  • Status: Solved
  • Priority: Medium
  • Security: Public

protecting a java app

I want to distribute a Java application in demo mode and, upon registration, enable the full mode. What are my options?
What I figured out so far is that I must get the user to submit some data (such as a name, id, etc.) and I'll offer a key generated from his data. He types the key in the app and if it matches his data the app gets into full mode. So far so good. BUT, what should the user's data be? What if one user registers and then tells everyone his data and key? Are there any other options? How are big-time commercial Java apps distributed?

thanks
0
hapciu
4 Solutions
 
girionis Commented:
Have your application communicate with your server when the user enters his key. Then if the key is valid register the product and "cancel" this key (you could set a field in the database to true, like "keyUsed = true"). Then when next user tries to re-enter the same key check it against the database. If it is canceled (field "keyUsed" is true) then inform the user that this is an invalid key.
0
 
hapciu (Author) Commented:
That's doable, but I think it's a bit of overkill for my small-time app.
Is there a way to avoid communicating with my server? Can I get some absolutely unique data from the user's machine (i.e. not letting him enter his data but show it to him)?
0
 
krakatoa Commented:
You could try to use the serial number of the hard disk.
0
 
CEHJ Commented:
>>how are big-time commercial java apps distributed ?

They tend to generate time-limited keys. I know ATG and Together do
0
 
girionis Commented:
It is only needed to be done once, when the user first enters his/her key. After that there is no need to communicate with the server since the product will be unlocked.

> can I get some absolutely unique data from the user's machine (i.e. not letting him enter his data but show it to him) ?

You could get his I.P. (if it is static and if he is not behind a firewall) or his MAC address, but you can't get the MAC address with pure Java unless you use JNI.
0
 
TimYates Commented:
    java.rmi.dgc.VMID guid = new java.rmi.dgc.VMID();
    System.out.println(guid.toString());

returns:

    da4d755f7762b8ea:1dd7056:fe9638a9ff:-8000

on my machine, which is a SHA encoded IP address, hashcode, system time and a counter, so if you only look at the first two blocks of it, maybe that will be unique?

0
 
TimYates Commented:
Actually, you could encode the key with the system time, and then you could make it only work for a specific period of time?

Maybe...
0
 
hapciu (Author) Commented:
CEHJ: What is a time-limited key? Do they still communicate with the company's server?
0
 
CEHJ Commented:
>>CEHJ: what is a time limited key ?

A licence key that expires after a period. In some cases, network connections are not made.
0
 
TimYates Commented:
And at the end of the day, with perseverance, a copy of JAD, a copy of BCEL, and the JDK, people will probably be able to strip the protection out...  :-(

So I wouldn't stress about it for too long...
0
 
hunor_nam Commented:
What kind of app is it? Can't you include in the hash some user specific data?
What I mean is that for an accounting application (for example), you could include the registration number of the company (which usually appears on reports and other stuff - so another company will NOT work with the same one)
If not... you could include the computer name and the "registered to" name (windows)... but all of this is changeable...
The only remaining option is (as stated above) the HDD serial number and/or the MAC address... but what happens when he changes hardware? You reissue...
But then as well maybe he does not, and just applies for reissue, with his "friends" data :) So you are mostly stuck. The best would be to have server communication... but I don't know if that pays off...
0
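
As an added example (not code from any poster in this thread): a minimal offline licence key that ties together the ideas raised above, user data, a machine identifier and an expiry date, checked without contacting a server. It uses an RSA signature, which the thread does not mention, so the application ships only the public key; the payload layout, the class and method names, and the machine-ID strings are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.LocalDate;
import java.util.Base64;

public class LicenseDemo {
    // Vendor side. Assumed payload layout: name|machineId|expiry (ISO date).
    static String issue(PrivateKey vendorKey, String name, String machineId, LocalDate expiry)
            throws GeneralSecurityException {
        byte[] payload = (name + "|" + machineId + "|" + expiry).getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendorKey);
        s.update(payload);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(s.sign());
    }

    // Application side: needs only the vendor's public key, no network access.
    static boolean isValid(PublicKey vendorPub, String key, String thisMachineId, LocalDate today) {
        try {
            String[] parts = key.split("\\.");
            if (parts.length != 2) return false;
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(vendorPub);
            s.update(payload);
            if (!s.verify(Base64.getUrlDecoder().decode(parts[1]))) return false;
            // Only trust the fields after the signature has been verified.
            String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|");
            return f.length == 3 && f[1].equals(thisMachineId)
                    && !today.isAfter(LocalDate.parse(f[2]));
        } catch (GeneralSecurityException | RuntimeException e) {
            return false; // malformed, truncated or tampered key
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // demo only: the private key never ships with the app
        LocalDate today = LocalDate.of(2024, 1, 15); // constructed sample date
        String key = issue(kp.getPrivate(), "Example User", "MACHINE-ID-A", today.plusDays(30));
        System.out.println("same machine, in date:  " + isValid(kp.getPublic(), key, "MACHINE-ID-A", today));
        System.out.println("other machine:          " + isValid(kp.getPublic(), key, "MACHINE-ID-B", today));
        System.out.println("same machine, expired:  " + isValid(kp.getPublic(), key, "MACHINE-ID-A", today.plusDays(31)));
    }
}
```

A signed key stops a shared name/key pair from working on another machine and stops a key generator from being derived from the shipped code, but it does not stop someone from patching the check out of the bytecode, as noted in the thread.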