protect Java Application by licence or key


Solution 1

This depends entirely on how secure you want to make it...

The problem with Java is that you can reverse compile it. So if someone wanted to, they could download your software, reverse compile it, and then remove whatever security you have put in place (and then redistribute it if they wanted).

This is only a problem if you plan on going mass market and selling it, and piracy would actually be a problem, though.

If you're not concerned about this, then you can go for either online or offline checking.

The company I work with uses the online method; there are a few steps:

EDIT: I've since changed how this works, as the old way was a maintenance nightmare.

  1. A license file (this can contain whatever you want in reality; it just has to be unique per user. Most people normally go with general garb:)
    • name
    • company
    • email
    • and then a key, i.e. the JDU8-AJS9-88DF-SASF-ASF9 kind of thing you often see.
  2. The program generates a hash from the license file.
    1. Put all the data from the license file into a string.
    2. Pass the string to a hashing function (this page can show you how).
  3. Have the program check online (on your server). The data gets encoded in an HTML request (post/get/json/whatever you want) and submitted to your license verification page, which then verifies the data. Included in the data is a randomly generated string, which is used by the verification page to generate another password. This is then returned to the program, which has also used the random string to generate its own password. If the two match, the program starts up.

To generate the keys, just use the same hashing function, and then upload the hash to your server.

If you want it to be offline, you could include the hashes in the code I guess and check against them there.

I should point out, however, that I'm not a security expert by any means, I just develop for a company as a portion of a Ph.D. and this is just how I did it.

Edit: this image might be helpful:

(image not reproduced in this copy)

Second Edit:

I have now included "offline verification" in the process. It's not really offline verification; it just uses the user as a proxy: they need to access the internet another way.

It works like this:

  1. No internet connection found: supply the user with a 4-digit code.
  2. User goes to the offline verification page (optimized for mobile use too).
  3. User selects which software they use from the dropdown list.
  4. User enters their username (this field remembers entries).
  5. User enters the code the program gave them and submits.
  6. The webpage provides a 4-digit code, which they then enter into the program, and it starts.
  7. The program adds some special data to the license file, meaning that this process won't need to be repeated for the next week/month/however long.

Every time the program successfully verifies online, it also adds an offline access password to the license file, which means it's robust against temporary internet downtime and will only stop working if the internet is down for more than a week/month/however long it's set up to work for.
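The three numbered steps above (license file, hash of its contents, online check with a random string) together with the offline access password from the second edit, as an added Java example; this is not will's code. The server is an in-process class standing in for the verification page, the "password" both sides derive from the random string is an HMAC keyed by the license hash (my construction; the answer only says the string is hashed), the field names and the 30-day offline window are assumptions, and HexFormat needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class LicenseCheckDemo {
    static final HexFormat HEX = HexFormat.of();
    static final String ALG = "HmacSHA256";
    static final int OFFLINE_DAYS = 30;  // assumed value for "week/month/however long"

    // Steps 1 and 2: concatenate the license fields in a fixed order. Fields the program adds
    // itself ("offline_*") are left out, so the hash stays the one uploaded at key generation.
    static String canonical(Map<String, String> license) {
        StringBuilder sb = new StringBuilder();
        new TreeMap<>(license).forEach((k, v) -> {
            if (!k.startsWith("offline_")) sb.append(k).append('=').append(v).append('\n');
        });
        return sb.toString();
    }

    // Step 2: the hash the program generates from the license file (SHA-256, hex encoded).
    static String licenseHash(Map<String, String> license) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(canonical(license).getBytes(StandardCharsets.UTF_8));
        return HEX.formatHex(d);
    }

    // The "password" both sides derive from the random string: an HMAC keyed by the
    // license hash (assumed construction; the answer only says the string is hashed).
    static String derive(String licenseHash, String challenge) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(licenseHash.getBytes(StandardCharsets.UTF_8), ALG));
        return HEX.formatHex(mac.doFinal(challenge.getBytes(StandardCharsets.UTF_8)));
    }

    // Constant-time comparison, so the check does not leak how many characters matched.
    static boolean sameString(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    // Server side (stands in for the verification page). It stores only the uploaded hashes
    // and their expiry dates, as in the comments: an expired license simply stops verifying.
    static class LicenseServer {
        private final Map<String, Instant> issued = new HashMap<>();
        void register(String hash, Instant expiry) { issued.put(hash, expiry); }
        String verify(String hash, String nonce) throws Exception {
            Instant exp = issued.get(hash);
            if (exp == null || exp.isBefore(Instant.now())) return null;  // unknown or expired
            return derive(hash, nonce);
        }
    }

    // Step 3, client side: send hash plus random string, compare the reply with our own
    // derivation. On success, write an offline access password into the license file.
    static boolean onlineCheck(LicenseServer server, Map<String, String> license) throws Exception {
        String hash = licenseHash(license);
        byte[] nb = new byte[16];
        new SecureRandom().nextBytes(nb);
        String nonce = HEX.formatHex(nb);
        String reply = server.verify(hash, nonce);
        if (reply == null || !sameString(reply, derive(hash, nonce))) return false;
        String until = Instant.now().plus(OFFLINE_DAYS, ChronoUnit.DAYS).toString();
        license.put("offline_until", until);
        license.put("offline_token", derive(hash, "offline:" + until));
        return true;
    }

    // Offline path: accept the stored password while its date has not passed.
    static boolean offlineCheck(Map<String, String> license) throws Exception {
        String until = license.get("offline_until"), token = license.get("offline_token");
        if (until == null || token == null || Instant.parse(until).isBefore(Instant.now())) return false;
        return sameString(token, derive(licenseHash(license), "offline:" + until));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample license file with the fields the answer lists.
        Map<String, String> license = new TreeMap<>(Map.of(
                "name", "Ada Example", "company", "Example Ltd",
                "email", "ada@example.com", "key", "JDU8-AJS9-88DF-SASF-ASF9"));
        LicenseServer server = new LicenseServer();
        // Key generation: same hash function, hash uploaded to the server with an expiry date.
        server.register(licenseHash(license), Instant.now().plus(365, ChronoUnit.DAYS));

        System.out.println("online check:     " + onlineCheck(server, license));
        System.out.println("offline check:    " + offlineCheck(license));
        license.put("key", "XXXX-XXXX-XXXX-XXXX-XXXX");  // an edited license file
        System.out.println("tampered online:  " + onlineCheck(server, license));
        System.out.println("tampered offline: " + offlineCheck(license));
    }
}
```

The edited license fails both checks because its hash is no longer the one registered with the server, and the stored offline token was computed over the original hash. The shared-secret shape of the scheme is what the comments below discuss: the license hash is computable from the license file, so the HMAC defeats a stand-in server that knows nothing about the license, but not one run by someone who holds the file. The server-side expiry check and the constant-time comparison are worth keeping whatever transport replaces the in-process server.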

Solution 2

You can track licensing of a machine by MAC/IP online. Even on Windows you can write to the registry; there is no API, but you can still do it. Find a snippet below to read the registry:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

// Reads a registry value by running "reg query" and parsing its console output.
// Returns null when the key/value is missing, the process fails, or reg.exe is unavailable.
// (The original used a StreamReader helper class that was not shown; a BufferedReader does the same job.)
public static String readRegistry(String location, String key) {
    try {
        // Arguments passed as an array: no shell is involved, so paths with spaces need no manual quoting
        Process process = new ProcessBuilder("reg", "query", location, "/v", key)
                .redirectErrorStream(true)
                .start();

        StringBuilder output = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                output.append(line).append('\n');
            }
        }
        if (process.waitFor() != 0) {
            return null;  // reg.exe exits non-zero when the key or value does not exist
        }

        // Output has the following format (tab separators on old Windows versions, runs of spaces on newer ones):
        // \n<key path>\n    <value name>    <registry type>    <value>
        for (String line : output.toString().split("\n")) {
            String trimmed = line.trim();
            if (trimmed.length() > key.length()
                    && trimmed.regionMatches(true, 0, key, 0, key.length())
                    && Character.isWhitespace(trimmed.charAt(key.length()))) {
                // Parse out the value: name, type and data separated by a tab or 2+ spaces
                String[] parsed = trimmed.split("\\t|\\s{2,}", 3);
                return parsed.length == 3 ? parsed[2] : null;
            }
        }
        return null;
    } catch (Exception e) {
        return null;
    }
}

And at class level, if you want to obfuscate, use ProGuard.
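The MAC/IP tracking this answer mentions, and the hardware fingerprint the comments below suggest as the stronger alternative, as an added Java example; this is neither Ahmed Aswani's nor will's code. It gathers a few machine details, hashes them into a value a license server could store at activation, and tolerates a partial mismatch on later checks so that one changed adapter does not lock out a legitimate user. The choice of details, the 3-of-4 threshold and the "flag for review" outcome are my assumptions, and HexFormat needs Java 17 or later.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HexFormat;
import java.util.List;

public class MachineFingerprint {
    static final int REQUIRED_MATCHES = 3;  // assumed threshold: 3 of the 4 parts must still match

    // Collects the identity parts in a fixed order so the resulting hash is stable.
    // Each part can be forged on its own; combining several raises the bar over a MAC-only check.
    static List<String> collect() throws Exception {
        List<String> macs = new ArrayList<>();
        for (NetworkInterface nic : Collections.list(NetworkInterface.getNetworkInterfaces())) {
            byte[] mac = nic.getHardwareAddress();
            // Loopback, virtual and point-to-point adapters come and go, so they are skipped.
            if (mac == null || nic.isLoopback() || nic.isVirtual() || nic.isPointToPoint()) continue;
            macs.add(HexFormat.of().formatHex(mac));
        }
        Collections.sort(macs);  // adapter enumeration order is not stable between runs
        List<String> parts = new ArrayList<>();
        parts.add("mac=" + String.join(",", macs));
        parts.add("os=" + System.getProperty("os.name") + "/" + System.getProperty("os.arch"));
        parts.add("user=" + System.getProperty("user.name"));
        parts.add("host=" + InetAddress.getLocalHost().getHostName());
        return parts;
    }

    // The value to store server-side at activation: SHA-256 over the joined parts.
    static String fingerprint(List<String> parts) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(String.join("\n", parts).getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(digest);
    }

    // Soft comparison for later checks: how many recorded parts the current machine still matches.
    static int matchingParts(List<String> recorded, List<String> current) {
        int n = 0;
        for (int i = 0; i < Math.min(recorded.size(), current.size()); i++) {
            if (recorded.get(i).equals(current.get(i))) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        List<String> atActivation = collect();  // what the server would record on first use of the key
        System.out.println("fingerprint: " + fingerprint(atActivation));

        // A later check on this machine: count matches instead of demanding an exact hash match,
        // which mirrors the "fairly unrestricting, check every now and then" approach in the comments.
        List<String> now = collect();
        int same = matchingParts(atActivation, now);
        System.out.println(same + "/" + atActivation.size() + " parts match -> "
                + (same >= REQUIRED_MATCHES ? "accept" : "flag for review"));
    }
}
```

Storing the exact hash only works while nothing changes; storing the individual parts (or a hash per part) is what makes the tolerant check possible. Which outcome a mismatch should trigger (re-activation, a manual review, or a cut-off) is a business decision, as the comments below note.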

Author: Ahmed Aswani
I am a JAVA Developer, big fan of Linux, love to help.

Updated on November 15, 2020

Comments

  • Ahmed Aswani
    Ahmed Aswani over 3 years

    I want to make a desktop application that only runs on machines that have a key or licence. How can this be achieved?

  • Paul Taylor
    Paul Taylor over 11 years
    I don't quite get it. When a user makes a purchase, do you provide them with a license file containing the hashed license key using information they provide at purchase time, or do you just create a key, and then the user enters this and the other information into the program and it then generates a license file on first run?
  • will
    will over 11 years
    @PaulTaylor When someone makes a purchase, we email them back their license details (to confirm them with them). When you start the program, it looks for the license file. It then concatenates the data in the file and passes the resulting string through a hash function; if this hash matches the hash we have for their license key on our servers then it starts, otherwise it prompts you to fill in a form. Then it creates the license file that goes through the hash in the future.
  • Tomas Bisciak
    Tomas Bisciak about 10 years
    @will What exactly should the server return in response? A boolean? Some kind of key?
  • will
    will about 10 years
    @TomasBisciak If you have it returning just a boolean, it will be very easy for people to just edit their hosts file (on Windows at least) and have a small server running that always returns true. Have it return some kind of specific password generated from a random key you send it. I.e. in the data you send, include a random string, then hash it and send back the hash. Then check the hashes match.
  • Tomas Bisciak
    Tomas Bisciak about 10 years
    @will Thank you for the response. But that still seems a little bit insecure. Is there any layer of protection that would be helpful in addition to this security setup? Because the verifying mechanism still has to be inside the client-side application, meaning it is visible to an attacker.
  • will
    will about 10 years
    @TomasBisciak This is just how we do it here. I know it doesn't solve the issue of it being visible to the attacker. I know of methods which create some kind of machine fingerprint using various details of the hardware, which is better than using MAC addresses (which can be spoofed). If we ignore reverse compilation and the like, then provided you use a sufficiently strong hashing algorithm, I think it should be fine.
  • will
    will over 9 years
    @TomasBisciak So this is a long time after the initial question; I hope you've solved your problem. One thing that I found in this field is that there's a trade-off between the difficulty you add for legitimate customers vs. how much security you really need. How much of a problem do you expect piracy to be? There are also other methods I've seen, i.e. an old computer game called "Escape Velocity" has a pirate named after the developer. If you had not bought the game, he would attack you periodically, making progress very difficult (Captain Ambrosia was in the shareware version too :-/).
  • will
    will over 9 years
    MAC addresses can be easily spoofed though. If you want to go down this route, it's more secure to try and create a unique computer fingerprint.
  • Tomas Bisciak
    Tomas Bisciak over 9 years
    @will I do not expect it to be a big problem for me yet, but in future I will encounter this problem as I now work on bigger software that won't be free, and as I see it there is no real way to incorporate security features that can't just be removed, i.e. decompile, find the class that cares about security, remove it, compile again, profit. I know that obfuscated code can be easily countered by a deobfuscator of some kind, so that won't help. What kind of attacks do you mean? I really think that the future of software lies in SaaS, where the logic is on the server and you can't get a handle on any code.
  • Subhrajyoti Majumder
    Subhrajyoti Majumder over 9 years
    How can you generate a computer fingerprint?
  • will
    will over 9 years
    Well, that's up to you really. I once spoke to a company that does their licensing like that, and the guy said that they used a whole host of things, such as the MAC address, hardware details, maybe the IP address (but that changes a lot, so it depends on how you want your licence to work). Personally, I just track various details and have it fairly unrestricting, but then check the details every now and then, and if they appear to be abusing it (which hasn't happened yet), then I'd cut them off.
  • Kevin Van Ryckegem
    Kevin Van Ryckegem about 8 years
    This is by far one of the best and clearest answers about licensing a Java project.
  • will
    will over 7 years
    @TomasBisciak I would not say it's easy. I would say that the people who crack the newest video games in days are just very good at it. They also probably work in the industry, and so know exactly what they're doing. Go and have a look for pirated software; I bet you'll find that the most popular stuff gets broken into on day one, and then the same day every time they release a security fix. Then do the same for some random small company's program: you're unlikely to find anything for it (I'd presume), just because there's nothing in it for those who know how to break it.
  • Root
    Root over 7 years
    @Will Very great :) What do you do when the license expires? I mean, what is the procedure for deactivation? And reactivation after payment for a new license?
  • will
    will over 7 years
    @root The licensing db holds the expiry date of the licenses, so it will just stop working when it expires. Then when they pay, the date gets updated.
  • Root
    Root over 7 years
    In your case, what would you stop? If I stop any service, the customer could be smart enough to start the service manually. And where do you store the expiry date in the offline case?
  • will
    will over 7 years
    @root, yes. And then they would get one final month (or however long the offline licensing works) for free. This whole answer is caveated with the fact that we did not have many customers, so the fear of losing business to piracy was low, so making some convoluted and overcomplicated system is not necessary and is just going to cause more harm than good by annoying people.