How to manage secure downloading?

Posted on 2005-04-07
Last Modified: 2013-12-03
Let's pretend I've developed an app and my customers can download the app after paying.
What kind of tools and services do I need to manage a secure downloading environment. This means allowing only authorized users to download, keeping a log of customers who actually downloaded and how many times, etc.

This is a hypothetical situation and I haven't thought much about it. Any additional factors to consider, please let me know.
Question by:rj94070
    LVL 51

    Assisted Solution

    depends on how you allow the download, assuming http or ftp you simply check your web server's or ftp server's log files for requests to the download path

    Authorization can get complicated if you have anonymous customers, more or less ..
    I'd use a hashed filename given to the user which than can be downloaded, and will be removed after resonable time.
    LVL 4

    Assisted Solution

    Well, first thing to do is thinking what you are going to do. If you let people download, you must make sure that the link cant be used to let another, unauthorized person download. This is most times a major point, and is the reason why many development compagnies just let you download a free version, and then require a liscence key to activate the product. In that case they can also block illegal serials from downloading updates from the site. Of course serial keys are hacked a lot of times, and distributing them is way easier then an entire software packet

    But serials werent your question. Well a secure internet connection.. let me think... At first you need an encrypted internet connection to your customer, to make sure that data entered to order on your site, isnt stolen. Privacy is always needed, otherwise customers wont buy. Of course you can also let them pay with paypal, and after that giving them a link.

    About the links: they should be limited to. Eigther they should have a personal account that allows them to login and download the software. If they arent logged in, there should not be a download. Option 2 is giving them a 1 time link to download. This however, created the problem of people who payed and ned a new download, as well as the problem that the link could be used before. This can be solved by making it a 1 time link with a password (in fact the same as option 1)

    The third thing is a privacy policy. In that you describe what will happen to the data they enter on your site. Most times a policy tells they wont sell data to third party persons, and that its kept confidential. This policy is really needed, since a lot of people worrie about spam or unwanted identification of who they are.

    NOTE: the best thing you can do is offering it to a third party distribution site, and ask if they want to allow you to sell it there. this can be fairly cheap if you just want them as a safe connection. If you want them to handle the sale and such, you most times will only get a royalty, and they keep the rest. Even so, a known download site as a vendor can be crucial, if you cant distribute it on your own. And generally people trust a known site more, then the site of an (Unknown) software vendor.
    LVL 38

    Accepted Solution

    As FalconHawk has eluded to, using a one-time url for users to DL assures you that they cannot DL the program multiple times, however this doesn't stop them from distributing it themselves. That is where the Serial's that FalconHawk also mentioned. Again, the serial can be shared with the DL if they are distributing it- these are called "warez". In your code you'd have to make it check in with your servers to make sure that only one person is using it if that is all it's licensed for, and then you need a way to track that as proof- IP address's aren't good enough, you'll need to derive a key from the machine itself in order to uniquly identify it... it's quite a task to make sure that only 1 single user is using your code.

    Your question wasn't really about that... you can use your log's on the server, set a cookie to see if the same person comes back, or try the tracking method discussed here:

    RegNow is a very popular site to secure your DL's
    They only let you access the URL to DL after they have secured payment. Again, after it's DL'd, it can be distributed, along with a serial number, unless you can derive a unique identifier to associate the pc with. Even then, if someone want's it bad enough, they will crack the mechanism your using for auth, and either "patch" your code to not ask or make contact with your servers for validation, or make a keygen for it.
    To defend against these such attacks, or make them very time consuming, read the woodmann cracker sites to show you what they do to by-pass what you do

    One of the best "anti-theft" programs out there is for Adobe PDF's- no one has cracked it yet, but this is rare with popular software. It's called FileOpen this doesn't really apply to your situation
    LVL 4

    Assisted Solution

    Rich continued where i stopped at serials with the unique machine ID. This ID is probally a great idea, be it that it still can be evaded. Now, how is such an ID made? Well, to my knoledge (and there are of course more ways) there are 2 ways.

    Way number 1 is letting the software generate a long ID at its first startup, store it, and then combine it with a serial. You already see the catch? The serial is generated on the machine, and so the correct serial is always trackable if you see how an ID and a serial is combined. Besides, you cant really track any illegal serials, since you have no data about who is who and if its a legal serial. Of course you can let your site generate and sent the keys, but real safe it isnt. Granted, its safer then just entering a serial, but once the methode is know, you got trouble.

    Way 2 is safer then 1, but still not perfect. In this way, it takes the hardware IDs in your pc, preforms some math with them and then makes it the ID. This way is safer because you always get the same ID. If you ever need to re-download the ID is still the same. With one of these 2 methodes, you are safe from serial sites, and if you make the math  bit complex in methode 1, you can also be fairly sure noone will make a key pass generator.

    Is it safe now? NO. There is a third kind of software called cracks. Cracks litterally attack your code and alter it to what they want. In most times, they do this: Instead of letting the software check if its correct, they alter it so that it think its already registered, or that a serial is valid, or that any thing entered is valid. This causes the software to unlock itsself, and costing you people who buy it.

    Is software never safe then? No. There will always be hackers. But there is 1 way you can be sure its fairly safe. the problem is that most software manufacturers give out trial versions that cease working after a few days. This is just to easy, since you can just take out the days to have the full software.

    THE BEST WAY: The best way is using both methodes. At first, never give away full trial version for above described reasons, but make a limited version(freeware). That way it cant be unlocked since it doesnt have the payed software files. Then if people buy, make a 1 time download link. This link makes sure that only 1 person gets the software. After that they need a machine ID to make sure they dont spread it to friends.

    Is this methode really safe? Yes, not completely, but its one of the safest there are. Crack sites downt upload full software, but crack only. This is due bandwith issues, and storage space. Think yourself, an app is at least 2 mb, and having 500 of those apps is a gig storage space, + a lot of used bandwith. And what about a game like Halflife? They are reaching over gigabyte sizes.
    LVL 51

    Assisted Solution

    think we all agree that there is no way to inhibit software from being decompiled or security mechanisms disabled, you just can make it harder to find serious information by obfuscating things, somehow ..
    Well, this does not the question, but it probaly gives you an idea how much resources you need to make things complicated. You have to decide if your software is worth these efforts.

    Author Comment

    Thank you, guys, for your comments.
    There are lots of things to consider. I mainly want to provide AUTOMATIC download after receiving payment, and have a record of successful downloads. I don't think I will try to fully protect the software, although the Microsoft dosfuscation(?) tool that comes with Visual Studio seems to help.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Join & Write a Comment

    I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
    Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now