[Last Call] Learn how to a build a cloud-first strategyRegister Now


How to manage secure downloading?

Posted on 2005-04-07
Medium Priority
Last Modified: 2013-12-03
Let's pretend I've developed an app and my customers can download the app after paying.
What kind of tools and services do I need to manage a secure downloading environment. This means allowing only authorized users to download, keeping a log of customers who actually downloaded and how many times, etc.

This is a hypothetical situation and I haven't thought much about it. Any additional factors to consider, please let me know.
Question by:rj94070
LVL 51

Assisted Solution

ahoffmann earned 400 total points
ID: 13725074
depends on how you allow the download, assuming http or ftp you simply check your web server's or ftp server's log files for requests to the download path

Authorization can get complicated if you have anonymous customers, more or less ..
I'd use a hashed filename given to the user which than can be downloaded, and will be removed after resonable time.

Assisted Solution

FalconHawk earned 1000 total points
ID: 13726286
Well, first thing to do is thinking what you are going to do. If you let people download, you must make sure that the link cant be used to let another, unauthorized person download. This is most times a major point, and is the reason why many development compagnies just let you download a free version, and then require a liscence key to activate the product. In that case they can also block illegal serials from downloading updates from the site. Of course serial keys are hacked a lot of times, and distributing them is way easier then an entire software packet

But serials werent your question. Well a secure internet connection.. let me think... At first you need an encrypted internet connection to your customer, to make sure that data entered to order on your site, isnt stolen. Privacy is always needed, otherwise customers wont buy. Of course you can also let them pay with paypal, and after that giving them a link.

About the links: they should be limited to. Eigther they should have a personal account that allows them to login and download the software. If they arent logged in, there should not be a download. Option 2 is giving them a 1 time link to download. This however, created the problem of people who payed and ned a new download, as well as the problem that the link could be used before. This can be solved by making it a 1 time link with a password (in fact the same as option 1)

The third thing is a privacy policy. In that you describe what will happen to the data they enter on your site. Most times a policy tells they wont sell data to third party persons, and that its kept confidential. This policy is really needed, since a lot of people worrie about spam or unwanted identification of who they are.

NOTE: the best thing you can do is offering it to a third party distribution site, and ask if they want to allow you to sell it there. this can be fairly cheap if you just want them as a safe connection. If you want them to handle the sale and such, you most times will only get a royalty, and they keep the rest. Even so, a known download site as a vendor can be crucial, if you cant distribute it on your own. And generally people trust a known site more, then the site of an (Unknown) software vendor.
LVL 38

Accepted Solution

Rich Rumble earned 600 total points
ID: 13732022
As FalconHawk has eluded to, using a one-time url for users to DL assures you that they cannot DL the program multiple times, however this doesn't stop them from distributing it themselves. That is where the Serial's that FalconHawk also mentioned. Again, the serial can be shared with the DL if they are distributing it- these are called "warez". In your code you'd have to make it check in with your servers to make sure that only one person is using it if that is all it's licensed for, and then you need a way to track that as proof- IP address's aren't good enough, you'll need to derive a key from the machine itself in order to uniquly identify it... it's quite a task to make sure that only 1 single user is using your code.

Your question wasn't really about that... you can use your log's on the server, set a cookie to see if the same person comes back, or try the tracking method discussed here: http://www.internetweek.com/showArticle.jhtml?articleID=160400749

RegNow is a very popular site to secure your DL's http://www.regnow.com/ 
They only let you access the URL to DL after they have secured payment. Again, after it's DL'd, it can be distributed, along with a serial number, unless you can derive a unique identifier to associate the pc with. Even then, if someone want's it bad enough, they will crack the mechanism your using for auth, and either "patch" your code to not ask or make contact with your servers for validation, or make a keygen for it.
To defend against these such attacks, or make them very time consuming, read the woodmann cracker sites to show you what they do to by-pass what you do

One of the best "anti-theft" programs out there is for Adobe PDF's- no one has cracked it yet, but this is rare with popular software. It's called FileOpen
http://www.fileopen.com/ this doesn't really apply to your situation
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.


Assisted Solution

FalconHawk earned 1000 total points
ID: 13734057
Rich continued where i stopped at serials with the unique machine ID. This ID is probally a great idea, be it that it still can be evaded. Now, how is such an ID made? Well, to my knoledge (and there are of course more ways) there are 2 ways.

Way number 1 is letting the software generate a long ID at its first startup, store it, and then combine it with a serial. You already see the catch? The serial is generated on the machine, and so the correct serial is always trackable if you see how an ID and a serial is combined. Besides, you cant really track any illegal serials, since you have no data about who is who and if its a legal serial. Of course you can let your site generate and sent the keys, but real safe it isnt. Granted, its safer then just entering a serial, but once the methode is know, you got trouble.

Way 2 is safer then 1, but still not perfect. In this way, it takes the hardware IDs in your pc, preforms some math with them and then makes it the ID. This way is safer because you always get the same ID. If you ever need to re-download the ID is still the same. With one of these 2 methodes, you are safe from serial sites, and if you make the math  bit complex in methode 1, you can also be fairly sure noone will make a key pass generator.

Is it safe now? NO. There is a third kind of software called cracks. Cracks litterally attack your code and alter it to what they want. In most times, they do this: Instead of letting the software check if its correct, they alter it so that it think its already registered, or that a serial is valid, or that any thing entered is valid. This causes the software to unlock itsself, and costing you people who buy it.

Is software never safe then? No. There will always be hackers. But there is 1 way you can be sure its fairly safe. the problem is that most software manufacturers give out trial versions that cease working after a few days. This is just to easy, since you can just take out the days to have the full software.

THE BEST WAY: The best way is using both methodes. At first, never give away full trial version for above described reasons, but make a limited version(freeware). That way it cant be unlocked since it doesnt have the payed software files. Then if people buy, make a 1 time download link. This link makes sure that only 1 person gets the software. After that they need a machine ID to make sure they dont spread it to friends.

Is this methode really safe? Yes, not completely, but its one of the safest there are. Crack sites downt upload full software, but crack only. This is due bandwith issues, and storage space. Think yourself, an app is at least 2 mb, and having 500 of those apps is a gig storage space, + a lot of used bandwith. And what about a game like Halflife? They are reaching over gigabyte sizes.
LVL 51

Assisted Solution

ahoffmann earned 400 total points
ID: 13734452
think we all agree that there is no way to inhibit software from being decompiled or security mechanisms disabled, you just can make it harder to find serious information by obfuscating things, somehow ..
Well, this does not the question, but it probaly gives you an idea how much resources you need to make things complicated. You have to decide if your software is worth these efforts.

Author Comment

ID: 13740521
Thank you, guys, for your comments.
There are lots of things to consider. I mainly want to provide AUTOMATIC download after receiving payment, and have a record of successful downloads. I don't think I will try to fully protect the software, although the Microsoft dosfuscation(?) tool that comes with Visual Studio seems to help.

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question