Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I want to sell my Java application using PayPal. When a payment is received, the customer is mailed a one-time download link to my application.
My question is, how do I prevent people from sending the .jar file to their friends/uploading it on the internet?
Obviously I need some kind of check in the application which only allows it to run on one computer. And that's another problem, I don't want a customer to have limitations on one computer, they should be able to run it at home and work etc.
Maybe some kind of cd-key would do the trick? Is there any cd-key resources for Java out there? Or should i build my own algorithm? Here comes yet another problem, reverse engineering..
Please help me solve this :)
The most common way to handle this is: customer gives you money, you generate a unique unlock key and provide that to the customer. The key should be a valid unlock key, and it should encode identification information about the user. Customer uses that key to install on as many of their computers as they like, or is allowed by the license.
Don't worry about reverse-engineering. Your product, if it's at all popular, will be pirated - you'll find unlock keys online if you look hard enough. If you like, you can take that as a compliment - someone liked your software enough to steal it. Cold comfort, I know, but the alternative is to get in an arms race with the pirates, and you won't win that. In the end, a few percent of the population will steal software, and you can't do much about that. You can use the key's identification information, if your scheme is strong enough, to trace who released the key in the first place.
Actually there are a number of license management solutions that can help, but the REAL problem is that all of they can be cracked. I've personally tried the most expensive to the cheapest. Finally I rolled my own, and I check the software's pc details (mac id, etc.) against the recorded details in my server every time the software is run. Because my software is tightly tied to the Internet, it is okay, but I am sure it will be cracked one of these days.
What you probably need is to police the Internet regularly, and find where your software is being pirated, contrary to the popular belief you can actually stop them in most cases. Just serve a DMCA to the downloading website (most of them will comply), and you will be able to get your software removed in about 80% of the cases. I've done and experienced it on my software. Some people do not remove, but I've found that in the 1.5 years I've been doing this, my sales have improved.
I also use a service -- http://spotpiracy.com which helps me find these links apart from my own manual research (i have a guy dedicated to this). :)
Everyone has their own opinion on this subject so expect lots of different advice. Here's my take on it:
1. Obfuscate your code (proguard is recommended)
2. Offer a FREE version with full capabilities for a trial period
3. Use a serial number routine based on the registering users email or other unique info
Overall you will have to accept a certain amount of piracy, but if your application is worthy people will pay for it. Honest people will be honest and copy protection will not make dishonest people honest.
In my opinion, if you don't know exactly how you will protect your source code efficiently, then don't start trying to hash something together yourself based on hardware. It will be too easy to break, and most likely just annoy your customers.
I would sugest you have a look at how Atlassian does this. They happen to sell Java software, and apparently do quite well. http://www.atlassian.com/ Try downloading e.g. JIRA and play with an installation. This will give you a good idea of how their licensing scheme works, and what users can reasonably expect from professional software.
You must implement licensing capabilities.
Here is one interesting resource as a starter: http://members.chello.at/stefan-schneider/JavaLicenseKit.html
In my old c++ days i get in arms to front the piracy using MAC Address code protection, very nice and really no body stole my software uppone the mac address protection because i always force the OS to re-read the real mac avoiding mac overrides. That was on C++ coding having direct access to local resources.
thats not the case today, nither in java applications in which the code is located in .class files that can always being decoded back to the original source code (yes it is possible, and very easy to find tools to do so).
i think, as resume, it is impossible to protect java programs agains piracy. i find no way like the old golden c++ days :)
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I'm currently developing a commercial Java application, where I'm doing my best to protect it against cracking.
I have couple of thoughts that I wish someone a bit more experienced in the field could help me clearing them.
I'm protecting my software with a Server/Client License System.
Simple explanation of how the License works:
User purchase the software online, and get emailed with hist License Hash.
User download the software, and enters the License Hash provided in the email
Software checks online if the license is used before, if not, mark it as used and link the User's HardwareID to it in the database. Next time user login, the server checks his HWID to the provided License, if not valid kick the user out of the software.
After successfully authenticating, the software downloads and load variables from the server that the software cannot run without.
My software constantly checks the server for variables (step 4) and never loads them all at once.
Communication between Server/Client is made using a secured SSL REST API.
My software is Obfuscated/protected using Proguard.
Is this method good enough as a protection against cracking, if not could you provide some extra tips to make this method better ?
Thanks a lot.
The only 100% proof way against crack is to move the whole business logic to the cloud. If the application is running on the client's computer then it can be cracked. The only question is if your software is interesting enough that hackers will spend time with it.
It sounds like you already use an obfuscator, moved some of the data to the cloud and are obtaining it on-demand. I would say you are already protected against entry level hackers and some "IT specialists". I wouldn't spend more effort on it, if higher level "hackers" want to crack it, they will. No matter what encryption you use, the keys (and the used algorithm as well) will be in your application's memory, so those can be obtained.
Modern DRM tools work by stripping important parts of code (not just variables) from the released binaries, and obtaining them on demand from a server. They try to provide such code for the gaps that will only run on the machine of the specific customer (for example by compiling the code for every different processors on the market, making sure that the code won't run on other models), so collecting all the missing parts for every possible hardware is impractical (or at least takes a long time). But this is hard to achieve using Java.
One more thing you should consider: change the licensing algorithm with every release, and do frequent updates. This way real customers get the new features and bugfixes seamlessly, but people using cracked versions will either have to search for new cracks every time or stuck to the older versions. Eventually some of them may decide to buy the software just to avoid inconvenience.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I have written a Desktop based accounting software in Java. I want to put a key or licence or other kind of security to prevent redistribution of the software by the client.
I just want to know how to go about it?
The short answer: DRM doesn't stop piracy. It only hurts your paying customers. It doesn't really matter what you do.
The best you can do is set up a simple product-key system, all that really does is makes your application not able to be copied quickly with no work, it doesn't really harm your paying customers but don't expect it to stop anyone who's determined not to pay for your software.
The best thing you can do is make your software good. This gives people incentive to actually purchase it. Also a fair pricing plan helps (There's a reason Adobe / Microsoft software are highly pirated).
First, lets leave alone the commercial/GPL war out of SO and actually answer the OP's question...
I work for a company selling protected Java software. Our software is good. It actually rocks and completely owns the competition's offerings. If users aren't happy with our protection scheme, they can go use the inferior products our competitors are making.
The thing is: we're moving to a more and more networked world. Our software mandates an Internet connection for some functionalities to work correctly (the software will launch without an Internet connection, but not everything will work correctly).
A correctly designed server/client protection scheme, where sufficiently enough processing happens on the server side, cannot be pirated. At one point, it becomes easier to rewrite the software than to try to reproduce what's happening on the server side.
You can think of it this way: nobody ever succeeded playing on the real "World of Warcraft" servers with a pirated or keygen'ed licence (there have been fake servers but that would be missing the point: people playing on rogue servers are not playing in the real economy, which is a massive fail).
Or this way: nobody has pirated GMail. GMail definitely rocks: it's probably the app I use the most (after my IDE). Sure, it's free... But nobody can clone it: nearly everything is happening on the server side.
It is very common in some software circles to have restrictive copy protection in place: it was hardware dongles back in the days now it's mostly server/client scheme. For example there are a lot of very good and very expensive software thare are using the "Flex license manager", including expensive C++ compiler that beat the crap out of anything free (or cheap), which some companies are very happy to shell out big $$$ for and very happy to have the ability to buy such a software (and they don't mind needing an internet connection for the license verification).
So, to answer your question:
I want to put a key or licence or
other kind of security to prevent
redistribution of software by the
client. I just want to know how to go
about it?
Go about it by puttin a client/server key verification in place. Ideally, make part of the computation your desktop software is doing happen on the server side: that gives headaches to wannabe pirates (they either have to pirate your server or to reproduce what the server does, there's simply no other way around it).
Here's a +7 upvotes answer I made to a similar question which gives more detail:
Making commercial Java software (DRM)
For online software, you can request the email address and first and last name from the buyer. You can apply an algorithm on those values to turn them into a large number. You prompt the user to enter the number, and if the calculated number matches what was entered by the user, you store the number and enable the software.
I use Plimus, which is a service that delivers my software and bills the customers for me. I store the key generator on their server, which generates the serial number based on the information from the customer's online order.
For shrink wrapped (off-the-shelf) software, you could still do this, but you'll need some type of online activation mode that basically forces the user to register when they first run it. This allows you to collect the email address and name and send them their serial number. Users typically don't like this. What if your server is down? However, they'll be willing to do it if your software is good enough and you provide decent support to help them with problems registering.
For off the shelf software, typically, some algorithm is used to generate a series of large numbers, each of which matches some algorithm and enables the software. One serial number is packaged with each copy of the software.
In my opinion, the most difficult issue is providing the user the ability to try the software out. You could offer refunds, but you'll need a way to revoke the software. You could have a trial version, but trial software is even harder because you don't want to let them keep using the trial version. It's simpler to create a free (forever) limited version, and the pay version has additional features.
Use of java is tempting to many as it is rapid and does not demand geeklike skills to code. But i dont think you can DRM your apps successfully made in Java. To recover from this mistake start coding with C/C++ from now on.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
Is it worth to obfuscate java web application? and why?
No. The code is stored on the server where external users (hopefully) don't have access to it. You may want to obfuscate the JavaScript if you feel it's worth the (minimal) IP protection.
The best thing is so make sure your server security is up to scratch and you don't have open access to your application directories (which shouldn't happen anyway).
IMO, no.
There are two main use-cases for obfuscation:
to protect access control "secrets" (e.g. passwords) embedded in the code, and
to protect against someone stealing your "intellectual property".
The problem is that obfuscation only foils half-hearted attempts at reverse engineering. A serious attempt will always succeed. It is really not that hard to decompile an obfuscated JAR file, and there are lots of tools around for doing it.
For the use-cases above, better alternatives to obfuscation are:
just don't embed secrets in the code, and
one or both of the following:
secure your webservers so that hackers cannot get at the code, and
don't ship the code that you consider to be valuable IP, or if you do, then only ship code to people who have signed a legally binding contract / license agreement that guards your IP rights.
The only scenario where you would obfuscate a java web application is if you gave the code to your customers to run on their servers. Otherwise, it is just a waste of time and an extra complexity.
Obfuscation is for the purpose of making it harder for someone to decompile your byte code and get useful code out of it. To do this, they have to have access to your class files, something that only exists when you deliver them to your customers, not when they access it remotely.
I would add that you should have a good justification, because obfuscation will make debugging harder.
You might find the answers to Do you obfuscate your commercial Java code? relevant.
Is it worth to obfuscate java web application?
It depends
and why?
If you're licensing your web-app to be installed on your customer's site and you don't want your customer to reuse your code by decompiling it*, then it is.
If you're serving your web-app and the installation is available only from you, I would say it is not worth it. Better would be to increase your net security.
* see Stephen C comment
Absolutely yes.
If your development process is correct, only binaries and some support files (markup and stylesheets, for instance) need to be on the server. There's no good reason to not obfuscate binaries in any production environment.
Others here have said that doing so creates problems for staff. The only people that should be aware of or concerned about the contents of your binaries are developers - and they have the source, so they shouldn't be concerned about poking around compiled objects.
The only reason I can see that anyone that doesn't have access to the source would be interested in the contents of binary would be reverse engineering - and no one on your staff should have any interest in reverse engineering your own product, unless they don't have access to the source. That means they either aren't cleared for that code, or you've lost it, which means your source control system either sucks or is missing entirely. That is a completely different conversation.
I've yet to hear any practical examples of server-side obfuscation causing development or administrative difficulties.
Is it a good idea to obfuscate your server side code? I'd give an unqualified YES.
The reality is that the end user is only one group which might have nefarious plans. All too often internal employees, whether they are business users, support staff, etc, might also have their own plans.. or made unwitting accomplices.
If you deal with ANY information which requires a password to access, then you have a duty to leverage every tool at your disposal in order to safeguard that information.
This includes protecting it against both external and internal people. Companies lose both data and intellectual property all of the time due to internal people with too much access. Whether those people purposely stole the information or simply lost control of their computers due to hacker attacks is immaterial.
So, again, yes one step is to obfuscate in the hopes of whoever acquires the binaries has a harder time in figuring out how your application works. Of course, you should go a lot further by securing the servers it lives on; and not just production, but all the way back to source control.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
I would like to say upfront that i am not a programmer. I'm 1 of 3 partners in a small start up. Two of us have a business and sales background, whilst the third guy is a very experienced Java Programmer/engineer (and a good friend).
As with most start ups we believe we'll be the next big website. We have found a opportunity that the "Long Tail" really describes well. By this i mean a product range that isn't currently being tapped into online. As with Amazon, our model is about offering every available product within the niche. Through the availability of everything outside the fast selling products, we hope to become best website for the niche.
We have placed a lot of focus on building the business/technology system that allows us to build our inventory information very quickly. This was because we knew that the size of our inventory would make or break our usefulness to end users.
So now i come to the problem that prompted me to seek your help.... (please help)... :)
In my (non-technical business) mind, we now have the ability to build our inventory quickly. This is just the start though, as a business we also need the following solutions before making money:
A shopping cart application to
allow buyers to search our inventory,
communicate with our business and
make orders etc.
A CRM application would then
allow the effective management
of customers and orders.
I found my way to Magento and SugarCRM both of which appear to be very impressive. The idea being to use Magento for the buyers (search,buy,interact etc) and Sugar for our staff (order processing, customer service etc).
In my mind the long term rewards of being able to update these core applications from the communities, would far outweigh the steep learning curve. Not to mention the time/money that would be required to even attempt to catch up with what already is stable and tested....
My friend and business partner is unwilling to consider anything in PHP and to a large degree opensource. He's of the belief it would be best to start from scratch.
From a language agnostic business person (non-programmer) - any opinions or advise on our situation would be much appreciated...
I'm keen to find a way of us unlocking horns, either way... I just struggle to see any strong value in Re-inventing the wheel....
Thanks in advance,
Guy
Thanks for the replies so far and the link, i'll go there in a minute. Here's some answers:
Our stock is currently held across 30+ different branches. Which means that we'd need a way for each branch to sign in and manage their own customers.
From our operational point of view, these seem to be the key challenges outside standard :
1) Our business has regions and each region has branches. In order for us to focus the various management levels of the business, it would be ideal if each management level could see the business relevant to them. For example National manager (can see everything), Regional manager (can see all branches in his region), Branch manager (can see everything for his branch with certain admin rights) and Customer service (can see everything in their branch with minimal rights). This is the only way we can have one umbrella site, which can be serviced by staff in branches nationally.
2) Over and above managing orders, it also makes sense that the messages are managed centrally through the application. This way any member of staff can easily see the past history with the customer and assist. I'm thinking that the questions would almost always come in through "Ask a question about this product" link, so incoming messages could be routed to the branch who has the part. If it's aftersales, then the branch who sold it. For general questions through contact us, we'll allocate a member of staff at head office.
3) I think it would be appropriate to show buyers upfront on the product page which branch has the part and the branch information.
4) Total inventory size is currently over 300,000 products. The business plan is to rapidly increase this to 10 times that figure.
5) The products are spare parts. Therefore the buyer would need to search by the orignal product that the parts fits... Each part can often be used on various products.
The answer to this is very difficult, largely due to the fact that not all of your requirements are present. What size is your business going to be? Do you plan on expanding quickly? Do you have specialized requirements? What are those requirements? Answers to questions such as these need to be hashed out.
Now, I need to make a few quick points. There can be a tendency for developers to choose a technology they are comfortable with while disregarding the better choice. There is also a tendency for developers to also want to develope from scratch. This said, if your developer is truelly experienced he will have a good idea of what to use, what to resuse, and what to develope from scratch. You should also take note that this is not an all or nothing sort of situation, and you can blend opensource and homebrew.
My suggestion to you: If you are none technical and your startup is just a few people, this means your one Technologist is essentially your Chief Technology Officer. You need to allow him freedom of choosing technologies and developing his technical plans. This doesn't mean you can't be part of the planning process, but picking specfic technologies is in the realm of his expertise, and you should give him room to move. There could be very good reasons for not using PHP. If you can't trust your CTO to make these decisions you need a new CTO. Edit: --Or you need to start trusting him.
Is your friend experienced at all with running a business?
If not, he may not realize the basic truth:
If something is your core competence, strategically, do it in-house. E.g. you posess the staff who can do it better AND cheaper (however you mesh the two) than competing solutions. E.g. if your friend has extensive experience developing such types of software, or has a working prototype already that fits your needs, or is Jon Skeet and can develop a CRM application fully born from his head between lunch and dinner.
If something is your marginal advantage, do it in-house. E.g. if your friend has ideas on features that would give you a leg up on competition AND can not be easily replicated by competitors. If he merely has a brilliant new widget for a web site that any half-competent developer can clone in 3 weeks, it's not worth it.
Otherwise, do NOT do it in-house. You will waste your businesses' resources on something that gives you no advantage over competitors.
This is not related, in any way shape or form, to PHP and open source.
If you can't develop a qualitatively better solution that will strategically (long term) outperform the opensource solution your competitors use, your software will be a marginal cost to the business, not marginal benefit.
Sadly, the only one who can answer the last question is the technical guy, and he may be, like all techies, biased towards homegrown stuff. So as someone in the other response said, you need to trust his judgement or get someone whose judgement you trust, friend or not.
Nut be sure the question he is answering is the right question -- the one in bold 2 paragraphs above
Hope this clarifies somewhat.
Is there anything about your business model that custom technology is a strategic advantage or core competency? Is there anything special about the products you are selling that require the web site to be any different than any of hundreds of different types of existing online ecommerce sites?
You haven't yet shown anything which would lead me to believe you need custom programming for anything.
This might not go down well with your Java programmer friend, but until you show some kind of differentiating need, wouldn't commercial-off-the-shelf (even hosted) systems meet your needs?
This kind of question might be better off at http://answers.onstartups.com/
After reading your further specifications - they are fairly complex but not that far outside other businesses, I think you need to do a thorough evaluation of the COTS products out there with your technologist with a completely open mind.
The "wheel" you're talking about isn't round. It's as lumpy and pointy and oddly shaped as your business requirements are. If your business requirements are the same as those of other Magento and Sugar CRM users, and will be for the next five years, then they may be great products for you. Then you just need to figure out how to fire your friend, who will not be the best person to maintain those applications.
Or you may need heavy customization, need or anticipate special features not already found in those applications, or want to continue working with your friend. If so, then perhaps you should defer to to your expert friend on technical, programming related decisions, while he leaves sales and financing decisions up to you.
I think some of the answers here are made under the assumption that open source development cannot be branched, it can. You can branch development from Magento, and add new concepts & modules specific to your business. Magneto in fact already has a system in place for doing this. Magento's weakest point is it is not well documented (but is your homebrew system really going to be documented better???)
Regarding #5 the spare parts search - shameless plug - part search extension for magento
Being able to understand, maintain, develop and have control over own technology is very much a business requirement and a very important one. And here you have to trust and respect the opinion of the most technologically experienced member of your team. Either this or look for a new partner.
It sounds as if you have a very ambitious business plan and you’ll need more than 3 persons to put it into life, perhaps you could hire some PHP or Java gurus? Sanitizing 300K+ product descriptions and entering them into the system is going to be a challenge on its own, in addition to setting up the system, failover, testing, customisation (even if you started off with a OSS product) etc.
Are you sure you’ve really got the necessary resource to go that big that quick and still achieve a service of satisfactory quality? Would your business plan still work at a much slower pace or does it rely on the ability to set up a massive operation very early to grab the land?
Another person who understands technology well on the board level could have been beneficial, since your friend needs to cover a lot of ground to set up all the systems necessary for trading and possibly could make use of some help.
Answering your question: PHP and Java are two different universes, and imposing a requirement of learning PHP on your friend will just make the enterprise even more technologically risky. And since your friend doesn't seem to be comfortable with the idea will simply not work.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
What is the best way to implement license enforcement in a Java application, so that the application cannot be "distributed" and used without the user purchasing the license?
Take a look at truelicense which is an open source framework for doing just that. If you want to make your own there is some documentation that explains the concepts and you can probably get some good ideas by looking at the code as well.
EDIT:
worth mentioning that it is not a copy-protection scheme
I suggest you don't even attempt to add copy protection. You will just annoy people. You are much more likely to get sales if people like your product. Being petty and treating customers like thieves is not going to help. (Unless the product really sucks, and you have to prevent people from being able to try it before they buy.)
You might want to send a license key the sole purpose of which is to satisfy users that want to receive something for their money. Just add a status somewhere to show whether it has been paid for. The status needs to be reasonably obvious so that it is clear that something has happened (a product I worked on along time ago came on floppy two discs - half of the support calls were because the installer didn't ask for the second [win32s] disc).
There isn't a licensing scheme that I am aware of that is not easily breakable. I will not go into specifics, but as an example, in the Java case if it is done in Java then it can be decompiled (as can C++ or any compiled language, but Java is easier than C++ for instance). If it is done natively then you need native methods, and the DLL/so could be replaced with one that allows access.
For the C/C++ example I know someone who decompiled the CL (Microsoft compiler) to figure out how they do name mangling. All they had was the binary, and they were able to do it with a disassembler and a lot of time.
Don't bother with this type of thing, it annoys honest users and moderately slows down those that want to copy it. Take a look at World of Goo (great game!) and their take on DRM (which is a similar idea to what you are talking about).
The developers of World of Goo found that their product was pirated 90% of the time (they explain how that number could be inaccurate), contrast that to another game that shipped with DRM and was pirated 92% of the time.
If you are talking about legitimate businesses then they want to be in license compliance usually, so ensuring that they are not copying is a waste. If you are talking about people who would not buy the product to begin with, or just don't want to pay for it, you are not really going to alter the number of people that get your software illegally, you will only slow down the first person who gets it - after that the cat is out of the bag.
Personally I think IntelliJ gets it right: fully-featured version for 30 days. You shouldn't be any more restrictive than that.
The "fully featured" part is important. If your unregistered version is so crippled as to be useless, how do you expect people to decide to buy it? They have to try features before they decide they like them and want them but the notion some vendors have that people will buy something on the promise of features they haven't been able to try is ludicrous.
Oracle is at the most liberal end of the spectrum. You can basically download a fully-featured version of their software and just use it. They treat licensing as a social problem and there's a lot of merit to that argument.
You should never nag or otherwise annoy your potential customers (beyond possibly expiring the software after a predetermined period). The most notice you should give is "X expires in N days" on say a splash screen or something.
The other thing you can and should do is provide a low barrier to entry for your software.
Provide a cheap (if not free) academic or personal version. Marketing is also a good idea. By this I mean take IntelliJ: it's offered free to approved open source projects.
As for the technical aspects of enforcement: don't be too concerned about the technical aspects. Never choose any scheme that annoys your users or, worse yet, slows down your software (as some schemes do) or (even worse) violates the security of the user's operating system (eg like the Sony rootkit fiasco). Your enforcement is not meant to be hack-proof. If people want to steal your software they will. The enforcement system is there as a gentle reminder (and nothing more) for a social not a technical problem.
After reading oracle's BCL(which affirmed commercial freedom). I then had a conversation with an oracle representative who said JavaSE is free for commercial use!.