I am new to commercial software development. I am working towards developing 2 versions of a Java based tool.
1) Trial Version (30 Days free use)
2) Full version
As I understand it, for the trial version the start date has to be recorded in the registry or a conf file. But I am unable to work out how I can write a Java program which will write a timestamp to the registry and conf files.
Can anyone please help me understand how to do so?
Preferences API is what you need.
But going back to your original goal, it is much more difficult to implement such system than just writing your timestamp into the system repository or some other storage.
You need to be sure that:
You are using a 'source' of time you can trust
Nobody can change the timestamp you have saved somewhere - you need to sign it in some way
You need to periodically update the timestamp and store it in different places to defend yourself against time rollbacks (so the system could say that the current time is in the past)
In the ideal case you need to check the license on some licensing server
Even if you are sure about your timestamp source, there is also a high chance that your licensing library will be decompiled with JD-GUI and the checking code removed.
To make your check strong enough you need:
Use obfuscation for all your system modules (have a look at http://proguard.sourceforge.net)
Keep in mind that someone can just add a new dependency to the classpath and affect your license logic at runtime
Put check method invocations in different places of your system
Use ciphering for all license-related data
Bind the license to the particular machine using hardware IDs (CPUs, network devices, etc.)
Encode the issuing date into the license itself
The license file needs to be encrypted with the authorised authority key (read about public/private ciphering) and your system build should also be signed with the appropriate key, which means that you need to have a well-defined system build & signing flow
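An added example (not code from the answer) of a license that carries its own issue date, is bound to one machine and is protected with the vendor's key pair. It uses a digital signature as the concrete form of the "public/private" idea: the private key signs on the vendor side, and the client only verifies. The `machineId|issued|days|signature` layout, the class and method names and the sample values are assumptions, and `today` is expected to come from a time source the caller trusts.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.LocalDate;
import java.util.Base64;

// Added example: the vendor signs "machineId|issued|days"; the shipped client holds only the public key.
public class SignedTrialLicense {
    // Vendor side (licensing server): sign the payload with the private key.
    static String issue(PrivateKey vendorKey, String machineId, LocalDate issued, int days)
            throws GeneralSecurityException {
        String payload = machineId + "|" + issued + "|" + days;   // assumption: machineId contains no '|'
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendorKey);
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        return payload + "|" + Base64.getEncoder().encodeToString(s.sign());
    }

    // Client side: true only if signature, machine binding and validity window all hold.
    static boolean isValid(PublicKey vendorPub, String license, String thisMachine, LocalDate today)
            throws GeneralSecurityException {
        String[] f = license.split("\\|");
        if (f.length != 4) return false;
        byte[] sig;
        try { sig = Base64.getDecoder().decode(f[3]); }
        catch (IllegalArgumentException e) { return false; }
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(vendorPub);
        s.update((f[0] + "|" + f[1] + "|" + f[2]).getBytes(StandardCharsets.UTF_8));
        if (!s.verify(sig)) return false;          // fields are parsed only after this passes
        LocalDate issued = LocalDate.parse(f[1]);
        LocalDate expires = issued.plusDays(Integer.parseInt(f[2]));
        return f[0].equals(thisMachine) && !today.isBefore(issued) && today.isBefore(expires);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();          // constructed demo key pair
        String lic = issue(kp.getPrivate(), "HOST-1234", LocalDate.of(2024, 1, 1), 30);
        LocalDate day15 = LocalDate.of(2024, 1, 15);
        System.out.println(isValid(kp.getPublic(), lic, "HOST-1234", day15));   // untouched license
        System.out.println(isValid(kp.getPublic(), lic.replace("|30|", "|3000|"), "HOST-1234", day15)); // edited period
        System.out.println(isValid(kp.getPublic(), lic, "OTHER-HOST", day15));  // different machine
    }
}
```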
We would like to brand a piece of software based on which customer's website it is downloaded from. E.g. by showing the customer's logo etc. All we need is an ID, the software can handle the rest of the customization at runtime based on that.
The number of customizations is potentially large, and we would like to avoid prebuilding and storing these installers.
I'm open to consider all options, especially some out-of-the-box ideas.
I think it is impossible to change a signed installer (exe/dmg) without breaking the signature.
Some ideas I'm toying with (and their trade-offs):
Store the ID in the installer download filename (Con: Brittle, browsers might change the name or append a suffix to avoid duplicate names)
Ask the user to enter a code shown on the download page (Con: some inconvenience for the user)
Provide a zip with installer and config-file next to it (Con: some users will not manage to unzip, or only unzip the installer without the config file)
On Linux the installer shell script can be modified at download time, as the script cannot be signed.
Set up a server that builds and signs installers on the fly at the time of the download request. To speed this up, it could be yet another installer wrapping the main installer, and its only task would be to extract and run the main installer with the ID parameter. (Con: complex infrastructure, code signing certificates on the public facing server, very slow for MacOS notarization)
Chromium-based browsers like Google Chrome, Chromium, Opera, Microsoft Edge, etc. save the URL of origin and the referrer URL for all downloaded files on Windows 10 (only on NTFS file systems) and Linux (only on Ext4).
For details see for example here. On Windows the metadata is also accessible from command line or directly from Java.
There seems to be a similar feature on Mac. See for example this question on superuser.
Accessing this metadata from within your installer could help to customize the behavior of your installer. While the data will not be available in all setups (e.g. Internet Explorer stores only a zone ID and no URL) and may get lost (e.g. a user deletes the data or copies the file to a file system that does not support metadata) it could probably cover the majority of your users. Asking users to enter a code when the metadata is not found could still be used as a fallback.
The main concern I would have with this approach is that the Chromium developers may decide to remove this feature in the near future or make it optional, like the developers of wget (see for example here).
On latest Windows 10 I still get the following metadata for a downloaded file with both, latest Google Chrome and Microsoft Edge Browser:
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://httpd.apache.org/
HostUrl=https://mirror.klaus-uwe.me/apache//httpd/httpd-2.4.46.tar.bz2
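An added example (not part of the answer) that parses the `[ZoneTransfer]` text shown above and maps the referrer host to a branding ID through an allow-list, returning empty so the installer can fall back to asking for a code. The customer host, the ID and all names are hypothetical. The metadata can be edited or removed by the user, so the result is only suitable for cosmetic branding.

```java
import java.io.*;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.*;

// Added example: read the download-origin metadata and derive a branding ID from it.
public class DownloadOrigin {
    // Hypothetical allow-list: customer website hosts mapped to customer IDs.
    static final Map<String, String> CUSTOMERS = Map.of("www.customer-a.example", "A");

    // Parses the "[ZoneTransfer]" key=value text into a map; lines without '=' are ignored.
    static Map<String, String> parse(String text) {
        Map<String, String> m = new HashMap<>();
        for (String line : text.split("\\R")) {
            int eq = line.indexOf('=');
            if (eq > 0) m.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return m;
    }

    // Returns the ID for a known referrer host, or empty so the caller asks the user for a code.
    static Optional<String> customerId(Map<String, String> meta) {
        try {
            String host = URI.create(meta.getOrDefault("ReferrerUrl", "")).getHost();
            return Optional.ofNullable(host == null ? null : CUSTOMERS.get(host.toLowerCase(Locale.ROOT)));
        } catch (IllegalArgumentException e) {
            return Optional.empty();               // malformed URL in the metadata
        }
    }

    // Windows/NTFS only: the metadata lives in the alternate data stream "<file>:Zone.Identifier".
    // Assumption: java.io on this JDK build accepts that stream path; any failure means "no metadata".
    static String readStream(String installerPath) {
        try (InputStream in = new FileInputStream(installerPath + ":Zone.Identifier")) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        } catch (IOException e) {
            return "";
        }
    }

    public static void main(String[] args) {
        String sample = "[ZoneTransfer]\nZoneId=3\nReferrerUrl=https://httpd.apache.org/\n"
                + "HostUrl=https://mirror.klaus-uwe.me/apache//httpd/httpd-2.4.46.tar.bz2\n";
        System.out.println(parse(sample).get("HostUrl"));   // sample taken from the listing above
        System.out.println(customerId(parse(sample)));      // referrer host is not on the allow-list
        System.out.println(customerId(parse("ReferrerUrl=https://www.customer-a.example/get"))); // constructed
    }
}
```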
I hope you're doing well in these complicated times, good containment all around :D
So I come to my problem, currently I'm working on a game in Java and I know that it's possible to modify the jar file of my game which annoys me a little bit because it can give cheating possibilities for malicious players... I had thought of a solution even if it's not infallible, it would be to make sure to check if the jar file has not been modified. But the problem is that I don't know how to check this, I had thought of a system that would check the point of the file even if I doubt it would be the best solution.
If you have any other ideas to secure my game I would be interested :D
It is possible to check if a JAR file on your machine has been modified. Simply compare a cryptographic hash of the current JAR file with a previously recorded hash for a pristine copy. (Or just do a byte-by-byte comparison with the pristine copy.)
But you can't do this for a JAR file on the user's machine:
You can't login to the user's machine and access their file system to look at the JAR file. (Even if you could, there is no guarantee that you would see the file that the cheater is actually using.)
If your application (running on the user's machine) tries to report on the integrity of its JAR files, this can be defeated by the cheater. All they need to do is to modify the JAR file containing the reporting code to report a fake hash.
Basically, there is no reliable way to detect that a cheater is running a modified JAR ... apart from detecting the anomalous behavior of the cheat itself.
But think of it this way. If there was a good (reliable, no circumvention) mechanism for detecting that a cheater is running a modified client, then cheats would not be a problem in the many online games that exist out there. And (by extension) there would be no way to defeat software license enforcement schemes ... because software vendors would use a similar mechanism.
So, my advice would be not to waste too much time on this approach. It only works against people with limited technical expertise or limited motivation.
The only way to completely prevent cheats is to control the platform on which the client runs. That is usually impractical.
In regards to your question about other ideas, the best thing you can do is validate everything from the client. One thing you should always remember is that the client cannot be trusted because you cannot verify anything from it. All you can do is store the state on a remote server and when the client tells you something, validate it, and give a response if necessary or prevent the action if necessary.
You will need to somehow find out where the jar file is: Java - Search for files in a directory
Then you can check for the last modified date of the file: https://www.boraji.com/java-get-last-modified-date-of-a-file
However, I would not consider this a very powerful defense against cheating, because one can modify the jar file and remove the validation of the file date.
You will need to think about the kind of cheating that can occur and to come up with other security measures as well.
EDIT
As Dave Thompson pointed out, the modified timestamp can be changed as well, which makes the modification of the jar file unnecessary, even though reverse engineering is still needed by the hackers, because that's how they find out what the rules of the application are.
I am working on a software license related task. The current validation method requires an online check against the company server, but since the users can manipulate their system clocks and continue using the software in offline mode, I have been assigned to look for a way to do offline validation clock checks using Java. I know there are no bulletproof ways to do this, but can anyone please suggest a way to make it hard to use an expired license in offline mode? Thank you.
Have the software know the earliest possible date (based on when that version went into production). If the clock is prior to that date, deny access until the online check succeeds. This requires storing this additional state (that the app is locked out) somewhere on the filesystem. You will probably want to have the app be "locked" if the file is missing to prevent someone from resetting the state simply by removing the file.
Also, when the license check succeeds (either online or offline), note the time. Deny any future access that is prior to that time and deny access until the online check succeeds. This forces time to march forward and if they mess up with their clock re-setting then they are locked out until they succeed with an online check.
When the license check succeeds online, store the server timestamp on the client (the timestamp that is used above to keep time moving forward).
Obviously, you will want to protect the contents of the file that persists this state, e.g., using encryption.
This is not fool-proof, but makes it harder for someone to use expired licenses by twiddling the clock.
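An added example (not the answerer's code) of the state handling described above: a missing file counts as locked, a clock before the build date or before the last recorded time locks the app, and only an online check with the server timestamp unlocks it. The file is protected with an HMAC for integrity rather than encryption; the file format, the class and method names, the build date and the demo secret are assumptions.

```java
import java.nio.file.*;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import static java.nio.charset.StandardCharsets.UTF_8;

// Added example: forward-only clock state in an HMAC-protected file (names and format are assumptions).
public class OfflineClockGuard {
    static final Instant BUILD_DATE = Instant.parse("2024-01-01T00:00:00Z"); // hypothetical release date
    private final Path state;
    private final byte[] key; // assumption: secret embedded in the app; raises the bar only
    OfflineClockGuard(Path state, byte[] key) { this.state = state; this.key = key; }

    private String mac(String body) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(m.doFinal(body.getBytes(UTF_8)));
    }
    private void write(String body) throws Exception {
        Files.write(state, (body + "\n" + mac(body)).getBytes(UTF_8));
    }
    // After a successful online check the server time becomes the new floor and clears any lock.
    void onlineCheckSucceeded(Instant serverTime) throws Exception { write("OK " + serverTime); }
    // At each offline start: true if the app may run with the local clock reading `now`.
    boolean offlineCheck(Instant now) throws Exception {
        if (!Files.exists(state)) return false;                 // missing file counts as locked
        String[] lines = new String(Files.readAllBytes(state), UTF_8).split("\n");
        if (lines.length != 2 || !MessageDigest.isEqual(
                mac(lines[0]).getBytes(UTF_8), lines[1].getBytes(UTF_8)))
            return false;                                       // edited or corrupted state
        String[] f = lines[0].split(" ");
        Instant lastSeen = Instant.parse(f[1]);
        if (f[0].equals("LOCKED") || now.isBefore(BUILD_DATE) || now.isBefore(lastSeen)) {
            write("LOCKED " + lastSeen);                        // locked until the next online check
            return false;
        }
        write("OK " + now);                                     // time only moves forward
        return true;
    }
    public static void main(String[] a) throws Exception {
        OfflineClockGuard g = new OfflineClockGuard(
                Files.createTempDirectory("lic").resolve("state"), "demo-secret".getBytes(UTF_8));
        g.onlineCheckSucceeded(Instant.parse("2024-03-01T00:00:00Z"));
        System.out.println(g.offlineCheck(Instant.parse("2024-03-05T00:00:00Z"))); // clock moved forward
        System.out.println(g.offlineCheck(Instant.parse("2024-03-02T00:00:00Z"))); // clock rolled back
        System.out.println(g.offlineCheck(Instant.parse("2024-03-09T00:00:00Z"))); // later, but still locked
    }
}
```

The HMAC detects edits to the state file, not its replacement with an earlier copy, which is consistent with the answer's point that the scheme is not fool-proof.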
Some relevant background:
My application is a Java app compiled into a .exe via JSmooth. The anticipated user base would likely be a few hundred users, but could grow well beyond that, as it's a community specific application.
How it works:
2 .jar files, one that performs initial checks, another with the meat of the application.
Ideally, the init jar displays the splash, checks the version in desktop.txt against server.txt, if they differ, it prompts the user to update.
What I need to figure out:
1) What is a cheap, scalable hosting service that I could use as the file host for updates?
2) How can I create an "updater" to actually perform the jar replacement? My current solution is simply writing an updater in Java, but I was hoping for something like the installers people are more familiar with.
All of the research I've done has resulted in lackluster results, as 99% of hosting searches result in site hosting results. I just need an update repository with reasonable security. i.e., decent DDoS resistance and not left wide open to the Internet.
Edit: formatting
Easy to do and very foolish cheap with Amazon S3 or Joyent Manta, as both support time-limited signed URLs and headers (which can contain a SHA-1 of the file) to check to see if the update is needed before downloading.
On startup your app would check the update URL to see if it has changed. If it has changed, download the JARs. Do this before the app loads classes from those JARs. Updating the updater itself will be trickier so consider that an update might need a new update URL to prevent expiry.
I'm trying to find a solution to my problem, which is only applicable in our test environments. I'm working with systems (banking) depending on each system being on the same specific date. The development we do is solely within system integrations. In short: Our systems generate the data, which we then adapt between our systems. Naturally, we do not hold the source codes to the systems we have.
To my specific problem: I have a system(A) running on JBoss: JBoss_4_2_3_GA on Java JRE build 1.6.0_32-b05. I've set up a messaging broker in WebMethods(WM) listening to a specific port on this system. When users trigger certain events in system(A), JMS topics are created and sent to a queue. WM then does a few validations and delivers the messages to system(B).
Everything was working properly, up until recently when we noticed that system(B) was expecting a timestamp field being on the same date as the system itself was in (the functionality we built won’t otherwise work). The problem is that system(A) does not provide such a system date option, and the timestamps in the messages are "real" timestamps from the operating system (Windows 2008 R2). So I require a fake date (timestamp) applied in system(A) which would be on the same date as system(B).
The first solution to this problem was simply to disable the NTP sync and set a fake timestamp in Windows running system(A), which would solve the date issue. But doing this, we noticed that our Windows group policies stopped working, which affected normal logins to the server. So this was not a solution we could apply.
I know that others have posted this specific issue, and solutions such as using Java date alternatives such as Joda-Time etc. I don't see how I can apply mentioned changes into my system(A) due to the lack of source code.
Help/suggestions would be gratefully appreciated. Right now I’m blindly focused on changing the timestamp in Java in system(A). Perhaps there are better alternatives such as just applying the fake date in WM? I just don’t know enough about WM to do this either.
Ok, I finally found a solution to my problem. Given the lack of source code, it was really a hard shot to do anything within the application (Java/JBoss). Searching across forums, I found a nifty little tool (for Windows) called "RunAsDate". This tool does exactly what I need, as it intercepts the API calls to the OS related to dates and times and gives whatever date/timestamp the user chooses!
The best thing is that it doesn't make any changes to the system (DLLs), and runs either from the simple GUI (in app package) or called from command line. Of course it will take arguments if required.
I hope others can find this as helpful as I do: http://www.nirsoft.net/utils/run_as_date.html
BR
/rash