverse engineering - and no one on your staff should have any interest in reverse engineering your own product, unless they don't have access to the source. That means they either aren't cleared for that code, or you've lost it, which means your source control system either sucks or is missing entirely. That is a completely different conversation.
I've yet to hear any practical examples of server-side obfuscation causing development or administrative difficulties.
Is it a good idea to obfuscate your server side code? I'd give an unqualified YES.
The reality is that the end user is only one group which might have nefarious plans. All too often internal employees, whether they are business users, support staff, etc., might also have their own plans, or be made unwitting accomplices.
If you deal with ANY information which requires a password to access, then you have a duty to leverage every tool at your disposal in order to safeguard that information.
This includes protecting it against both external and internal people. Companies lose both data and intellectual property all of the time due to internal people with too much access. Whether those people purposely stole the information or simply lost control of their computers due to hacker attacks is immaterial.
So, again, yes one step is to obfuscate in the hopes of whoever acquires the binaries has a harder time in figuring out how your application works. Of course, you should go a lot further by securing the servers it lives on; and not just production, but all the way back to source control.
Closed 7 years ago.
What is the best way to implement license enforcement in a Java application, so that the application cannot be "distributed" and used without the user purchasing the license?
Take a look at TrueLicense, which is an open source framework for doing just that. If you want to make your own, there is some documentation that explains the concepts, and you can probably get some good ideas by looking at the code as well.
EDIT: worth mentioning that it is not a copy-protection scheme.
I suggest you don't even attempt to add copy protection. You will just annoy people. You are much more likely to get sales if people like your product. Being petty and treating customers like thieves is not going to help. (Unless the product really sucks, and you have to prevent people from being able to try it before they buy.)
You might want to send a license key the sole purpose of which is to satisfy users who want to receive something for their money. Just add a status somewhere to show whether it has been paid for. The status needs to be reasonably obvious so that it is clear that something has happened (a product I worked on a long time ago came on two floppy discs; half of the support calls were because the installer didn't ask for the second [win32s] disc).
There isn't a licensing scheme that I am aware of that is not easily breakable. I will not go into specifics, but as an example, in the Java case if it is done in Java then it can be decompiled (as can C++ or any compiled language, but Java is easier than C++ for instance). If it is done natively then you need native methods, and the DLL/so could be replaced with one that allows access.
For the C/C++ example I know someone who decompiled the CL (Microsoft compiler) to figure out how they do name mangling. All they had was the binary, and they were able to do it with a disassembler and a lot of time.
Don't bother with this type of thing, it annoys honest users and moderately slows down those that want to copy it. Take a look at World of Goo (great game!) and their take on DRM (which is a similar idea to what you are talking about).
The developers of World of Goo found that their product was pirated 90% of the time (they explain how that number could be inaccurate), contrast that to another game that shipped with DRM and was pirated 92% of the time.
If you are talking about legitimate businesses then they want to be in license compliance usually, so ensuring that they are not copying is a waste. If you are talking about people who would not buy the product to begin with, or just don't want to pay for it, you are not really going to alter the number of people that get your software illegally, you will only slow down the first person who gets it - after that the cat is out of the bag.
Personally I think IntelliJ gets it right: fully-featured version for 30 days. You shouldn't be any more restrictive than that.
The "fully featured" part is important. If your unregistered version is so crippled as to be useless, how do you expect people to decide to buy it? They have to try features before they decide they like them and want them but the notion some vendors have that people will buy something on the promise of features they haven't been able to try is ludicrous.
Oracle is at the most liberal end of the spectrum. You can basically download a fully-featured version of their software and just use it. They treat licensing as a social problem and there's a lot of merit to that argument.
You should never nag or otherwise annoy your potential customers (beyond possibly expiring the software after a predetermined period). The most notice you should give is "X expires in N days" on say a splash screen or something.
The other thing you can and should do is provide a low barrier to entry for your software.
Provide a cheap (if not free) academic or personal version. Marketing is also a good idea. By this I mean take IntelliJ: it's offered free to approved open source projects.
As for the technical aspects of enforcement: don't be too concerned about the technical aspects. Never choose any scheme that annoys your users or, worse yet, slows down your software (as some schemes do) or (even worse) violates the security of the user's operating system (e.g. the Sony rootkit fiasco). Your enforcement is not meant to be hack-proof. If people want to steal your software they will. The enforcement system is there as a gentle reminder (and nothing more) for a social, not a technical, problem.
After reading Oracle's BCL (which affirmed commercial freedom), I then had a conversation with an Oracle representative who said Java SE is free for commercial use!