views:

357

answers:

15

Hi. I intend to make some software to be sold over internet. I've only created open-source before, so I have really no idea of how to protect it from being cracked and distributed as warez. Bearing in mind that I know like two programms that aren't either cracked or not really useful I decided that the only more or less reliable way may look like this:

  1. Connect to a server and provide licensing info and some sort of hardware summary info
  2. If everything is fine, the server returns some crucial missing parts of the program bound to that certain pc along with the usage limit of say 2 days
  3. That crucial stuff is not saved to hard drive, so it is downloaded every time the program starts, if the programm runs more than 2 days, data is downloaded again
  4. If the same info is used from different computers, suspend the customer account

What do you think about this? It may seem a bit to restrictive, but I'd better make less sales at first then eventually see my precious killer app downloaded for free. Anyways, first I need some basic theory/tutorials/guides about how to ensure that user only uses a certain Java app if he has paid for it, so please suggest some.

Thanks

+2  A: 

Unless your application is specifically web based your users will find it to be a huge hassle to require an internet connection in order that they might access the product. What you are suggesting will work, unless it gets broken, like all DRM systems do. I understand the want to protect your intellectual property, but with many companies as examples, these systems are usually broken or the product does much worse because of them.

Mimisbrunnr
Which percentage of population capable of buying a program in the internet do you assume not to have persistent connection these days?
roddik
Everybody who is traveling. Whether this is a factor obviously depends on the type your application.
Lars
+1  A: 

That's a really tricky task, especially with something running in a VM. I would say you might be thinking in the right direction. Obfuscating it to make it reasonably hard to modify might prevent people from circumventing the built in licence checks.

However, ultimately, if your application is self-contained, it will always be crackable. If you can build it so that it uses services you provide, than you can probably command it's use.

Tomislav Nakic-Alfirevic
+2  A: 

I have really no idea of how to protect it from being cracked and distributed as warez.

First, you'd be better choosing a language besides Java, if this is a concern. This is why C++ is still alive and well in the commercial apps world. Unless you are going to use an actual Java compiler to native exe, I'd reconsider Java for IP protection reasons.

For that matter, even C++ isn't impervious to cracking, but IP prorection vs. cracking are two separate, important concerns.

mrjoltcola
What? C++ is alive and well because it's harder to pirate machine code than bytecode? I'm sorry, but... that's a really unintelligent statement.
asveikau
A: 

That is some of the harshest DRM I've ever heard of, your users would hate it.

Also, keep in mind that there are a lot of good Java decompilers out there due to the nature of the language and someone determined enough could just find areas of the program dealing with your DRM and bypass/disable it then recompile it (according to this a recompilation would be unrealistic)... so you would even have to go out of your way to implement your code as complex as possible to prevent a hacker from being successful. (Which could be done with one of those code obfuscation tools they may have out there.)

Kavon Farvardin
+6  A: 

I am sorry to turn you down, but first you should have an idea of what you want to build; then you should prove that your idea not only works, but is also loved by users to the point where they want to pirate it. Thirdly, you have to make sure that the time you are investing in making it "secure" is actually worth the value of the application.

If you sell it for a dollar, and you only sell ten copies, and you spent 100 hours making it secure, you do the math and tell me if your time was worth that little money.

The take-home message here is: everything can be cracked or copied. At the end there are much brighter people than us doing this (iPhone cracking, digital TV, games, etc) and nobody found the silver bullet. Only thing you can do is make it harder to crack your application (often at the expenses of usability, ease of installation, and by cutting corners for some use scenarios). Asking yourself if it's worth the hassle it's always a good starting point.

lorenzog
I read your post and pictured a lonely software developer slouched over a bar-stool with a lager in his hand... (sniff) ... (sniff) *NOBODY* wants to pirate my software! (sniff)... :-)
Andrew Heath
+5  A: 

Don't bother.

The gaming industry has been battling piracy for decades. Online multiplayer games with a central server typically require a subscription to play. That model is fairly resistant to piracy. Pretty much all other games are heavily pirated, despite innumerable attempts at DRM.

Your app will be cracked and pirated, no matter what language you write it in and what tools you use to prevent it. If your DRM actually works, the people who would have pirated it still won't buy it. Furthermore, legitimate users will prefer other products that don't have intrusive DRM. If there are no competing products and yours has any market to speak of, someone will create one.

Zak
I agree. In the end it’s about balancing user convenience and drm complexity. Don’t take too much effort to make it “really secure”. At some point, making it more secure will also decrease user convenience.
Kissaki
A: 

I see a specific weakness in your example, besides the comment most people already put in that DRM is hard(impossible) to implement and often simple to circumvent.

In your second point:

If everything is fine, the server returns some crucial missing parts of the program bound to that certain pc along with the usage limit of say 2 days

This 2 (or X) days limit will most likely be extremely simple to circumvent, this would just a few minutes to find and patch (crack).

If you really want to have a DRM model the only reasonable way to go is to put at significant part of the application as a web service and require constant connection from the users.

Before you try any of this, be sure to read Exploiting Software and you will think twice before trying to do DRM.

Rickard von Essen
A: 

To paraphrase a Mr Jeff Atwood, it is better to make it easier for your customer to pay you than it is to crack your app. In other words, I think you are attacking the wrong problem. Make buying your product REALLY easy and then your customers won't feel they need to go to the effort of cracking it.

mR_fr0g
It's the hardest for users to part from their money and there is nothing I can do to fix it.
roddik
A: 

I would have a look at the backlash from the game Spore before deciding on a licensing scheme. They had it phone home, and only allowed so-many installations, etc. etc. etc. Spore was supposed to be their "Killer App" and it really had a hard time simply because of the licensing. You say you are willing to have fewer sales than see people using it for free, but you may want to be careful what you ask for. I was really looking forward to spore (and so were my children) but I never did buy it because of the DRM scheme.

No matter what you do, it'll be cracked in very short order especially if the program really is worth anything.

If you do go with a licensing scheme, make it simple and usable so you are not punishing those that have actually paid for your software. Also, I would avoid any phone-home style checks, that way your customers will be able to continue to use the software even if you don't want to keep paying for that domain 3 years from now.

digitaljoel
That only means you wasn't looking forward to spore. By the way it was cracked fast. But never mind that, the game's only cool when you're a bacteria.
roddik
I most definitely _was_ looking forward to spore, and whether it was cracked or not doesn't matter. The point of the comment was that obtrusive, complex DRM cost a real sale from someone that really did want to use the software. I don't use cracked software. Just because I didn't buy it, doesn't mean I wasn't looking forward to it, it means I made a decision not to get it based on the crap the publishing company placed on a game that I believed would have been fun for me and the kids.
digitaljoel
+8  A: 

I work for a company selling protected Java software.

I won't comment on the scheme for user authentication, but I can comment on the online license check.

Don't make it even "work for two days": that's how I pirate most software... Virtual Machine set "back in time" and externally firewalled so that it doesn't "phone home" anymore (that is: only allowing it to contact the server once, to get the trial key), always reimaged from the point where the software got freshly installed and bingo, the 30-days trial (or two days trial) has become a lifetime trial. Why do I do this? To learn how to better protect our app of course ;) (ok, ok, I do it just for fun too)

What we do in our commercial Java software is to check the license at every startup.

We've got hundreds of customers and nobody ever bitched about it. Not once. We generate a unique class at each run, which is different at every run, which depends both on things unique for that launch on the client side and on things generated once on the server side.

In addition to that having the app contact your server at every launch is a great way to gather analytics: download to trial ratio, nb average launches per trial, etc. And it's not nasty anymore than having an Urchin/Google JavaScript tracker on each webpage is nasty.

Simply make it clear to people that your software performs the online licence check: we'got a huge checkbox either on or off saying: "Online licence verification: OK/Failed". And that's it. People know there's a check. If they don't like it, they go use inferior competitor products and life is good.

People are used to live in a wired world.

How often can you not access GMail because your Internet connection is down? How often can you not access FaceBook or SO because your Internet connection is down?

Point is: make as much computation as possible dependent on the server side:

  • licence check
  • save user preferences
  • backup of the data generated by your app
  • etc.

Nobody will complain. You'll have 0.1% of your user complain and anyway you don't want these users: they're the one who would complain about other things and post negative feedback about your app online. You better have them not to use your software at all and complain about the fact that it requires an always-on Internet connection (which 99.99% of your target demographic and hence they won't care about the complain) rather than actually have them use the app, and complain about other things related to your app.

Regarding decompiling, .class can usually be decompiled back to .java unless you're using a code flow obfuscator that produces valid bytecode but that it impossible to be generated from .java file (hence it is impossible to get back a valid .java file).

String obfuscator helps make it harder to figure out.

Source code obfuscator helps make it harder to figure out.

Bytecode obfuscator like the free Proguard makes it harder (and produce faster code, especially noticeable in the mobile world) to figure out.

If you're shipping Windows/Linux only then you can use a Java-to-native converter like Excelsior Jet (not free and kinda expensive for startups, but it produces native code from which you simply cannot find the .java files back).

As a funny side note you'll see people trying to mess with your online server... At about 30 beta-testers we had already people (which we know where part of the trial) trying to pirate our online servers.

Webinator
@WizardOfOdds - What happens when a company wants to run your software on a network not connected to the internet? I can think of a number of industries where this is very likely to occur, so I guess it comes down to who your user base will be maybe?
Binary Nerd
@Binary Nerd: The very few industries that have such a need have both an internal net and an Internet net. I'll give you an example I know very well: *Broadcom* was such a company: chip engineers had at least two computers, one Un*x workstation to run the chip-design (highly trade-secret) and another computer (Windows, Linux, Mac) that was on the Internet. Think of this: there are really *very* few companies today where people use computer software yet where their users cannot send emails. Trade secrets? Two networks or live in the stone age and be outpaced by your competitors.
Webinator
@Binary Nerd: in addition to that, seen the original question that talks about a server and is concerned about "warez", it seems pretty obvious that the OP is not after the very few companies in the world that would happen to use computers yet not allow their computers to access the Internet... Now I'm not disputing that there may a few exceptional cases where this wouldn't work. But nowadays most individuals, SMEs and big companies are all using daily Webapps like GMail etc. We *do* live in an Internet connected world and if this changes one day, we'll have bigger problems than anti-piracy ;)
Webinator
@WizardOfOdds - Thanks for the reply. I just wanted to make the point that @roddik should consider situations where an external network connection may not be available.
Binary Nerd
Thanks for the reply, I haven't read all of it yet, but I wanted to say that I was not going to give a trial. That would be just an addition to other measures to prevent the following situation: legal customer downloads key data, somehow saves it, gives to someone in his lan (same IP), who uses virtual machine to fake hardware stats. With time limiting they would at least have to do it more often. Not to mention the theoretically possible situation of introducing some monthly payments, in which case time limiting would stop users from avoiding them.
roddik
@Webinator: -1. this is a poor recommendation, because it only punishes legitimate users (as with any DRM). If a hacker wants it bad enough he will do something like mimic your server and make it easy to hack your software. There's simply nothing you can do about it. @roddik: It's best to minimize the restrictions so that as few users as possible feel the need to steal your software.
RCIX
"If you're shipping Windows/Linux only then you can use a Java-to-native converter like Excelsior Jet (not free and kinda expensive for startups, but it produces native code from which you simply cannot find the .java files back)." This is criminal. One of the major advantages of Java is that you can run any compiled Java code safely in a sandbox. This method prevents that. This method also prevents adaptive optimization at runtime, and any optimizations that are added to new JRE updates. This is bad business, it doesn't just hurts the customer, it rapes him. While I can still crack your app.
Longpoke
@Longpoke: *Excelsior Jet* is an excellent product made by Excelsior LLC, which are in business since the last century and calling the use of such a product "criminal" is just, well, weird?
Webinator
+1  A: 

I think, given the context, the most effective form of protection for now would be the limited demo/license key approach: it would give people time to fall in love with your application so that they are willing to pay for it, yet prevent casual copying.

Once you know that your app hit it big, and that crackers provably siphon off a significant portion of your possible earnings, then you can still add additional checks.

Another thing to consider is where your app is going to be used: if it's something people would put on the their laptops to use on the go, network connectivity is not a given.

Lars
A: 

As long as it's an Internet application, you could restrict it in that manner. Short of cracking the program, this would work fine except for replay attacks.

For example, if I can capture the traffic that is going to your server, and simply replay it back to my program each time, I'm still good. For example, I could create my own "web server" and ensure the program hits that instead of your server.

Marcus Adams
A: 

Hi!

You should read "Surreptitious Software" from Collberg and Nagra. This book is really good to help you understand how software protection mechanisms work (such as Code obfuscation, watermarking, birthmarking, etc...).

As lorenzog said, total security doesn't exist and software security is like a constant race between software vendors and pirates.

You should use cheap obfuscating transformations (so the overhead they incur isn't killing the performances) to prevent as many attackers (remember most of them are script kiddies) as possible to "steal" your killer algorithms or any secret data.

If you're willing to push the security further you can birthmark your algorithms and watermark your copies in order to find who leaked your creation. But even if you do, this doesn't mean your software is 100% secured. Plus the time you'll spend adding these mechanisms might not be worth the effort.

These concepts are really well explained in the book I mentioned before which is worth reading.

tchufa
A: 

If I had enough reputation points, I'd vote this question down. Commercial software protection is a waste of time, money, and effort for many reasons. Concentrate on making a piece of software worth buying. If your software is popular enough to maintain wide seeding by pirates, you're probably successful enough at that point that you won't even worry about piracy. Anyway, crackers crack software protection mostly for fun. The stronger your protection, the better the challenge it presents and the more they want to crack it. Your best effort will cost you thousands, take months, and be cracked in only days.

Eric
+1, you hit the nail on the head. A small note (what you should point people at whenever they recommend DRM): http://superuser.com/questions/14224/how-to-explain-drm-cannot-work/14764#14764
RCIX
A: 

Commercial licensing systems from companies with Java expertise do deal with all these issues, including activating licenses on systems without a network connection, protecting time-limited licenses against clock rollback, protecting against spoofing or tampering with the license check, securing licenses on virtual systems and more. The expertise required to do this does take time and experience to acquire, which is why many companies pay the money - do you build your own operating system, database etc. when you need one? Probably not, because the commercial tools offer capabilities you couldn't match at a reasonable price.

Also, being overlooked in all these objections is the ability to offer more than just a trial or perpetual license. With a licensing system you can also offer a subscription license, versions with different features for specific markets at different price points, usage-based licensing and more (and all from the same executable) so serving the needs of a wider base of customers.

Dominic