
I am planning to make an application and I don't want everyone to use it (only allowed people). What I was going to do is get the MAC address of the user and add it to our database "allowed_users" so he can use the application without issues.

I saw a few applications on the internet that allow users to change their MAC address, which makes my application vulnerable, as it can be used by people just by changing their addresses. IP address is definitely not the solution either, so what am I supposed to do exactly? I'd like to see what the most secure way is. I know that everything can be reverse engineered, but I want it secure enough.

Anders
  • [You can't filter on MAC address](http://security.stackexchange.com/questions/1118/can-i-block-based-on-mac-address) unless all the clients are on the same (flat, non-routed) network as yourself... and even then, people can easily bypass restrictions by altering their MAC address. Have you considered user authentication? – gowenfawr May 31 '16 at 16:49
  • MAC addresses != people. As it stands, there's not enough information here about your application to be able to answer. – Xander May 31 '16 at 16:51
  • *"I don't want everyone to use it ... I'd like see what is the most secure way"* **Don't *distribute* it!** Done! I'll take "clear requirements" for 200 Alex Trebek. :) – Alexander O'Mara May 31 '16 at 16:52
  • Secure enough for what use case? If you are very sure that you will lose money, then invest less money than you think you would lose through piracy in a DRM solution of your choice. If you can't figure out any numbers, then it's very likely that you will burn your time and money for nothing. If you have information security concerns, I guess you are on the wrong path by assuming that certain software can only be run on certain devices. – Noir May 31 '16 at 17:02
  • I simply want to know what is the unique thing that I can get from a PC and can't be changed like MAC addresses? The application should be used only on that PC. – Da black ninja May 31 '16 at 17:12
  • Nothing is so immutable, the system providing it can always lie. – Alexander O'Mara May 31 '16 at 17:13
  • Then at least, what's the best way to make a secure licence system? Like big software does? – Da black ninja May 31 '16 at 17:20
  • What kind of application? Over the internet? Using HTTP? – Neil McGuigan May 31 '16 at 17:30
  • What would be the difference? Over HTTP or over the internet? It will be a desktop application basically, which does tasks locally (most of the time). – Da black ninja May 31 '16 at 17:38
  • Username and password that tie back to your server for authentication? – IT_User May 31 '16 at 18:55

1 Answer


You have several choices.

You can certainly do what you're planning, and tie the license to a MAC address. It doesn't take super hacker skills to reassign a MAC address, or to assign the same MAC address to a virtual adapter, but it is inconvenient to do so. It also would break their networking if those adapters are all on the same LAN. This approach will cause your users to have a fit when they change computers and your software breaks.

There are security key products where you sell the customer a USB dongle. These cost a lot of money each, and can be defeated by a hacker, who can then sell copies. They are inconvenient to the licensed users.

There are security licensing products, where you sell the customer a key and licensed key server. As an end user, these are extremely difficult and expensive to set up and run; although less inconvenient than hardware dongles. Again, very expensive per license; again, not very secure against hackers.

You can build a critical part of your application as a "service", and sell "API keys" to your users. Only a valid key will let them use your service. You have other options, to price it on a per-use basis or on a subscription basis. But it won't work for your customers when they are offline to your service. And it costs you ongoing money to host a service.

You can use a third party distribution service, like Steam, and leverage their services to install and run your app. But that's geared towards gamers, and hasn't been accepted by corporate environments. And it will also cost you a significant amount of money.

You can watermark your software, so that each copy is uniquely identified to each customer. If you discover shared copies in the wild, you can identify who the source of the leak was, and sue them. Distribution becomes a bit of a hassle, but is overall fairly inexpensive.

You can continually update your software, distributing new features and fixes only to paying customers. This provides incentive for customers to not use pirated copies, or to upgrade to a licensed version if they really want your new features.

And you can communicate with your purchasers. You can force them to "click to agree" with dense, hard-to-read EULAs threatening them with lawsuits if they allow copies. Or you can politely ask them to support you as an independent software developer and to not share copies.

The main thing is that you are likely worried about nothing at all. Most software fails commercially because it doesn't have enough users, not because pirates are copying it. You should focus first on distributing it without worrying about copying. If it's wildly successful, and copying is eating into your profits, then worry about pirates.

Regardless of the approach, you must accept the risk that your software might be pirated. That's been true since the dawn of "information as value", and nothing has changed since then.

John Deters
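The "API keys" option from the answer above, as an added example that is not part of the original answer: the decision is made on the server from a secret it issued, not from a value the client machine reports about itself, and a key can be revoked per customer. `KeyStore`, `handle_request`, the `key_id.secret` format and the in-memory dictionary (standing in for a database) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class KeyStore:
    """Server-side registry of issued API keys (in-memory stand-in for a database)."""

    def __init__(self):
        self._records = {}  # key_id -> {"digest", "customer", "revoked"}

    def issue(self, customer):
        # The key is random and high-entropy; only its SHA-256 digest is stored,
        # so a leaked database does not hand out usable keys.
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = {
            "digest": hashlib.sha256(secret.encode()).digest(),
            "customer": customer,
            "revoked": False,
        }
        return f"{key_id}.{secret}"  # shown to the customer once

    def revoke(self, api_key):
        record = self._records.get(api_key.partition(".")[0])
        if record is not None:
            record["revoked"] = True

    def verify(self, api_key):
        """Return the customer name for a valid key, otherwise None."""
        key_id, sep, secret = api_key.partition(".")
        record = self._records.get(key_id)
        if not sep or record is None or record["revoked"]:
            return None
        presented = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(presented, record["digest"]):
            return record["customer"]
        return None


def handle_request(store, api_key, payload):
    """The 'critical part' of the application, run only for valid keys."""
    customer = store.verify(api_key)
    if customer is None:
        return 401, "invalid or revoked key"
    return 200, f"result for {customer}: {payload.upper()}"


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("constructed-customer")
    print(handle_request(store, key, "task"))
    store.revoke(key)
    print(handle_request(store, key, "task"))
```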