views:

1783

answers:

22

I will be selling a Windows application into an industry where many of the users will know and be friendly with many of the other prospective users. I expect that some users wouldn't think twice about copying the application for those other prospective users.

What is the best way to ensure that a Windows application isn't copied for other sites or installed on more computers than allowed on one particular site?

The application is for the supermarket industry. The initial user base will be owner/operators. Many of these owner/operators are in large chains that use Intranets and will not have general Internet access.

Edit: Thanks for all the good feedback. I have decided to use a proven library to add protection and will keep away from dongles. I accept that adding protection can be a PITA to users, but in the industry I'm working with I know that allowing free copying of the software in the hope that I'll get more sales just won't work. I can't agree with the comment to this question: "Copyright infringement isn't stealing".

A: 

You could do something simple like require the users to enter a unique registration code that you generate. Then, make the application phone home and report where it is and what its registration number is. Of course, this assumes users who are unmotivated to actually circumvent your copy protection (if you have motivated users, your problems are much larger).

Greg Hewgill
+1  A: 

There are a number of ways you can protect your software, from simple passwords to hardware based solutions.

Have a look at DESKey and HASP for a hardware solution.

There is an example of a web based solution on CodeProject.

stukelly
We have some software that uses HASP. Installation would take 2+ hours of retry, reboot, reinstall cycles to get the stupid dongle to work. We've since quit using the software.
David Poole
+1  A: 

I think it's like all security. Nothing is 100% secure, it's all shades of grey.

I think the most secure methods I've experienced are: USB dongles or license key servers. License key servers might not be such a great option over the internet.

Another good way is something that Joel Spolsky mentioned ages ago (can't remember where). The idea is that you have multiple copies of the same software with slightly different protection mechanisms in them.

If you had 4 of these, if someone cracked the software, you'd still only have a maximum 25% chance that if you download their exploit it will work.

IainMH
+15  A: 

Patrick McKenzie wrote a good entry on registration systems:

http://kalzumeus.com/2006/09/05/everything-you-need-to-know-about-registration-systems/

Peter
Good link - great article. Thanks.
robsoft
+4  A: 

Make it really bad, so that no-one wants to pirate it.

Make it a web app, so all the valuable parts run on your own server.

DrPizza
Error 665: missing method grin! Error 666: missing implementation exception. com.default.package SenseOfHumor not implemented
James Anderson
A: 

Update (after Bryan's suggestion to use MAC instead of IP): If your app cannot connect to the Internet, one way is to deliver applications which will work only for the specific MAC address. I have seen this technique in some commercial applications, where we had to give the MAC address first and they delivered the application hardcoded to work only with that MAC.

You can make it harder for others to understand the code using techniques like obfuscation. This won't prevent users from copying the app entirely on other machines though.

In the context of software, obfuscation is the process of scrambling the symbols, code, and data of a program to prevent reverse engineering.

Gulzar
A: 

From what you said, I think a Dongle is your best option. Obviously the Dongle doesn't need to contact a server etc. and works pretty much by itself. It's much harder to copy/break a Dongle, than it is to copy software - but it's not impossible.

I doubt though that in a corp environment this [breaking protection] would be a common practice.

Till
+11  A: 

In my experience, the biggest problem with dongle-based solutions is that there are few better methods to deter legitimate purchasers. Managing dongles in a corporate environment can be a major PITA and I've certainly ruled out purchases on the basis that their protection was dongle-based.

While they may be very effective at preventing loss through piracy, you must balance this against the potential loss of sales.

Steve Morgan
This is a very good point. I have stopped using Waves music software because they were absolute wankers. When I bought the software it didn't use dongles. One day it stopped working. I had to pay them $30 to speak to support who told me that I had to buy a third party key. Cock. Off. Never again.
IainMH
For industrial apps we found a dongle is the best/fairest way. It stops the customer copying your app to all their stores but still allows them to move it to a new machine or try it out in a new store without the hassle of new keys.
Martin Beckett
Dongles are also a huge inconvenience in a virtualized environment, which is very common in larger organizations these days.
Adam Lassek
What does PITA mean?
RHaguiuda
A: 

Update: If your app cannot connect to the Internet, one way is to deliver applications which will work only for the specific IP address. I have seen this technique in some commercial applications, where we had to give the IP address first and they delivered the application hardcoded to work only with that IP address.

It is better to use the MAC address than an IP address. Depending on the environment, IP addresses can change.

ctrlShiftBryan
You got it right. It is better to use the MAC address. I was thinking more of an intranet scenario with static IPs. MAC will work for any case.
Gulzar
+10  A: 

If you're talking about a corporate environment, wouldn't a simple registration key work? Make the application show promptly when it starts up "this copy is registered to so-and-so". Maybe with a phone number to report "mis-registered copies" and trigger audits.

I suspect no one would want their employees seeing they were stealing software.

zigdon
You could even generate bespoke copies of the software for each customer, with a fairly prominent "registered to" display and a button leading to a "who may use this" screen. A simple implementation would be easy to get around, but I doubt the community described would be up to it.
slim
+11  A: 

I know you didn't ask this, but I feel strongly that copy protection schemes are much more of a burden for legitimate users. It's harder for them to back up their software, and harder for them to deploy it in ways that work well for them. For example, in my home network I copy all software on to my Windows Home Server, and put the original CDs out of reach of peanut-buttery-fingers. I lose that for copy-protected software.

An alternative to copy protection is adding non-software value. When someone buys a license to your software, you could include the hardware that it will run on, on-site installation & training, and phone support. Carried to its logical conclusion, you change from a software business to a turnkey solution business. This kind of thing can be fantastic for customer loyalty.

You may also consider inserting fingerprints in to your software. Modify each distributed CD image in a different way (there are always a lot of bits that don't matter). Then when one appears in the wild, you can trace it back to the original source.

Good luck.

Jay Bazuzi
I'd also add that without copy protection, you'd likely sell *more* not fewer copies. Getting your software to prospective customers is what you want, right? The honest ones will buy it. The dishonest ones won't be stopped by copy protection.
bmb
Good point. I think I'd go even further and point out that unlicensed copies can be good for your business: if people are using your software, it's good exposure.
Jay Bazuzi
I don't want copy protection at all. But I doubt that anyone would sell more copies without copy protection. I just don't think you have to go "all the way", just make it harder for less-technical people to copy software, and leave the rest alone; they'll figure out how to copy anyway (or download).
steffenj
Here's an example: I'm not buying Spore because the copy protection on it is such a pain.
Jay Bazuzi
Worse yet: I bought Spore, and can't play it WITHOUT a crack because due to the copy protection the game wouldn't start on my system.
steffenj
+1  A: 

The most important advice is whatever you do, don't try to roll your own protection scheme. There are plenty of products out there, designed to do just this. You can have a look at Armadillo. It provides a licensing mechanism (with configurable parameters), anti-debugging features and a secured storage.

On Freund
+3  A: 

I think it's worth mentioning the Microsoft Software Licensing and Protection Services. I seem to remember they have an offline scenario available.

Might be interesting looking into that. From what I can remember the solution is based on an encrypted virtual machine which in turn runs your code. And you will have to choose an SLP licensing scheme that is best for your case.

For larger intranet scenarios you could consider installing the SLP Server 2008 at your customer's site which will certainly work without an internet uplink.

Hope that helps.

AlexDuggleby
A: 

Does your software communicate with any specialist hardware? If so, check if that has a unique serial number your software can read via an API. If that is the case, have your software possess an encrypted list of serial numbers it will work with, and on start up check the serial number it reads against this list.

In the past I have written software for the 2 way radio world and have found this to be a good method of dongle free protection.

IanW
A: 

Use Femida to protect the code. Also use internet registration for your users to prevent keys being copied.

Omega
+1  A: 

Despite DrPizza's flip "make it bad," the other part, "Make it a web app" is viable more and more of the time, and should always be considered.

The full question mentions the clients "will not have general internet access" so in this case a web app isn't appropriate. But the answer to the initial, unqualified question, should include "consider making it a web app." People who get led here by that question may not have the same limitation. (One reason to have as much of the question be IN the initial question line as is possible. Else we end up with ten identical question lines with different qualifiers in the long descriptive text.)

Paul Kroll
+1  A: 

@Paul Kroll

Despite DrPizza's flip "make it bad," the other part, "Make it a web app" is viable more and more of the time, and should always be considered.

It's not that flip. I suspect that a large proportion of software out there just isn't worth pirating. The developers put in all these complex protection schemes, because in their arrogance they imagine that everyone will want to use their program (and who can blame them? It's certainly no fun to be writing software that you know is of no interest to anyone) when in practice, they struggle to find enough people willing to use the thing at all (whether bought or pirated).

In short, I don't believe that piracy is a serious concern for most software.

DrPizza
+3  A: 

If you do use the MAC address as a unique ID, make it check for ANY of the MAC addresses. We had an issue with laptops where Windows would report the ethernet/wifi/bluetooth MAC address first at different times. Our registration system only used the first one = some unhappy customers!

I'm not saying that locking to the MAC address is the correct solution - but if you do, be careful.

Martin Beckett
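
The pitfall described in the answer above, as an added example that is not part of the original post: a licence check that compares only the first reported adapter fails when the enumeration order changes, while a check against any adapter does not. All function names are hypothetical, the MAC addresses are constructed sample values, and skipping locally administered addresses is an assumption added here.

```python
import re

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    return digits.lower() if len(digits) == 12 else None

def is_stable(mac):
    """Skip all-zero and locally administered addresses (bit 0x02 of the
    first octet), which virtual adapters and randomised Wi-Fi report."""
    return mac != "0" * 12 and not int(mac[:2], 16) & 0x02

def usable_macs(reported):
    """Normalise a list of reported addresses and keep the stable ones."""
    macs = (normalize_mac(r) for r in reported)
    return {m for m in macs if m and is_stable(m)}

def first_only_check(licensed, reported):
    """The fragile scheme: compare only the first adapter reported."""
    return bool(reported) and normalize_mac(reported[0]) == normalize_mac(licensed)

def any_adapter_check(licensed_macs, reported):
    """Accept when any stable adapter matches any licensed address."""
    return bool(usable_macs(licensed_macs) & usable_macs(reported))

# Constructed sample data: one laptop, adapters listed in a different
# order on two boots (ethernet, wifi, bluetooth), plus an unrelated PC.
LICENSED = "00-1A-2B-3C-4D-5E"            # ethernet MAC given at purchase
BOOT_A = ["00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f", "001A2B3C4D60"]
BOOT_B = ["001A2B3C4D60", "00:1a:2b:3c:4d:5f", "00-1A-2B-3C-4D-5E"]
OTHER_PC = ["02:00:4C:4F:4F:50", "00:1A:2B:99:99:99"]

if __name__ == "__main__":
    for name, adapters in [("boot A", BOOT_A), ("boot B", BOOT_B),
                           ("other PC", OTHER_PC)]:
        print(name,
              "first-only:", first_only_check(LICENSED, adapters),
              "any-adapter:", any_adapter_check([LICENSED], adapters))
```

A MAC address is not a secret and can be reconfigured, so this kind of binding only deters casual copying, which is the threat the question describes.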
+5  A: 

I suggest that the best way is to not put copy protection on it. Rely on the honesty of your users. They'll appreciate it and it generates goodwill towards your company. Sure, many will pirate it. If they call for tech support, gently suggest they pay for it. If their business gets hooked on your software, sooner or later they'll find it worth their while to pay for it.

Treat your customers with respect, and they'll return the favor. Assume your customers are crooks, and they'll only use your software if they have no choice.

P.S. I practice what I preach. None of the Digital Mars products have copy protection on them. Some you can even download the complete fully functional product and try it out before paying for it. There is no nagging, activation, registration, unlocking, time bombs, drm, dongles, etc.

Walter Bright
+1  A: 

Make it Open Source.

Pirates never seem to illegally distribute Open Source projects.

Charge for non-software support contracts. It's a viable business model. Plus, you get rid of the distribution costs! Torrent is cheap and easy.

Kieveli
If it's so specialized, with a single customer in mind, I don't think many people are going to pirate it.
Ubersoldat
+1  A: 

IMHO, these days, the best way to protect any application from piracy is to make it free open source and get your profit from support, installation, training, consulting and customization.

There is a lot of value in these five essential services associated with the software industry.

Good luck!

Skubs
Open Source it and instead of living from it, live from servicing it.
Ubersoldat
A: 

Second best method: Don't publish it (I'm serious here)

Best method: provide software as a service (and yes, this may require you to think out of the box - challenging...)

StormianRootSolver