
Is there a secure solution for Java applications to bind them to a specific user or computer, e.g. by using the MAC address (unsafe because can be changed?) or any other hardware specific data?

We don't want to create hardware solutions like USB sticks / dongles but need to check if the user of the software is allowed to use it.

Generally which is the best option against software piracy?
Always-online?
Server-check?
Using hardware data for identifying?
...

  • *Which is the best option against software piracy?* Make it free software :-) – JB Nizet Dec 30 '12 at 15:42
  • This is not a real option for a small startup or company going open source, ok you can charge money for support but that's often not enough for the beginning. –  Dec 30 '12 at 15:45
  • I understand that. It was meant as a semi-serious joke, hence the smiley. – JB Nizet Dec 30 '12 at 15:57
  • No problem =) Outsourcing at a later point is indeed planned and a real option but not now. –  Dec 30 '12 at 16:02
  • The most appropriate solution to this will also depend on factors such as the size of your customer base, how many support calls you can handle, whether your software is or not a target for crackers (usually highly priced products are). – izilotti Dec 30 '12 at 18:25

2 Answers


Using a combination of local system identification and an online check has worked effectively for me in the past; the two are perhaps not mutually exclusive. You could obtain various system-related properties by using one or more of the following methods:

```java
System.getProperty("user.name");
System.getProperty("user.home");
System.getProperty("os.arch"); // the operating system architecture
System.getProperty("os.name");
System.getProperty("os.version");
```

These details could then be hashed using the java.security.MessageDigest package and associated with your user's account on the server. Authenticating the user and machine would then be as simple as having your client software send the resulting hash to the server as part of its startup routine.

Giles Thompson
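
The hashing step described in the answer above, as an added example that is not part of the original answer: it hashes the five listed properties with SHA-256 and compares the result the way a server could. The class and method names are assumptions; every input is a client-side value the user can change, so the hash is a weak identifier that belongs alongside a server-side license check rather than in place of one.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical class name; not code from the answer.
public class MachineFingerprint {
    // The system properties named in the answer.
    private static final String[] KEYS = {
        "user.name", "user.home", "os.arch", "os.name", "os.version"
    };

    /** SHA-256 over length-prefixed key=value entries, as lowercase hex. */
    static String fingerprint() throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (String key : KEYS) {
            String value = System.getProperty(key, "");
            byte[] entry = (key + "=" + value).getBytes(StandardCharsets.UTF_8);
            // The length prefix stops adjacent values from running together,
            // so two different sets of values cannot yield the same byte stream.
            md.update(ByteBuffer.allocate(4).putInt(entry.length).array());
            md.update(entry);
        }
        return toHex(md.digest());
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** Server-side comparison (assumed design): stored hash vs. presented hash. */
    static boolean matches(String storedHex, String presentedHex) {
        // MessageDigest.isEqual compares the arrays in constant time.
        return MessageDigest.isEqual(
            storedHex.getBytes(StandardCharsets.US_ASCII),
            presentedHex.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed scenario: the value stored at registration is the
        // fingerprint of this same machine, so the check succeeds.
        String stored = fingerprint();
        System.out.println("fingerprint:  " + stored);
        System.out.println("same machine: " + matches(stored, fingerprint()));
    }
}
```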

One popular trend is when the software checks license validity on startup (or regularly) with the central server. This way you can revoke a compromised license. There are probably a number of services that will manage these licenses for you; I saw Esellerate used.

At the same time, any protection you add to your Java app can be easily reverse-engineered or simply overloaded, unless you go to great lengths obfuscating and securing the code. It is a very hard task and the results may not be worth the effort.

Some companies (e.g. one where I work) do not go to great lengths beyond basic license generation/verification code. A combination of trusting customers' honesty and providing support only to valid license holders works well.

Vitaly Osipov