
If an application is licensed in such a way that is set up for one user, on one computer, how can I secure it?

Even if locking into one computer, how could you prevent the computer from being remotely accessed by others, so that only one user can use the application at a time?

I am curious if there are any security precautions that one can include to stop people from accessing an application more than once?

My ideas were

1. I was thinking of testing System properties for Server versions of Windows, etc, but then I realized you can remote into any computer, with a variety of programs, so that is out the window.

2.a I was also thinking of setting a flag in my application that I could send/receive from the server, so that the application won't launch again if it's opened already by someone else due to that flag being true?

Is it a security issue if I connect to my server, with FTP, before the application even logs a user in?

2.b Since the users log in, could I also set that flag once that user logs in, so that they can't log in again? (I think this should be done regardless, since a user should only log in once).

3. I also thought about trying to find and see if the application is already running on the machine (as a process or task i.e., what shows in "Task Manager").

I'm not sure which of these are viable solutions (would have to research how to do some of this), so I'm curious if anyone has a better example?

Thanks for the info.

XaolingBao
  • So you're trying to design DRM? – Robert Mennell May 24 '16 at 23:41
  • I'm not really sure, but the wiki says DRM is used to protect distribution of works, to protect copyright. This is just trying to stop a user from buying 1 license of an application, and having multiple users use it, which breaks the license agreement. Wiki uses the term "Scheme" for DRM, which seems to be a negative thing, so I'm not sure if that is frowned upon? For what I've been asked to do I don't see that much of a big deal since the person is buying one copy of the application, like buying a game with 1 cd-key that can be used one at a time. Is there a difference? Thanks – XaolingBao May 24 '16 at 23:49
  • So yes, you're trying to reinvent the wheel with DRM. Aren't there off the shelf DRM solutions that will do exactly this with Always On DRM? – Robert Mennell May 24 '16 at 23:50
  • Reading further there is a section on gaming, so yes, I guess DRM would be a correct term. Okay, I didn't realize that there are packages out there for this, nor did I know a term existed for it. Would it be better to get something already out there, than to do it myself? Would it be a lot of work to implement it myself, or would the "more secure way" be by going with something out there? Granted they don't cost a ton. Also, as mentioned about the word "Scheme" as well as reading the "opposition" to DRM, is it really hated in a lot of places? It seems some like it, some don't. Thanks – XaolingBao May 24 '16 at 23:54
  • Use an off the shelf version. Rolling your own DRM is expensive, slow, and prone to errors if not done right. And the people who like and dislike DRM is outside the scope of SE. Whether DRM is good or not is a whole different question. – Robert Mennell May 24 '16 at 23:56
  • Thanks a lot, much appreciated. I figured I would just ask your opinion on the DRM, but it seems that what I want to do is a tiny portion of the capabilities of the DRM. It talks about "Malicious" in the wiki article so I guess there are a lot of things that really hurt people, i.e., music sharing with your own devices not being allowed, or the DMCA taking down everything. It seems there are different levels of "fair" and "not fair" with the law... Thanks for your help, I'll see what will happen with this project and if the DRM is worth it, or cost effective for the client. Thanks. – XaolingBao May 25 '16 at 00:09
  • That's something more for a conversation and not comments. Feel free to start one with me about it if you want – Robert Mennell May 25 '16 at 01:10
  • I am sure someone will answer with the knowledge/concepts of doing your own DRM but @RobertMennell is right on the money. There are already solutions out there. The problem is if you actively maintained DRM you would quickly find it is going to turn into a full time job. If someone wants to find a way to bypass it they will find a way to bypass it. With that said if you choose to implement it, think of it as a deterrent and not a solution. As far as why it is disliked is outside the scope for this site. But on a technical level it prevents the owner from having full flexibility of its usage. – Bacon Brad May 25 '16 at 01:42
  • Thanks baconface. Would the user amount matter in doing this yourself or not, i.e., if the client will only be selling their product to a few dozen, or a few hundred people... would doing your own be more worth it than a mainstream program that millions of users would use, which, imo, would lead to a much higher risk of hacking. As for full flexibility of usage, I'm not sure what most DRM prevents, so I'll have to check that out.. Thanks :). – XaolingBao May 25 '16 at 02:08
  • Thanks Mark Buffalo, this is one of the ways I was looking at, is it possible to be exploited though to always be false? – XaolingBao May 25 '16 at 02:55

1 Answer

secure ways to prevent access to an application by more than one person at a time?

There is no secure way to prevent users from running more than one instance of your application on their machines if they have a copy of your application. If a user has a copy of your application, they can always find ways to subvert any checks you make.

The only secure way to limit users' access to your application is to not run your application on the user's machine. In other words, a web application.

DRM can do an OK job to prevent users from using one instance of your application at a time for licensing reasons. But trying to run trusted code on an untrusted machine is inherently insecure.

DRM is a losing game for developers and legitimate users alike. License infringers will always find a way around DRM and DRM often will find ways to inconvenience and alienate legitimate users, which increases support costs.

I was thinking of testing System properties for Server versions of Windows, etc, but then I realized you can remote into any computer, with a variety of programs, so that is out the window.

An illegitimate user can always edit any files/settings/registry on their computer. There's nothing you can do to prevent this. They are the ones with system administrator privilege, not your application.

Is it a security issue if I connect to my server, with FTP, before the application even logs a user in?

Unless your application heavily relies on the network connection as part, you cannot rely on the network connection. If your legitimate user does not have an internet connection at their home, your application will either have to refuse to run (inconveniencing legitimate users) while an illegitimate user can just disallow your application from accessing the internet using an application firewall.

I also thought about trying to find and see if the application is already running on the machine (as a process or task i.e., what shows in "Task Manager").

This would not protect against running on different machines or running your application in a virtual machine. On the other hand, legitimate users may legitimately need to run multiple copies of the application, or your application may be stuck as an unkillable zombie process in the background and legitimate users may find themselves needing to reboot their system to restart your application again.

Licensing restrictions and DRM can only keep honest people honest.

"My application truly cannot be run as a web application, because X, Y, and Z. With DRM being futile, what can a software developer do to protect their revenue?"

If you develop a great application at a reasonable price, people will want to pay for it. Put up a simple license check you can put together in a couple of hours or even go DRM free, and be done with it. Accept the risk that there will be illegitimate users and use legal measures to attack major infringers (circumvention of even simple DRMs like a dumb license key check is legally protected in many countries). Avoid DRMs that do weird things like implanting themselves in the MBR/boot sector or trying to hide themselves from the System Administrator as a rootkit. They are more likely to cause legitimate users frustration than to hinder illegitimate users.

Lie Ryan
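
Added example, not part of the original question or answer: the "in use" flag from idea 2, held on the server where the user cannot edit it, written as a lease that expires when heartbeats stop so a crashed or zombie client does not lock the license out. `SeatRegistry`, the license key and the 60-second TTL are hypothetical names and values chosen for illustration.

```python
import secrets
import time


class SeatRegistry:
    """Server-side record of which session currently holds each license."""

    def __init__(self, ttl=60.0, clock=time.monotonic):
        self.ttl = ttl          # seconds a lease survives without a heartbeat
        self.clock = clock      # injectable so expiry can be exercised offline
        self._leases = {}       # license_key -> (session_token, expires_at)

    def _live(self, key):
        lease = self._leases.get(key)
        if lease and lease[1] > self.clock():
            return lease
        self._leases.pop(key, None)   # expired or absent: the seat is free
        return None

    def acquire(self, key):
        """Return a new session token, or None if the seat is already taken."""
        if self._live(key):
            return None
        token = secrets.token_urlsafe(32)   # unguessable, bound to this session
        self._leases[key] = (token, self.clock() + self.ttl)
        return token

    def heartbeat(self, key, token):
        """Extend the lease; False tells the client it no longer holds the seat."""
        lease = self._live(key)
        if not lease or not secrets.compare_digest(lease[0], token):
            return False
        self._leases[key] = (token, self.clock() + self.ttl)
        return True


def demo():
    now = [0.0]                                   # constructed fake clock
    reg = SeatRegistry(ttl=60.0, clock=lambda: now[0])
    key = "LICENSE-EXAMPLE-0001"                  # constructed license key
    first = reg.acquire(key)                      # first user gets the seat
    second = reg.acquire(key)                     # concurrent user is refused
    now[0] = 61.0                                 # first client died, no heartbeat
    third = reg.acquire(key)                      # seat reclaimed after the TTL
    stale = reg.heartbeat(key, first)             # old token is no longer valid
    return first is not None, second, third is not None, stale
```

This only limits what the server will hand out; as the answer says, a client that does not depend on the server for its function can have the check removed or blocked at the firewall.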