Geek Answers Handbook

Protect Java application by license or key

I want to make a desktop application that works only on machines that have a key or license. How can this be achieved?

+7
source share
3 answers

It totally depends on how safe it is to do ...

The problem with java is that you can cancel its compilation. Therefore, if someone wants to, they can download your software, cancel their compilation, and then delete all the security you saved (and then redistribute it if they want).

This is only a problem if you plan to go to the mass market and sell it, and piracy will actually be a problem.

If this does not bother you, you can either go online or offline.

The company I work with uses the online method; There are several steps:

EDIT: I have since changed how this works since the old way was a maintenance nightmare.

  • License file
    • (this may contain everything you really want, it just needs to be unique to each user. Most people usually have a common outfit;
    • name
    • company
    • email
    • and then a key . those. the kind of JDU8-AJS9-88DF-SASF-ASF9 that you often see.
  • The program generates a hash from the license file.
    • put all the data from the license file in the line
    • pass the string to the hash function on this page , which can show you how to do it.
  • check the program online (on your server). The data is encoded in an HTML request (post / get / json / what you want) and sent to the license verification page, which then validates the data. The data entered is a randomly generated string that is used by the verification page to generate another password. This then returns to the program, which also used a random string to generate its own password. If they match, the program starts.

To generate keys, just use the same hasing function and then upload the hash to your server.

If you want it to be offline, you can include the hashes in the code, which I think and check them out there.

I must point out, however, that I am not a security expert in any way, I am simply developing for the company as part of a Ph.D., and this is exactly how I did it.

Edit: this image may be useful:

enter image description here

Second edit:

Now I have included "offline check". This is not a real offline check, it just uses the user as a proxy - they need to access the Internet in another way.

It works as follows:

  • Internet connection not found: provide the user with a four-digit code
  • the user goes to the verification page offline (optimized for use on mobile devices)
  • user selects which software they use from the drop-down list
  • the user enters his username (this field remembers entries)
  • the user enters the code provided by the program and sends
  • The web page contains a 4-digit code, which then enters the program and starts. Program
  • adds some special data to the license file, which means that this process will not need to be repeated during the next week / month / as much as necessary.

every time the program successfully checks it on the Internet, it also adds an offline access password to the license file, which means that it is resistant to temporary Internet downtime and will only work if the Internet has been down for more than a week / month / how long it is configured to work.

+19
source

It depends on how many customers you plan to have in distribution mode. You can use a license server, but this requires an Internet connection for the client. You can also use USB keys to manage licensing.

There is no ideal system in which you need to compromise between simplicity, effort and price.

+1
source

You can track machine licensing using macIP online. Even on Windows you can write in the registry, there is no api, but still you can do it. Find the snippet below to read the registry -

 public static final String readRegistry(String location, String key){ try { // Run reg query, then read output with StreamReader (internal class) Process process = Runtime.getRuntime().exec("reg query " + '"'+ location + "\" /v " + key); StreamReader reader = new StreamReader(process.getInputStream()); reader.start(); process.waitFor(); reader.join(); String output = reader.getResult(); // Output has the following format: // \n<Version information>\n\n<key>\t<registry type>\t<value> if( ! output.contains("\t")){ return null; } // Parse out the value String[] parsed = output.split("\t"); return parsed[parsed.length-1]; } catch (Exception e) { return null; } }

And at the class level, if you want to obfuscate, use proGuard .

+1
source

More articles:


All Articles