1

I'm trying to make a good licensing system without affecting the user's experience and at the same time make it as secure as possible. I know it's impossible to make it 100% secure, but I would like to make it harder.

My program is made to be used only when the user has internet connection (not because I hate my users, but because my program is for another online app), that's why I don't care if the user doesn't have internet connection.

What I thought so far:

Registration:

  1. User downloads the software from a public permanent link (mega or something).
  2. User buys the software and receives a unique key by e-mail (this key is then written to my DB).
  3. User opens the software and registers a new account with Username, Password and the key he received via e-mail. At the same time information about his PC is sent (will cover that later). (This information is sent with HTTPS POST.)
  4. API checks if the key is not already used and writes Username, Password and PC information on that key's row.

Login:

  1. User opens software and writes Username and Password.
  2. Username, Password, PC information and Current time is sent to the server (HTTPS POST).
  3. Server checks Username, Password and PC information and sends an answer based on the current time (Using Echo on php) (to make answer unique, idk if this is useful, read last question on "What I didn't think about yet").
  4. Every 1 or 2 minutes the software does 3. again to check if the information didn't change.

There is a "Reset" button in case the users changed something in their Computers that made the key obsolete. This will ask the user to login, then will replace Computer's information with the new one.

Computer information:

I'm still thinking about this, maybe Hardware information that cannot be faked, or something. I need all this information to be as hard to fake as possible and not changed so frequently that my users would have to reset their account every day/week.

What I didn't think about yet:

  • What happens if the user tries to fake the Computer information, how should the server check that the information is wrong. Like if the key becomes "00000000" because all the data is NULL, empty or 0.
  • What happens if there are 2 Computers with the same information (for example, notebooks). Users would be able to use same serial / account for both computers. How often will this happen? Answered after investigating. This has a low chance, and if this happens, they would still have to know each other so they share their serial keys.
  • What happens if someone gets the source code of my program? Will it have any consequence on the rest of the users? Answered by @vidarlo
  • Is it possible to fake the answer from the server? What should I do to prevent that? Answered by @vidarlo
  • After thinking about this system I noticed that I don't have any kind of serial key generated from user information. (I mean, I send Computer information to the server to compare instead of making a serial key with it and giving the user this serial key). Does this make my system bad?

To be honest, I read a lot and came up with this schema that I "tested" in my mind to see if I could find any easy way to bypass it (I mean things like "if you block internet connection then the program will work without license"). Now after "testing" it in my mind, I need more experienced users to give me some advice. This will be my main source of money while I'm studying and I'm trying to protect it as much as possible. A good link I found was how the XP license system works: https://www.licenturion.com/xp/fully-licensed-wpa.txt But it is not very useful because I don't use any kind of serial key containing user information.

I don't know if this is the page for this. I decided to post this here because I'm not asking about code or "how do I do the following", I'm asking if this is easy to bypass.

Everything is appreciated, I'm still on the first step (thinking about everything and checking if it fails before I start to code it).

I continued researching and couldn't find any problems with this schema (I'm omitting the problem that someone edits my exe because there is nothing I can do about it). But still I need more opinions because I don't have a lot of experience, and this would be my first licensing system.

2 Answers

2

You can manage the logins online, via browser. When the client starts your app, it will generate a random token plus timestamp, and load your login page in his default browser. In the background your program connects to your service to receive status updates on the token.

When the login is successful, you sign the token with your private key and send it back. When the client program receives this info, it checks the signature and starts (or not).

Now, the analytics. You used the user's default browser, so you get browser family, OS, screen size, installed plugins and so on - use this info to detect multiple uses. The majority of users don't have dozens of internet providers. Get the IP they are logging in from, see the provider and geographical area. If any credential is used at the same time by users in different countries, or from more than a few providers, suspend the account and contact the user to see if he shared the account, or it got stolen.

ThoriumBR
  • Thanks for the answer. Is this approach safer (idk if that's the correct word, sorry English is not my main language) than doing login with my app instead of the browser? If I do the login via browser, do they have to keep the browser opened while the app is running? Is this kind of login required to have a better licensing system? I mean I would love to keep login as it is (via my app) but only if it's as safe as any other login. – Roberto Carlos Jan 17 '19 at 18:44
  • Logging in with the browser means you collect more fingerprint data than just computer components, so identical computers will not have identical fingerprints, as browser versions, fonts, and plugins change. The user just needs to log in and doesn't have to keep the browser open. – ThoriumBR Jan 17 '19 at 20:17
  • That's smart, didn't think about that. Thank you for this suggestion, I think I'm going to add this once I have the basics covered (like first checking if the schema is safe enough to be used, then if licensing system works, etc.). Once again, thanks for answering this question/comment. – Roberto Carlos Jan 17 '19 at 20:24
  • You could upvote and mark as answered if it helped... – ThoriumBR Jan 17 '19 at 20:26
  • Hi, I upvoted but it won't show because I'm new. I don't mark it as answered because I still need answers for the other points there. About my login / registering schema and the "what I didn't think about yet" section – Roberto Carlos Jan 17 '19 at 21:37
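
The analytics rule from the answer above (same credential used at the same time from different countries, or from more than a few providers), as an added example that is not part of the original answer. The log layout, the 30-minute window and the provider limit are assumptions, and the login records are constructed sample data with country and provider already resolved from the source IP.

```python
from collections import defaultdict

# Constructed sample: (account, unix_time, country, provider) per successful
# login, with country/provider already resolved from the source IP.
LOGINS = [
    ("alice", 1000, "BR", "ISP-A"), ("alice", 5000, "BR", "ISP-A"),
    ("alice", 90000, "BR", "Mobile-B"),
    ("bob", 1000, "DE", "ISP-C"), ("bob", 1300, "US", "ISP-D"),
    ("carol", 100, "FR", "ISP-E"), ("carol", 40000, "FR", "ISP-F"),
    ("carol", 80000, "FR", "ISP-G"), ("carol", 120000, "FR", "ISP-H"),
]

def flag_shared_accounts(logins, overlap_window=1800, max_providers=3):
    """Return {account: [reasons]} for accounts that look shared or stolen.

    overlap_window: seconds within which two logins count as "the same time".
    max_providers: distinct providers tolerated per account (assumed value).
    """
    by_account = defaultdict(list)
    for account, ts, country, provider in logins:
        by_account[account].append((ts, country, provider))

    flagged = {}
    for account, events in by_account.items():
        events.sort()
        reasons = []
        # Rule 1: consecutive logins close in time from different countries.
        for (t1, c1, _), (t2, c2, _) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= overlap_window:
                reasons.append(f"concurrent use from {c1} and {c2}")
                break
        # Rule 2: more distinct providers than one person plausibly uses.
        providers = {p for _, _, p in events}
        if len(providers) > max_providers:
            reasons.append(f"{len(providers)} distinct providers")
        if reasons:
            flagged[account] = reasons
    return flagged
```

Flagged accounts go to a manual review queue, matching the answer's "suspend the account and contact the user" step.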
2

What happens if someone gets the source code of my program? Will it have any consequence on the rest of the users?

It means that they can remove the checks, and run the software. They can distribute the source code or compiled binaries.

This will not affect users running the version distributed by you, but will enable them to bypass your protection.

Is it possible to fake the answer from the server? What should I do to prevent that?

This is difficult. You can sign your answer with PKI, but ultimately it's next to impossible to stop the user from replacing the expected signer in the local binaries if they are determined. This depends on the cost and kind of software. You can obfuscate code and so forth, but ultimately the person owning the computer can do whatever they want with code running on that computer.

This includes inserting jumps whenever the serial is checked, altering the accepted signatures, and removing offending code.

vidarlo
  • Hello, thanks for the answer. (I upvoted but I'm new so it won't show, sorry). About the first question, thanks for the answer, I knew the first part but I didn't stop to think if there is any consequence for the rest of "legal" users. Your answer clarified this point, I will edit main post and flag that question as answered. – Roberto Carlos Jan 19 '19 at 14:25
  • About faking the answer from the server, I'm talking about editing hosts files, sending a packet to my program or something like that (I'm not experienced in this field, but you get the idea of what I mean). I didn't think about anything that is related to people editing the code because it's impossible to protect the .exe 100%. So I just thought about making it harder for normal users. That's why I'm still trying to find a way to make the entire program depend on the Check login function (this way, the user is not allowed to simply delete the "if ServerAnswer=yes"). – Roberto Carlos Jan 19 '19 at 14:25
  • Yes, and that is what signing can help mitigate. Signing the reply makes it impossible to fake the reply to a genuine, unmodified, executable. – vidarlo Jan 19 '19 at 14:26
  • Thanks again for answering, do you have any link with useful information about signing? (I tried searching "Signing reply from server" and a lot of other terms on Google and couldn't find useful information). 1 more question: if I make the answer unique, like (simple example) get the time of the request (store it on a variable in the .exe) and making a unique answer (on the API) based on it, then sending it so the .exe can sort of "decrypt" this message and know if the answer is sent from my server or not? (of course I will make something harder, better and more unique when it comes to answer) – Roberto Carlos Jan 19 '19 at 14:31
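
The signed, unique server reply discussed in both answers and in the comments above, as an added example that is not part of the original thread: the client sends a random nonce, the server signs the verdict together with that nonce and a timestamp, and the unmodified client verifies the reply with the public key it ships with. The function names, field names and 30-second freshness limit are assumptions; the RSA key is a demo-only key whose factors are public, used unpadded so the block runs on the standard library alone, where production code would use Ed25519 or RSA-PSS from a vetted library.

```python
import hashlib, json, secrets

# Demo-only RSA key from two public Mersenne primes (factors known to
# everyone, so NOT secure) with unpadded hash-then-sign. Production code
# would use Ed25519 or RSA-PSS from a vetted library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                  # public: shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))          # private: stays on the server

def _digest(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")

def server_reply(nonce: str, licensed: bool, now: float) -> dict:
    """Server side: sign the verdict together with the client's nonce."""
    payload = json.dumps({"nonce": nonce, "licensed": licensed,
                          "ts": int(now)}, sort_keys=True).encode()
    return {"payload": payload.decode(), "sig": pow(_digest(payload), D, N)}

def client_accepts(reply: dict, nonce: str, now: float, max_age: int = 30) -> bool:
    """Client side: check signature, nonce binding and freshness."""
    payload = reply["payload"].encode()
    if pow(reply["sig"], E, N) != _digest(payload):
        return False                       # forged or altered reply
    body = json.loads(payload)
    if body["nonce"] != nonce:
        return False                       # replay of an earlier reply
    if abs(now - body["ts"]) > max_age:
        return False                       # stale reply
    return body["licensed"] is True

def demo() -> dict:
    t = 1_700_000_000.0                    # constructed clock value
    nonce1, nonce2 = secrets.token_hex(16), secrets.token_hex(16)
    good = server_reply(nonce1, True, t)
    denied = server_reply(nonce2, False, t)
    tampered = dict(denied, payload=denied["payload"].replace("false", "true"))
    unsigned = {"payload": good["payload"], "sig": 1}
    return {
        "genuine": client_accepts(good, nonce1, t + 2),
        "replayed": client_accepts(good, nonce2, t + 90),
        "tampered": client_accepts(tampered, nonce2, t + 2),
        "unsigned": client_accepts(unsigned, nonce1, t + 2),
    }
```

A fresh nonce per check is what makes each reply unique; as vidarlo's answer notes, this only holds for a genuine, unmodified executable, since a patched binary can skip the verification entirely.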