Solved

protecting a java app

Posted on 2004-08-25
Last Modified: 2010-03-31
I want to distribute a Java application in demo mode and upon registration to enable the full mode. What are my options?
What I figured out so far is that I must get the user to submit some data (such as a name, id, etc.) and I'll offer a key generated from his data. He types the key in the app and if it matches his data the app gets into full mode. So far so good. BUT, what should the user's data be? What if one user registers and then tells everyone his data and key? Are there any other options? How are big-time commercial Java apps distributed?

Thanks
Question by:hapciu
13 Comments
 
LVL 35

Accepted Solution

by:
girionis earned 25 total points
Have your application communicate with your server when the user enters his key. Then if the key is valid, register the product and "cancel" this key (you could set a field in the database to true, like "keyUsed = true"). Then when the next user tries to re-enter the same key, check it against the database. If it is canceled (field "keyUsed" is true), then inform the user that this is an invalid key.
 

Author Comment

by:hapciu
That's doable, but I think it's a bit of overkill for my small-time app.
Is there a way to avoid communicating with my server? Can I get some absolutely unique data from the user's machine (i.e. not letting him enter his data but show it to him)?
 
LVL 16

Assisted Solution

by:krakatoa
krakatoa earned 25 total points
You could try to use the serial number of the hard disk.
 
LVL 86

Assisted Solution

by:CEHJ
CEHJ earned 25 total points
>>how are big-time commercial java apps distributed ?

They tend to generate time-limited keys. I know ATG and Together do.
 
LVL 35

Expert Comment

by:girionis
It is only needed to be done once, when the user first enters his/her key. After that there is no need to communicate with the server since the product will be unlocked.

> can I get some absolutely unique data from the user's machine (i.e. not letting him enter his data but show it to him) ?

You could get his I.P. (if it is static and if he is not behind a firewall) or his MAC address, but you can't get the MAC address with pure Java unless you use JNI.
 
LVL 35

Assisted Solution

by:TimYates
TimYates earned 25 total points
    java.rmi.dgc.VMID guid = new java.rmi.dgc.VMID();
    System.out.println(guid.toString());

returns:

    da4d755f7762b8ea:1dd7056:fe9638a9ff:-8000

on my machine, which is a SHA encoded IP address, hashcode, system time and a counter, so if you only look at the first two blocks of it, maybe that will be unique?

 
LVL 35

Expert Comment

by:TimYates
Actually, you could encode the key with the system time, and then you could make it only work for a specific period of time?

Maybe...
 

Author Comment

by:hapciu
CEHJ: What is a time-limited key? Do they still communicate with the company's server?
 
LVL 86

Expert Comment

by:CEHJ
>>CEHJ: what is a time limited key ?

A licence key that expires after a period. In some cases, network connections are not made.
 
LVL 35

Expert Comment

by:TimYates
And at the end of the day, with perseverance, a copy of JAD, a copy of BCEL, and the JDK, people will probably be able to strip the protection out...  :-(

So I wouldn't stress about it for too long...
 

Expert Comment

by:hunor_nam
What kind of app is it? Can't you include in the hash some user specific data?
What I mean is that for an accounting application (for example), you could include the registration number of the company (which usually appears on reports and other stuff - so another company will NOT work with the same one)
If not... you could include the computer name and the "registered to" name (Windows)... but all of this is changeable...
The only remaining option is (as stated above) the HDD serial number and/or the MAC address... but what happens when he changes hardware? You reissue...
But then as well maybe he does not, and just applies for reissue, with his "friends" data :) So you are mostly stuck. The best would be to have server communication... but I don't know if that pays off...
