Prevent application from being copied/generate activation password - java

I made a Java (on IntelliJ IDEA) application and I want to give it to someone via USB or Dropbox.
However I don't want him to give it to someone else, like you know, he downloaded the file, so he can copy/paste it to his USB and give it to more people.
Is there any way to prevent the application from being copied after I give him the application? At first I thought of making a login window, but then I thought "hey, if he knows the password to login to application, he can just give the application to someone and give him the password as well", so login window is not an option (I think?). Can I disable the copy/cut functions with If statements after being copied once?
Or can I only prevent it by linking my application with a database and generating unique passwords to activate my application? Like for example, someone requested to use my application, so I will give him the application but he won't be able to run it. Then I generate a password and send him the password. However that password can only be used once, so if he tries to use the same password on 2 different PCs, it will give him an error. Is there any guide/tutorial/tips for making something like that in Java?

You could create some kind of "activation code" for your software that is generated based on some information about the hardware it's running on. I've seen some people using, for example, the MAC address, that you can obtain in a platform-independent way in Java.
However, keep in mind that those techniques will only work against the most basic users. MAC addresses can be easily changed by anyone that knows how to use Google and even if you use something incredibly complicated instead of MAC addresses, Java programs are dead simple to decompile and once the attacker knows what function is checking if the program is correctly activated, he/she can easily replace it. Yes, you can obfuscate your bytecode, but it only makes the task a little harder, not impossible.
You can do what you suggested and use passwords that can only be used once, but then your program needs to know that it has been activated, by storing that information somewhere (a file or something like that). And once the user knows where that information is stored, it can be replicated on other computers.
Unfortunately, once the user has your program, you have no control over what he/she can do. You can make sure that the user is not going to do stuff he/she is not supposed to do with your program by not giving him/her the program at all. You can, for example, expose your program's features through the web. But, as you said, nothing stops a user from sharing login credentials with another person. Yes, you could check if the user is accessing the page from a different IP address, but then a legitimate user could have problems when, for example, accessing your program from a different wifi network. And in this case, your protection not only fails in solving the problem, but also becomes annoying to an honest user.
In summary, brilliant engineers at huge software companies have been working on protections for their software for years and I'm yet to see a software that cannot be illegally activated given enough time and effort.
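Added example, not part of the original answer: one way to build the hardware-bound activation code described above, going one step further by making the code a vendor signature over the machine fingerprint so the shipped application holds only a public key. The class and method names and the RSA demo key are assumptions; HexFormat needs Java 17 or later.

```java
import java.net.NetworkInterface;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
public class ActivationDemo {
    // Machine fingerprint: SHA-256 over the sorted MAC addresses (spoofable, as noted above).
    static String fingerprint() throws Exception {
        List<String> macs = new ArrayList<>();
        for (NetworkInterface nic : Collections.list(NetworkInterface.getNetworkInterfaces())) {
            byte[] mac = nic.getHardwareAddress();      // null for loopback
            if (mac != null) macs.add(HexFormat.of().formatHex(mac));
        }
        Collections.sort(macs);
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(String.join(",", macs).getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }

    // Vendor side: the activation code is a signature over the customer's fingerprint.
    static String issue(PrivateKey vendorKey, String fp) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendorKey);
        s.update(fp.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Client side: ships only the public key, so it can check codes but not mint them.
    // This call is still the single branch a decompiler user would patch out.
    static boolean isActivated(PublicKey vendorPub, String fp, String code) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(vendorPub);
        s.update(fp.getBytes(StandardCharsets.UTF_8));
        try {
            return s.verify(Base64.getDecoder().decode(code));
        } catch (IllegalArgumentException | SignatureException e) {
            return false;                                // malformed or truncated code
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair vendor = g.generateKeyPair();            // constructed demo key pair
        String fp = fingerprint();
        String code = issue(vendor.getPrivate(), fp);
        System.out.println("this machine:  " + isActivated(vendor.getPublic(), fp, code));
        System.out.println("other machine: " + isActivated(vendor.getPublic(), "0".repeat(64), code));
    }
}
```

A code issued for one fingerprint fails verification for any other, and a copied activation file no longer transfers; changing the MAC address or patching the check defeats it, exactly as the answer says.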

Related

Desktop Program That Notifies When Web Cam Is Being Accessed

I'm trying to find a developer to write a desktop program that has a pretty basic function. It will notify users, via some dialog (or alert) that some program is about to access the web cam. It could be skype or facetime, or whatever it is, the program should be aware of when the OS's camera is going to be accessed and notify the user. Yes, even if the user is initiating the camera themselves via Skype, the notification would still appear.
My question is this. If I need this program written in Java, is it possible? Obviously I am trying to get it done in Java so it would run on Windows and Mac.
If it is not possible, then it seems as though I'd have to write 2 separate programs on Windows and Mac.
I've come here to get suggestions so that I can connect with the right developers. If you have any suggestions, I'd be happy to hear them. Thanks!
No, you can't write this in Java. Whatever approach you take will be very system-specific (and will probably require enhanced privileges). You could write a JNI library and a Java interface, but it'd probably be about the same amount of trouble to write programs to the native UI libraries.

Java code, Being Secure

I am creating a client program that talks to a server (which I programmed). I am making a little game for myself in which I roll a dice and the server does also. Whoever gets the higher numbers wins. However within my code, I send the server commands when the user presses a button, and then the server responds by sending back what it rolled, so it can be shown in the GUI window. However, I find this a very insecure method. For example, a person could just simply decompile the jar file, and make it so they always roll a 12. Since the only place that both rolls are together (the users and the servers) is the users screen, I have to evaluate the game from the client, obviously not very secure. I am trying to make my game more secure, and have found 2 options.
Obfuscators
Unless someone knows of a very easy one to use, I cannot figure out how to set any of them up, as they rarely come with a GUI that I can easily "pop" my .jar file into.
Binding to an .exe
I honestly don't know how secure this is. There are programs in which I can "bind" two things (mostly for making viruses which I am obviously not doing), into a single .exe file. I can bind my .jar into an .exe, but I still don't know if the .exe could be decompiled back into the .jar file and from there back into the .java code.
By the way, another security issue is that it connects to the server from my IP address (which I do not want the client user to know about).
Never trust client input.
The only truly "secure" method is to have the server generate both its own roll and a roll for the client.
Of course, if the outcome of the comparison of the rolls has no impact beyond what the user sees (in other words, the client does not report back who won), then really, who cares? I could patch Solitaire to let me always win, but that's no fun.
If the code is on someone's computer, you should consider it compromised and exploited already. In the race between crackers and developers, the crackers always win because the crackers have everything they need. Jars can be (easily) decompiled and deobfuscated, .exes can be picked apart, and at extreme levels the OS can be modified to go behind your back - literally.
Instead, you should reconsider your architecture: do you really need the client to roll the dice? Could the server roll both?
Both obfuscation and compiling to a ".exe" can be defeated relatively easily. Hackers / crackers, and anti-virus security experts do this kind of thing every day.
Basically, you cannot trust any application that is running on any machine that could be controlled by someone you don't trust. In practice, this means anything that isn't in your (locked and firewalled) server room.
(Aside: even systems based on TPM are potentially vulnerable, since there have been successful attacks on TPM chips. And that wouldn't be practical anyway, since TPM is not available for securing application-level code. AFAIK, it is not even used at the OS level ... though I've heard that the next version of Windows is going to require hardware that is TPM encumbered.)

Run a given program by user

In this question's answers someone can find many sites (like ideone) allowing a user to write and run programs online. I'm interested in making something similar (only for Java code though) and was wondering how this can be done.
A simple idea would be take user's given code, send it to server, compile it, run it and then send back the output to the user. But what if the user has malicious code like deleting my server files, etc.? If I wanted to create the same thing for the C programming language, I guess I could just get the assembly code of the C file, see what system calls are being used and decide whether the given code is malicious or not. Based on the previous idea, should I look in Java, the program's created bytecode? Is there any better/easier way to do it?
Don't reinvent the wheel, Java has the SecurityManager mechanism to restrict potentially malicious code.
Reference:
the Security Trail of the Java Tutorial
Permissions in the Java™ SE 6 Development Kit (JDK)
In addition to what Sean Patrick Floyd said in his answer, you could also sandbox the process itself on your Operating System as an added measure. Create a new user on your host (the machine that executes the code) and assign it very few permissions (only what's required to run the code). Run the process as that user.
That way regardless of the SecurityManager present, the spawned process won't be able to harm anything.
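Added example, not from either answer above: a Java launcher for the OS-level approach, running the submitted program in its own JVM under a separate account with a time limit, a memory limit, a scrubbed environment and capped output. It assumes a Linux host, a hypothetical low-privilege account named sandbox, a sudoers rule that lets the service run commands as that account without a password, coreutils timeout, and an already compiled class named Main in classDir. SecurityManager was deprecated for removal in Java 17 (JEP 411), so on current JDKs this process-level layer is the one that remains.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.concurrent.TimeUnit;

public class SandboxRunner {
    static final int MAX_OUTPUT = 64 * 1024;   // bytes of output kept (assumed limit)

    // Command line for one job. "sandbox" is a hypothetical account; timeout(1)
    // runs as that account, so it is allowed to kill the JVM it started.
    static List<String> command(Path classDir) {
        return List.of("sudo", "-n", "-u", "sandbox",
                "timeout", "-s", "KILL", "5",
                "java", "-Xmx64m", "-cp", classDir.toString(), "Main");
    }

    static String run(Path classDir) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(command(classDir));
        pb.environment().clear();                        // no inherited secrets
        pb.environment().put("PATH", "/usr/bin:/bin");
        pb.directory(Files.createTempDirectory("job").toFile()); // not the server's own directory
        pb.redirectErrorStream(true);                    // stderr joins stdout
        Process p = pb.start();
        p.getOutputStream().close();                     // child sees EOF on stdin
        byte[] buf = new byte[MAX_OUTPUT];
        int n = 0;
        try (InputStream in = p.getInputStream()) {
            int r;
            while (n < buf.length && (r = in.read(buf, n, buf.length - n)) > 0) n += r;
        }   // pipe closed here: output past the cap is never buffered by the server
        if (!p.waitFor(10, TimeUnit.SECONDS)) p.destroyForcibly();  // backstop
        return new String(buf, 0, n, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        System.out.print(run(Path.of(args[0])));         // args[0]: directory holding Main.class
    }
}
```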

Block java hotkeys, like alt+esc, control-alt-delete

I'm building a Java app, and I need to block hotkeys like Alt+Tab and Control+Alt+Delete, basically these. My application requires this because it is a control application. If the solution is not possible in Java, does anyone know another way to do this?
Thank you!
Edit1: I'm building a "computer manager" that requires a password. If the password is not typed or it's wrong, the user can't do anything on the computer.
It works like a default login screen view, but with many users. Got it?
Edit2: After the user types the password, he can use all (or some, like alt+tab :) of these hotkeys! Got it? [2]
Generally speaking you can't, because those keys are intercepted by the operating system before they get to Java.
Give us more info about the OS and environment you're in and we might be able to come up with workarounds.
I don't think there is an easy, programmatic way to do it.
Unless there is some hidden class inside JDK6, I would say that these combinations are handled by the OS (which catches keystrokes in any case before dispatching them to applications), so your OS will decide what to do with keystrokes before Java.
If something exists, then it's a hack unrelated with Java but more with registry or similar things :)
One of the whole points of CTRL-ALT-DELETE is that it specifically wants to prevent applications from overriding their functionality. If that were not the case then anybody could write an app that brought itself up when CTRL-ALT-DELETE was pressed and either made itself look like the 'change password' app or the screen saver. Either case would allow the app to steal passwords from people.

Installed Programs/Computer Info for Web Application

I'm currently developing a support system for a university. The system is written in PHP and I would like to be able to get a current list of software and basic computer information on a computer. Basically when one of the faculty or staff creates a ticket from our web interface, I would like to have a Java Applet or similar that could be run and would return the information to the help desk PHP script. Does something like this exist?
There are lots of programs that do this sort of thing. Googling for "CMDB" should give you a reasonable start -- a couple of them are open source, though others aren't even close to free (e.g., BMC Atrium).
To keep things closer to topical (i.e., programming related), one of the main frameworks for this sort of situation is called Web-Based Enterprise Management (WBEM). On Windows this is implemented as WMI. On Linux there are a couple of implementations including OpenWBEM and HP WBEM.
In Java? You'd probably have a hard time even finding, let alone making, an applet that can get that info without already having some software installed on the user's end. The biggest features of Java are (1) that it runs in a virtual machine (read: getting to the underlying OS/hardware is not something it likes to do), and (2) that in a browser, applets generally run in a "sandbox" that keeps the applet from doing anything remotely dangerous. Basically the most it can do is tie up resources.
Number 2 can be worked around by signing the applet, but that'll require you either buy a code signing certificate or install a self-signed certificate on any computer that'll run your app.
Number 1 might be worked around with some help from Runtime.exec and ...\wmic.exe, but that assumes the WMI stuff is installed -- which is rarely the case unless someone does a full install.
