2

I inserted in my GUI python code the following lines

if time.time() > 1408492800: # 20-Aug-2014 at midnight
    disp("licence expired!")
else:
    root = Tk()
    app = App(root)
    root.mainloop()

Is that secure? Is there any other way to prevent people using the code after the 20th of august? Is any other way people could find a workaround on that?

I forgot to say that I'm going to compile than under Windows.

Nicholas
  • 1,915
  • 31
  • 55
  • are you going to provide the source code in your delivery? – Aprillion Aug 03 '14 at 13:11
  • 1
    Isn't `time` just using the system clock? They could just change the system clock to get around your check. – ydaetskcoR Aug 03 '14 at 13:11
  • @Aprillion of course not.... – Nicholas Aug 03 '14 at 13:12
  • @ydaetskcoR :(, so there is another way? – Nicholas Aug 03 '14 at 13:12
  • You'd have to check against a remote server that the user has no access to. This could be your own or some other server but you'd have to be able to trust it. – ydaetskcoR Aug 03 '14 at 13:13
  • 1
    I think in a python app, it would not be hard to get around no matter what you do. – Padraic Cunningham Aug 03 '14 at 13:18
  • @PadraicCunningham ok, don't think that highly trained hackers like you are going to use that code. – Nicholas Aug 03 '14 at 13:19
  • lol I am certainly not a highly trained hacker but it is very easy decompile python bytecode to get the source – Padraic Cunningham Aug 03 '14 at 13:20
  • @PadraicCunningham mmm that is not nice, hope people will start decompiling my code under its beta tests... – Nicholas Aug 03 '14 at 13:22
  • i think you would have to send a public license key from the app to your server and establish license validity on the server and send back a 1-time-token to compare against a sequence of tokens stored in the app to be truly secure. but checking time against system time should be good enough against good-willing and/or unskilled users – Aprillion Aug 03 '14 at 13:28
  • @Aprillion Thank you for the hint. I wouldn't have any idea to accomplish that (if you have some helps perhaps I can try). At the moment I'd go for the checking machine time and I'll write a good license agreement. – Nicholas Aug 03 '14 at 13:32

2 Answers2

0

The time module uses the system clock so this could easily be circumvented by changing their system clock to use your application. This will, in fact, likely be the first thing a user will try when a licence expires on them.

To stop them circumventing your check you would need to check the time on a trusted remote server. This could be your own or another remote trusted server that will provide the time on request.

ydaetskcoR
  • 53,225
  • 8
  • 158
  • 177
  • Since I don't have a server on my own, is it possible to grab the time from a website and use that? For example like that: http://www.epochconverter.com/epoch/clock.php – Nicholas Aug 03 '14 at 13:18
  • of course that's not the first thing a user will try when a license expires. not everyone wants to risk to use illegal software (assuming license agreement is well written) and if they are willing to do so, it is just as easy to set up a reverse proxy that would send back spoofed response with wrong time – Aprillion Aug 03 '14 at 13:21
0

I think I found a nice workaround to my own problem using the following post adapted for Python 2.7 Get webpage contents with Python? and the webapp http://just-the-time.appspot.com/?f=%Y%m%d,%20seconds%20since%20the%20epoch:%20%t as follows

# find the current time
try:
    pagina = urllib.urlopen('http://just-the-time.appspot.com/?f=%Y%m%d,%20seconds%20since%20the%20epoch:%20%t')
    tempo = pagina.read()
    real_time = tempo[35:48]
except IOError:
    exit()

if (time.time() > 1408492800) or (float(real_time) > 1408492800): # 20 August 2014 at 00:00
    disp("License expired!")
else:
    root = Tk()
    app = App(root)
    root.mainloop()
Community
  • 1
  • 1
Nicholas
  • 1,915
  • 31
  • 55