As this is my first time working on a solo Java project that would generate income from direct sales (meaning I would sell the product instead of a third-party platform), I was curious about the following: how does a developer make a product that the client who purchases it cannot simply pass on to other potential clients?
I realize that there are always ways to bypass any sort of security that a developer can put into their project; however, seeing that my product will be run locally (.exe or jar file), there is no way for me to monitor what my client is doing after I sell the product. Is there a way to put up some sort of "illusionary wall" that someone without more advanced knowledge cannot bypass?
Any tips, suggestions or references are greatly appreciated.
CodePudding user response:
All the software I bought for my PC has to be registered once with a license key via the internet or has a USB licenser. So maybe these are some ideas for you. The disadvantages: running a server for product registration or sending a USB licenser to the customer. But I'm interested if there are any other solutions.
CodePudding user response:
I have a server. Some actions within some of my apps will call to the server with some status info. So I know who uses my software. This is plainly stated in the contracts, so no secret stuff.
If I want to limit my software, I do the following:
- when my app starts, it collects some system infos and hashes/CRCs them
- if there's a matching file, whose contents match the system infos hash, I unlock the app
- if there's no such file, or the hash inside it does not match (different system, manipulated, etc) I will (re-)register
- registering is either done
  - by showing the client the hash, forcing him to call/email me, or
  - the app connects to my server, checks registration infos, shows the page, and then forces user to pay, or unlocks, depending on some other infos I gathered.
- on the server side (or manually) I create a key matching the system info hash key
- that key gets back into the app (internet or typed manually) and the app checks if that new code matches its system info hash
- if keys match, write key to file, and unlock the app
2 downsides:
- Java is really easy to reverse-engineer:
  - someone could create a hash generator and create the missing/wrong system info hash file
  - if you connect through the internet, you should use SSL/TLS, because in other cases, someone could just reverse-engineer (telnet) the answer the app needs to unlock
  - a good method to prevent reverse-engineering, or to make it a lot, lot harder, is to create pure .exe/ELF files. GraalVM native-image is one of those tools that can accomplish such feats. (Only using an exe wrapper is rather pointless when it comes to code security, but is good for users.)
- whenever the client changes things in his hardware, he has to register/reconnect again
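One way to harden the registration flow described in the answer above against the hash-generator downside it mentions, as an added example (not code from any poster in this thread): the server signs the system-info hash and the app only verifies it with an embedded public key, so decompiling the app does not yield the means to create keys. The use of ECDSA, the system properties that are hashed, and all class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.util.Base64;

public class LicenseDemo {
    // App side: hash some system info (the properties chosen here are an assumption).
    static String fingerprint() throws Exception {
        String info = System.getProperty("os.name") + "|" + System.getProperty("os.arch")
                + "|" + System.getProperty("user.name");
        byte[] h = MessageDigest.getInstance("SHA-256").digest(info.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(h);
    }

    // Server side only: sign the fingerprint with the vendor's private key.
    static String issueKey(PrivateKey vendorKey, String fp) throws Exception {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendorKey);
        s.update(fp.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // App side: unlock only if the file holds a valid signature over THIS machine's fingerprint.
    static boolean unlocked(Path licenseFile, PublicKey vendorPub, String fp) {
        try {
            byte[] sig = Base64.getDecoder().decode(Files.readString(licenseFile).trim());
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(vendorPub);
            s.update(fp.getBytes(StandardCharsets.UTF_8));
            return s.verify(sig);
        } catch (Exception e) { // missing, truncated or manipulated file: re-register
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key pair; in practice the private key never leaves the server.
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair vendor = g.generateKeyPair();

        String fp = fingerprint();
        Path file = Files.createTempFile("license", ".key");
        Files.writeString(file, issueKey(vendor.getPrivate(), fp));

        System.out.println("this machine: " + unlocked(file, vendor.getPublic(), fp));
        System.out.println("copied elsewhere: " + unlocked(file, vendor.getPublic(), "other-machine-hash"));
    }
}
```

Someone who patches the `unlocked` check out of the bytecode still bypasses this, which is why the answer's point about making reverse-engineering harder still applies.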