I have recently developed an app that I plan to sell to small businesses. I do not have a huge backing of cash so I am unwilling to purchase a commercial application that would protect my software against theft.

My current plan is the following:

  • I include a public key (PGP) or a literal code inside of the app.
  • User purchases software off of website providing certain information.
  • The site calls a function which creates a product key. This key is emailed/shown to the user after purchase.
  • After the user downloads the product, they will have to enter some information along with the provided product key to attempt activation.
  • The application contacts a web service at our hosting location. It uses encryption along with other information to create an activation code which is sent back to the application.
  • In the future the application will check periodically with the web service to determine if it is authorized.
  • Somehow I would like to update the PGP/code during software update so I would possibly need a function that would decrypt the information, update the license, re-encrypt it, and then update the service database.

So I wonder:

  1. Is this the correct way to do this or is it obsolete now?
  2. What is the best way to generate unique product keys?
  3. Is there a way to keep the public/private keys completely off of the client's PC?
  4. Is there a good way to detect an illegal license? I plan on only offering site-wide licenses so I just need to detect the evil little BitTorrent/IRC people.

Thank you in advance for your help. It is greatly appreciated.
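
One way to implement the product-key and activation steps of the plan above, as an added example that is not part of the original question: the key is a random serial plus a truncated HMAC made with a secret that exists only on the server, so the client holds nothing secret. The HMAC construction, `SERVER_SECRET`, `ActivationService`, the seat limit and the `machine_id` values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo value; a real secret stays on the licensing server only.
SERVER_SECRET = b"constructed-demo-secret"
ID_BYTES = 5   # random serial, 40 bits
TAG_BYTES = 5  # truncated HMAC-SHA256 tag, 40 bits

def _tag(serial: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, serial, hashlib.sha256).digest()[:TAG_BYTES]

def generate_product_key() -> str:
    """Website side: random serial + MAC, Base32 in 4-character groups."""
    serial = secrets.token_bytes(ID_BYTES)
    raw = base64.b32encode(serial + _tag(serial)).decode("ascii")  # 16 chars
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))

def parse_product_key(key: str):
    """Return the serial if this server issued the key, else None."""
    compact = key.replace("-", "").strip().upper()
    if len(compact) != 16:
        return None
    try:
        blob = base64.b32decode(compact)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    serial, tag = blob[:ID_BYTES], blob[ID_BYTES:]
    return serial if hmac.compare_digest(tag, _tag(serial)) else None

class ActivationService:
    """Web-service side: records which machines activated each key."""

    def __init__(self, seats_per_key: int):
        self.seats_per_key = seats_per_key
        self.activations = {}  # serial -> set of machine ids (hypothetical)

    def activate(self, key: str, machine_id: str) -> str:
        serial = parse_product_key(key)
        if serial is None:
            return "invalid-key"
        machines = self.activations.setdefault(serial, set())
        if machine_id not in machines and len(machines) >= self.seats_per_key:
            return "seat-limit-exceeded"  # candidate for manual review
        machines.add(machine_id)
        return "activated"
```

A 40-bit tag only resists guessing if the activation endpoint is rate limited, and the activation record lives in the service database, so revoking a leaked key is a server-side change.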

A: 

So far, I have found this link interesting:

http://www.emoreau.com/Entries/Articles/2007/12/Licensing-a-VBNet-application.aspx

It's a couple of years old though. I am thinking that I can incorporate the MotherBoardID and CPUID into the service idea above.

I would still love to hear from someone that knows how to roll this (a professional). It would be very beneficial as I am just a n00b.

ThaKidd
I am now at the point of considering asking clients to log in with user/pass into the app from the original purchase (like Skype/Foxmarks). Since I am doing site-wide licenses, maybe detect IP and other info to see if a client exceeds the license. I.e., a client signs up and says he has 15 people working for him and may have 5 more employed by the end of the year. If those 5 more are used and more requested, my company is notified to investigate. If it goes crazy, I revoke the user/pass involved. Could also host DB/require all users to have a user/pass to sign in.
ThaKidd
Bottom line, I want this to be flawless to the user but also turn your newb hackers off. If I can make it to where a user logs in with email and pass, I know that my app will be more like most web apps. The owner of the account would be able to create user/pass for his/her employees. If this isn't a good option, I will just move this to a hosted service. Am also looking into Silverlight etc... just don't know enough about it yet.
ThaKidd
A: 

Use a product like FlexNet Publisher http://www.flexerasoftware.com/products/flexnet-publisher.htm

Hari Chinnan
Looks like a great product...but I would like to roll my own.
ThaKidd
+4  A: 

If your application is useful, it will be cracked and released whether you use DRM or not. Just sell it without activation and go after the pirates as you would have before.

Kyle
Although you have a great point (and I do realize that this is how it is), this doesn't answer my question.
ThaKidd
A: 

Why roll your own? To be blunt - do you build your own database system when you need one too? I imagine not, and for good reason: the commercial solutions embody specialized expertise and experience, wide testing in a variety of deployment scenarios, and include expansion capability beyond your needs as you happen to perceive them right now, documentation, support and continuing development. Same is true for licensing systems.

A commercial license manager will save you considerable time, and probably be much more secure and capable than anything you could develop.

Dominic Haigh

+2  A: 

Don't bother - you won't stop pirates, but you will put off genuine customers.

Even the best can get this badly wrong. I own Macromedia Studio MX2004 and Adobe Creative Suite CS2. I recently had to wipe and reinstall my system. The first thing to note - I had enough problems with activation over this last time (several years ago) that it's the primary reason I have not cleaned up my system for so long. Since then, I've only ever restored from a hard-disk image where activation was already done - until now.

When I went to activate, both failed internet activation, even though I had no other apparent problems with internet access. Telephone activation wasn't too bad for Creative Suite, but Macromedia was of course bought out by Adobe years ago. All the old Macromedia phone activation stuff is no longer there. You can find Adobe activation numbers on the web site, of course, but they don't support activation of Macromedia software.

Interestingly, Adobe seems to run the "keep them on hold for a while, then disconnect them" system of telephone support.

Eventually, I resolved a firewall issue and managed to get internet activation to work - but that was after a couple of wasted hours and a fair amount of call charges.

The point here - if companies the scale of Adobe can't ensure easy activation, and companies the scale of Macromedia can be taken over - what chance have you got of credibly claiming this won't cause problems for paying customers?

When you buy software that requires activation, you are buying a timebomb. There will come a time when you cannot use it because you cannot activate it - except by downloading some pirate crack of course.

Potential customers know this, of course, and unless they have extremely compelling reasons to buy your particular product, odds are they'll go elsewhere. Or, since they're going to need that pirate crack some day, there's no time like the present of course.

Why should you care about customers who don't upgrade regularly? Better to ask - why should I be strong-armed into upgrading something when I don't need any new features? Even the perception that ceasing to support activation might be used this way is enough to make me and others think twice about software that needs activation.

Nothing ventured nothing gained - if you're unwilling to take some risk, you'll never make a profit. And while most pirates can never be turned into paying customers whatever you do, it is most certainly possible to turn paying customers into pirates. All you have to do is make sure that they get a better experience pirating your software rather than paying, which is precisely what activation, DRM etc. achieve.

EDIT

Incidentally, what I don't object to is the idea that everyone gets a unique "watermarked" download, so if you see widespread piracy, you can trace it to its source. There are binary watermarking systems that can ensure traceability even when someone has multiple copies to compare, though I have no idea how they work.

Watermarking can discourage people from making your software available but, even then, it's unlikely to stop piracy. It only takes e.g. one person to buy your product using an untraceable fake identity.

Steve314
I completely agree with you as a software user myself. Could you tell me more about watermarking downloads...or where I might find more info?
ThaKidd
@ThaKidd - sorry, no - I read a little bit about the theory once, but I only know that it's possible. For existing software, I'm sure your Googling skills are as good as mine.
Steve314