Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
We provide per server licenses of our application to your clients. What is the best way of ensuring they're not copied to other servers? It's a JBoss server application. Are MAC address restrictions sufficient enough? A lot of applications restrict by MAC address, but I think it can be faked quite easily.
There are many issues with rolling your own license management software. If you lock to hardware, what happens when a server goes out and your customer wants to migrate to a new machine? Do you support hot standby? Do you support virtualization? Is it licensed per CPU or per instance? These are just a few sample questions that come into play; there are many, many more to consider.
Several years ago, I worked on a server system where we were required to implement license management and enforcement. We used FlexLM from Macrovision. It appears that it is now rolled into a new company and product suite as FlexNet. It was pricey but much better thought out for license management than a hand rolled solution, and, it can span pretty much any server licensing needs.
That said, I very much suggest that you do not approach license compliance in this way. Your customers are not likely to respond well to it, not because they want to cheat you on lincensing but because you are adding extra steps, however minor, to the use of the software that they are licensing. In my experience, much better solutions include simply trusting your customers to abide by the license agreement (as a jboss app I'm assuming you are dealing with corporate customers rather than a more easily "shared" consumer desktop app), include rights to audit via the license agreement, or setup the license so your customer can install at will and pay for licenses in use at specified periods. Your account managers should love having a touch point to ask about new licenses. In my experience with server software, when you make it easy for enterprise customers to expand use of your software, they tend to do so resulting in net positive sales.
Whichever way you go, good luck!
I believe that MAC address restrictions are not a very good idea. First a server may have more than one network card. Second - sometimes network cards fail, and need to be replaced - hence MAC address is changed.
A possibility is to collect some kind of hardware fingerprints of as many components as you can, and then use them to decide if this is the same machine or not. If you allow for some changes changing a single component will not stop the software, but changing 2 or 3 will require your client to contact you, to obtain new license.
Of course the ultimate protection is the so called dongle. There is a nice Software protection dongle article in Wikipedia.
All in all, there is no protection, which cannot be cracked. So whatever you choose, make sure that it does not harm your user, or you can loose more customers by virtue of bad protection mechanism than by unlicensed use.
With Licenses, if you want to crack it you can crack it ;)
That being said,
If you intend to use MAC address to ensure that only only copy of your software is used, be prepared for the following:
You need to support a single license on multiple MAC addresses, this is because customers will usually have multiple NICs and keep one of them active at a time.
You will need to have a super fast customer service. Say your customer plans to transfer this software from one machine to another, then he will ask you for a transfer of license to the new MAC address. If the software is a time critical one then this transfer should happen very fast.
Of course, you can combine solution 1 with Solution 2.
If the customers server, on which you install your software has access to internet, then the best option would be to have a online license renewal, where in your software will renew it's license with your license server. But cost is an issue here, considering all the infrastructure required.
Consider this discussion before decide on license schemes license-scheme
Also this how-are-software-license-keys-generated
And this consideration for License Management
Also JLicense is a simple library to use for simple license management.
Suggestion. Build in an automatic update of functional deficiencies (security patches/bug repairs/optimisations). And then do an ID & IP check.
You need to think about the following questions:
Would your customer breach the license agreement?
Is your customer skilled and could breach the protection?
If both answers are true, there is no chance to protect your software, except you will use a hardware component like a dongle.
If one answer is false, you could use this simple approach:
While installing your software generate an Install-Id on the customer machine using some secret algorythm and store it encrypted in an uncommon secret place on the machine and show it to the customer.
Request the Install-Id from customer and check whether it is really generated with your algorythm.
Generate a License-Key using a second secret algorythm and give it to the customer.
Validate in your software that the License-Key was generated using the Install-Id.
Since the hardware can be replaced you can not use parameters like MAC address, so you have to use something generic like an Install-Id.
The best way is to do this outside software, using the software agreement to place these restrictions. The customer can choose to follow the guidelines and be compliant or not. Chances are, if they're a public company, they're dealing w/ software audits and would rather just pay to be compliant than risk being sued.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I'm currently developing a commercial Java application, where I'm doing my best to protect it against cracking.
I have couple of thoughts that I wish someone a bit more experienced in the field could help me clearing them.
I'm protecting my software with a Server/Client License System.
Simple explanation of how the License works:
User purchase the software online, and get emailed with hist License Hash.
User download the software, and enters the License Hash provided in the email
Software checks online if the license is used before, if not, mark it as used and link the User's HardwareID to it in the database. Next time user login, the server checks his HWID to the provided License, if not valid kick the user out of the software.
After successfully authenticating, the software downloads and load variables from the server that the software cannot run without.
My software constantly checks the server for variables (step 4) and never loads them all at once.
Communication between Server/Client is made using a secured SSL REST API.
My software is Obfuscated/protected using Proguard.
Is this method good enough as a protection against cracking, if not could you provide some extra tips to make this method better ?
Thanks a lot.
The only 100% proof way against crack is to move the whole business logic to the cloud. If the application is running on the client's computer then it can be cracked. The only question is if your software is interesting enough that hackers will spend time with it.
It sounds like you already use an obfuscator, moved some of the data to the cloud and are obtaining it on-demand. I would say you are already protected against entry level hackers and some "IT specialists". I wouldn't spend more effort on it, if higher level "hackers" want to crack it, they will. No matter what encryption you use, the keys (and the used algorithm as well) will be in your application's memory, so those can be obtained.
Modern DRM tools work by stripping important parts of code (not just variables) from the released binaries, and obtaining them on demand from a server. They try to provide such code for the gaps that will only run on the machine of the specific customer (for example by compiling the code for every different processors on the market, making sure that the code won't run on other models), so collecting all the missing parts for every possible hardware is impractical (or at least takes a long time). But this is hard to achieve using Java.
One more thing you should consider: change the licensing algorithm with every release, and do frequent updates. This way real customers get the new features and bugfixes seamlessly, but people using cracked versions will either have to search for new cracks every time or stuck to the older versions. Eventually some of them may decide to buy the software just to avoid inconvenience.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
I have five applications residing on servers. Some of these applications are socket (C/C++) based, others are web based (Java, PHP). I need to give licenses to these applications on the basis of the number of users that can access, the type of functionalities and type of users. What kind of business model should I use? I have a few in mind:
Create a java webservice that will be mounted on a license data, and
all the servers will communicate with it when a user logs in any of
the above applications.
Do a socket based server.
Mount a lisence file on each server and make each one communicate
with its file individually and act as the license rules.
If you have other solutions please shoot.
Regards.
Solution #1 is probably the most elegant solution, as it centralizes all the licensing logic. Any changes can be done in one place. The main drawbacks to a licensing server (as compared to a local license file like #3) are performance and reliance on the availability of the licensing server. If the licensing server goes down, what do you want your applications to do? Block all access? Temporarily allow all access?
I've been there and done that. I'd like to offer some leading questions on each approach.
A key piece of information is why are you trying to prevent unlicensed users from using your software? Is this an application open to the general public? Is this to protect/support sales and contractual obligations? Are your users friendly (might accidentally add new users) or hostile (will intentionally add users they don't have licenses for)?
Do your customers have access to your softwares configuration? To the hardware it runs on?
Create a java webservice that will be mounted on a license data, and
all the servers will communicate with it when a user logs in any of
the above applications.
What happens if the license server is down or slow? Does this prevent logins? Will calling out to the license server on each login slow down the login enough to annoy the users?
Who will maintain this service? Who will add/update licenses?
How will you secure the communication with the license server?
Do a socket based server.
This is the same overall approach as the first option. You should think of this in terms of "I have a remote license server". The protocols and techniques used to communicate with that server are important, but not as important as the overall design.
Mount a lisence file on each server and make each one communicate with
its file individually and act as the license rules.
How will you generate and distribute these license files? Will you/your support team do it or the customer?
How will you secure the license files? A license file with a number in it will do, but is hardly adequate to really enforce licensing restrictions. A signed file is a step better. A cryptographically secured file is best, but may be overkill.
How do I stop someone from copying and duplicating the application i am making in java ? I am using mysql as back-end for my application and the platform is Linux. Is there a way to provide this security ?
EDIT :
Is there a way like in windows where some applications even if we copy the folder and past it into other system it wont work. I don't know how they are doing it. Is there any similar thing that I can do here ?
Alright, here is an alternate answer to my comment.
Don't sell software, sell support.
Implement a simple licensing system tied to an email address.
Only provide support for users with registered email addresses.
For tips on creating that, see Software Licensing System at the OTN. The solutions shown there are crackable, but not by the casual end user.
There is really nothing you can do to stop piracy, as a user must be able to run code on their computer. Some companies have used hardware tokens, but this is expensive for a small developer.
A small step would be to only deliver the class files, and possibly run them through an obfuscator.
Here in an example obfuscater.
http://proguard.sourceforge.net/
Here is a good page on securing java code.
http://www.cs.arizona.edu/~collberg/Research/Students/DouglasLow/obfuscation.html
Is your project open source? If so, then you'll want to use the appropriate licensing. If not, read up on EULAs and consult a lawyer.
There is no way we can prevent users to copy the way you have mentioned.
This is the biggest challenge that all the medium sized product based companies are facing and they are spending quite a lot of time on preventing this.
I aggree with #Milhous & #Andrew Thompson replies
There are several commercial Java licensing systems that do exactly what you need (but you should dig into the details as not all of them are actually multiplatform Java, but have just wrapped a C library).
The standard technique for preventing simple replication of an application on other machines is node-locking, where the application checks at runtime that certain system parameters match the encrypted values on its license. The MAC address is commonly used, but this is not a good choice as it can be set by admins on many systems. I'd recommend using a combination of parameters, such as login name, host name, installation directory and so forth.
The licensing process can be manual for low-volume sales, or automated for higher volume licensing. In the automated approach the license is automatically locked to its host during product activation, transparently to the user. As well as being simple and familiar for the user, modern [product activation][2] systems can both meet your goal of preventing copying, and allowing users to relocate their license to another machine if they wish (whether or not their systems have an Internet connection.
I'm in the middle of trying this myself, but maybe you can configure your program to get the mac address of the computer (that you want it to run on) on first-run. Then have it save it to the registry. Then, in your main method have it get your mac address and match it against that of the registry. (The registry tends to put forward slashes where there are spaces but removing the slashes should get you a match).
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I want to sell my Java application using PayPal. When a payment is received, the customer is mailed a one-time download link to my application.
My question is, how do I prevent people from sending the .jar file to their friends/uploading it on the internet?
Obviously I need some kind of check in the application which only allows it to run on one computer. And that's another problem, I don't want a customer to have limitations on one computer, they should be able to run it at home and work etc.
Maybe some kind of cd-key would do the trick? Is there any cd-key resources for Java out there? Or should i build my own algorithm? Here comes yet another problem, reverse engineering..
Please help me solve this :)
The most common way to handle this is: customer gives you money, you generate a unique unlock key and provide that to the customer. The key should be a valid unlock key, and it should encode identification information about the user. Customer uses that key to install on as many of their computers as they like, or is allowed by the license.
Don't worry about reverse-engineering. Your product, if it's at all popular, will be pirated - you'll find unlock keys online if you look hard enough. If you like, you can take that as a compliment - someone liked your software enough to steal it. Cold comfort, I know, but the alternative is to get in an arms race with the pirates, and you won't win that. In the end, a few percent of the population will steal software, and you can't do much about that. You can use the key's identification information, if your scheme is strong enough, to trace who released the key in the first place.
Actually there are a number of license management solutions that can help, but the REAL problem is that all of they can be cracked. I've personally tried the most expensive to the cheapest. Finally I rolled my own, and I check the software's pc details (mac id, etc.) against the recorded details in my server every time the software is run. Because my software is tightly tied to the Internet, it is okay, but I am sure it will be cracked one of these days.
What you probably need is to police the Internet regularly, and find where your software is being pirated, contrary to the popular belief you can actually stop them in most cases. Just serve a DMCA to the downloading website (most of them will comply), and you will be able to get your software removed in about 80% of the cases. I've done and experienced it on my software. Some people do not remove, but I've found that in the 1.5 years I've been doing this, my sales have improved.
I also use a service -- http://spotpiracy.com which helps me find these links apart from my own manual research (i have a guy dedicated to this). :)
Everyone has their own opinion on this subject so expect lots of different advice. Here's my take on it:
1. Obfuscate your code (proguard is recommended)
2. Offer a FREE version with full capabilities for a trial period
3. Use a serial number routine based on the registering users email or other unique info
Overall you will have to accept a certain amount of piracy, but if your application is worthy people will pay for it. Honest people will be honest and copy protection will not make dishonest people honest.
In my opinion, if you don't know exactly how you will protect your source code efficiently, then don't start trying to hash something together yourself based on hardware. It will be too easy to break, and most likely just annoy your customers.
I would sugest you have a look at how Atlassian does this. They happen to sell Java software, and apparently do quite well. http://www.atlassian.com/ Try downloading e.g. JIRA and play with an installation. This will give you a good idea of how their licensing scheme works, and what users can reasonably expect from professional software.
You must implement licensing capabilities.
Here is one interesting resource as a starter: http://members.chello.at/stefan-schneider/JavaLicenseKit.html
In my old c++ days i get in arms to front the piracy using MAC Address code protection, very nice and really no body stole my software uppone the mac address protection because i always force the OS to re-read the real mac avoiding mac overrides. That was on C++ coding having direct access to local resources.
thats not the case today, nither in java applications in which the code is located in .class files that can always being decoded back to the original source code (yes it is possible, and very easy to find tools to do so).
i think, as resume, it is impossible to protect java programs agains piracy. i find no way like the old golden c++ days :)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I have written a Desktop based accounting software in Java. I want to put a key or licence or other kind of security to prevent redistribution of the software by the client.
I just want to know how to go about it?
The short answer: DRM doesn't stop piracy. It only hurts your paying customers. It doesn't really matter what you do.
The best you can do is set up a simple product-key system, all that really does is makes your application not able to be copied quickly with no work, it doesn't really harm your paying customers but don't expect it to stop anyone who's determined not to pay for your software.
The best thing you can do is make your software good. This gives people incentive to actually purchase it. Also a fair pricing plan helps (There's a reason Adobe / Microsoft software are highly pirated).
First, lets leave alone the commercial/GPL war out of SO and actually answer the OP's question...
I work for a company selling protected Java software. Our software is good. It actually rocks and completely owns the competition's offerings. If users aren't happy with our protection scheme, they can go use the inferior products our competitors are making.
The thing is: we're moving to a more and more networked world. Our software mandates an Internet connection for some functionalities to work correctly (the software will launch without an Internet connection, but not everything will work correctly).
A correctly designed server/client protection scheme, where sufficiently enough processing happens on the server side, cannot be pirated. At one point, it becomes easier to rewrite the software than to try to reproduce what's happening on the server side.
You can think of it this way: nobody ever succeeded playing on the real "World of Warcraft" servers with a pirated or keygen'ed licence (there have been fake servers but that would be missing the point: people playing on rogue servers are not playing in the real economy, which is a massive fail).
Or this way: nobody has pirated GMail. GMail definitely rocks: it's probably the app I use the most (after my IDE). Sure, it's free... But nobody can clone it: nearly everything is happening on the server side.
It is very common in some software circles to have restrictive copy protection in place: it was hardware dongles back in the days now it's mostly server/client scheme. For example there are a lot of very good and very expensive software thare are using the "Flex license manager", including expensive C++ compiler that beat the crap out of anything free (or cheap), which some companies are very happy to shell out big $$$ for and very happy to have the ability to buy such a software (and they don't mind needing an internet connection for the license verification).
So, to answer your question:
I want to put a key or licence or
other kind of security to prevent
redistribution of software by the
client. I just want to know how to go
about it?
Go about it by puttin a client/server key verification in place. Ideally, make part of the computation your desktop software is doing happen on the server side: that gives headaches to wannabe pirates (they either have to pirate your server or to reproduce what the server does, there's simply no other way around it).
Here's a +7 upvotes answer I made to a similar question which gives more detail:
Making commercial Java software (DRM)
For online software, you can request the email address and first and last name from the buyer. You can apply an algorithm on those values to turn them into a large number. You prompt the user to enter the number, and if the calculated number matches what was entered by the user, you store the number and enable the software.
I use Plimus, which is a service that delivers my software and bills the customers for me. I store the key generator on their server, which generates the serial number based on the information from the customer's online order.
For shrink wrapped (off-the-shelf) software, you could still do this, but you'll need some type of online activation mode that basically forces the user to register when they first run it. This allows you to collect the email address and name and send them their serial number. Users typically don't like this. What if your server is down? However, they'll be willing to do it if your software is good enough and you provide decent support to help them with problems registering.
For off the shelf software, typically, some algorithm is used to generate a series of large numbers, each of which matches some algorithm and enables the software. One serial number is packaged with each copy of the software.
In my opinion, the most difficult issue is providing the user the ability to try the software out. You could offer refunds, but you'll need a way to revoke the software. You could have a trial version, but trial software is even harder because you don't want to let them keep using the trial version. It's simpler to create a free (forever) limited version, and the pay version has additional features.
Use of java is tempting to many as it is rapid and does not demand geeklike skills to code. But i dont think you can DRM your apps successfully made in Java. To recover from this mistake start coding with C/C++ from now on.