5

Eventually (fingers crossed) I would like to see my application on the market. I envision selling my application with timely licenses (monthly, annually, etc.) and only allow user access if they are within the confines of their license. For example, if I were to purchase a one month license of my program, after 32 days have passed from the purchase date I would no longer be granted full access to the application.

Some things I have thought of:

1) Writing / reading to registry keys (not recommended) - In this scenario I would create a registry key using encrypted information regarding the customer's purchase, and have my application check back and forth with registry, checking to see if the user has exhausted his license.

2) Reading from a web page (secure? NO!) - I was thinking of constructing a table, which would include information regarding all of my customers (Customer ID, license purchased, date purchased, etc.). Again, this information would have to be encrypted / decrypted which is not a problem at all. What if, though, the customer turned off their internet connection?



What would you all say is the most efficient AND most intelligent method for storing / reading customer information?

Security is key!

Thank you, Evan

  • There is a related topic here: http://stackoverflow.com/questions/453030/how-can-i-create-a-product-key-for-my-c-app – Alireza Maddah May 21 '11 at 14:19
  • And don't forget to [obfuscate](http://en.wikipedia.org/wiki/Obfuscated_code) your code. – Searock May 21 '11 at 14:32
  • @Searock do you know of any programs that obfuscate code that you would recommend to me? –  May 21 '11 at 14:34
  • I haven't really tried obfuscating my code, so I'm sorry I can't suggest any tool. Maybe you could find a good one by searching on Stack Overflow. – Searock May 21 '11 at 14:52

1 Answer

7

The most efficient is to give up on creating a totally secure application. Anyone that really wants to break the security system will be able to do so, for example by decompiling the code and commenting out the license checks.

I would go with a simple storage in the registry or in a file in %appdata% (e.g. storing all the purchase details in plain text form, together with a checksum value in a DWORD field). For most users it will make it easier to pay than to try to break the security.

To really protect the app from someone who wants to break it you would have to place some essential part of the application's logic in a web service, on servers under your control, and then make all clients use it. Note that it is not enough to have a web service that the app just checks validity with; the web service needs to perform an essential operation that the program won't work without. Then the "only" issue left is how to authenticate and authorize clients to use the web service and handle the issue that the app needs internet access. You also have to take into account any privacy/secrecy issues with the data transferred to your server for calculations.

Such an approach is hardly ever worthwhile, unless you have a really secret, valuable algorithm to protect.

Anders Abel
  • Wouldn't any user monitoring his computer find any file that I created in APPDATA or any other directory? –  May 21 '11 at 14:25
  • 1
    No algorithm is this valuable. Users will pay more money for your solution if it is easy to use. They'll be more likely to look elsewhere or do without if you implement draconian licensing. – Cody Gray - on strike May 21 '11 at 14:27
  • I am not trying to block 100% of users - we all know this is an impossible task. I want to block the largest amount of users possible without being too annoying to paying customers. I want to create probably three SECURE checks. –  May 21 '11 at 14:33
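
The plain-text license with a checksum that the answer describes, as an added example that is not part of the original answer or comments. It uses a keyed HMAC-SHA256 in place of a DWORD checksum; `APP_KEY`, the field names and the sample license are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumption: a key compiled into the application. Anyone who decompiles the
# program can recover it, so this stops casual edits of the file only.
APP_KEY = b"constructed-demo-key"


def issue_license(customer_id: str, purchased: date, days: int) -> str:
    """Build the plain-text license body and append its keyed checksum."""
    body = (f"customer={customer_id}\n"
            f"purchased={purchased.isoformat()}\n"
            f"days={days}\n")
    tag = hmac.new(APP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + f"checksum={tag}\n"


def check_license(text: str, today: date) -> str:
    """Return 'valid', 'expired' or 'tampered' for a stored license."""
    body, sep, stored = text.rpartition("checksum=")
    if not sep:
        return "tampered"  # checksum line missing
    expected = hmac.new(APP_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), stored.strip().encode()):
        return "tampered"  # any edit to the body changes the checksum
    try:
        fields = dict(line.split("=", 1) for line in body.splitlines())
        purchased = date.fromisoformat(fields["purchased"])
        expires = purchased + timedelta(days=int(fields["days"]))
    except (KeyError, ValueError):
        return "tampered"
    return "valid" if today <= expires else "expired"


# Constructed sample: a 31-day license purchased on 2011-05-21.
SAMPLE = issue_license("C-1001", date(2011, 5, 21), 31)

if __name__ == "__main__":
    print(SAMPLE)
    print(check_license(SAMPLE, date(2011, 6, 1)))
    print(check_license(SAMPLE.replace("days=31", "days=3650"), date(2011, 6, 1)))
```

The check relies on the local clock and on a key that ships with the program, which matches the answer's point that local storage only makes paying easier than tampering.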