Have done some research and found some stuff that may be helpful. I would like your opinion about my approaches on this.

THE GOAL

I will develop an application in PHP (that's the only language I know and unfortunately I don't have time to learn another one right now). I want this application to be able to run offline and locally on any PC. I will use WAMP server and the CakePHP framework for this.

THE PROBLEM

This application will be for sale. So I will need some activation method to prevent each app from being used on multiple computers. I don't want something complicated or very very secure. I just need something simple, to prevent non-programmers from running this app on any computer. Of course, the more secure, the better! :)

POSSIBLE SOLUTIONS I AM THINKING OF

First of all, I am thinking to force users to activate their application, by going online during installation. That way they could get a unique KEY from my online database.

I found PHP's shell_exec command. So I am thinking, during online installation, to get the Host ID (Machine ID) of that computer, send it to my server and store it in my database next to a unique KEY. Then the Machine ID and unique KEY can be stored in a PHP file. (Could I store it somewhere more secure? Maybe encrypt it?)

Every time the user opens the application, PHP will read the machine ID. If it is not the same as the one stored in the PHP file, an activation will be required. (Maybe I could store the computer's name too, or some other ID?)

Is that a good approach? Would it be possible?

Another approach I am thinking of is to have a guy create a non-PHP installation file. When run, it will prompt the WAMP installation and, when installation finishes, will transfer all necessary files to the WAMP root folder (automation for the user). I can only guess that this will work, though, as my knowledge of other languages is limited...

Could I benefit from this in validation terms? Can a non-PHP file interact with my PHP application and validate it, for only one unique computer?

Any info will be much appreciated. I have just started building the application and want to know if there is a good way (or none) to secure it.

Thanks!

m.spyratos
  • PHP isn't compiled so unless you plan on encoding it, everyone will have access to your source code. I think it's time to learn a language more suited for desktop application development... – Jeremy Harris Mar 27 '12 at 00:09
  • Thanks Cillosis, but at the moment PHP is my only option. As stated, I am just seeking minimum protection, from non-programmer users. Or maybe the best protection with what I have. – m.spyratos Mar 27 '12 at 00:58
  • Code is scary to non-programmers. Just sayin. – Jeremy Harris Mar 27 '12 at 01:03
  • I agree! But I don't want them to just copy and paste the files to another computer and have it working. I want to make this as difficult as it can be. Not impossible, not a piece of cake. Just looking into approaches. Thanks again! – m.spyratos Mar 27 '12 at 01:11

1 Answer

There is no point in all of this because if people want they can simply crack any of the copy protection methods you came up with. This also applies to any other app written in any other language. If people want to use it without permissions there are ways to do that.

There are some ways to obfuscate the code (see Is there a code obfuscator for PHP?) but these solutions are just silly because if people really want they can get the code in plain text anyways.

A better idea might be to run the app on your server and allow people to pay for it monthly, Software as a Service like Google Apps for Business.

floriank
  • Thank you for your answer, Burzum. I believe, though, that you didn't read my whole post. I know there isn't a perfect protection, especially with PHP. As stated, and as I wrote to Cillosis, I am just seeking minimum protection, from non-programmer users. Or maybe the best protection with what I have. Thank you again for taking the time to answer, I found it very useful. Maybe I'll check it as correct in a few days. As for an online app, I thought of it, but I really don't want to limit customers to being online. That would be a huge downside. – m.spyratos Mar 27 '12 at 01:04
  • This is still pointless. I don't know what you plan but it won't be hard for "non programmers" to find a "programmer" to work around the "protection". If you really want to rely on stuff that could be fixed by anyone with just a little programming knowledge you can do what you want and check if the hardware matches a given hash. But any PHP kid can find and remove that within minutes. – floriank Mar 27 '12 at 23:25
  • This application won't be "famous" and won't be expensive, so I believe programmers won't care too much to gain the code, which by the way won't be so difficult to create anyway. Mainly it's just a database to save customers and their actions. Also I don't think someone that is interested in buying it will hire a programmer. It will probably cost him more than the actual app. Could you tell me how I can check if the hardware matches a given hash? I am also seriously considering making this an online app as you suggested in the first place. Thank you for your help. – m.spyratos Mar 28 '12 at 06:46
  • It depends on your system (win or *nix); there are different and plenty of tools available for any OS to read hardware information. Just search for how to get the CPU ID or MAC address of a network card. I would still go for an online service. If your app has a solid API it might be an even better idea. And your client won't need to hire a programmer, as I said, any kid who can read will be able to find and remove a simple string comparison like if($cpuId == $licensedCpuUid). – floriank Apr 09 '12 at 17:21
  • The only reason I am afraid of an online app is the sensitivity of customers' information. Like name, address, birthdate, items bought, etc. Even if security is really high, the risk exists. Anyway I started building the application using the CakePHP framework. I will strictly follow CakePHP's "rules", so the app will be as secure as possible. Thanks again... – m.spyratos Apr 12 '12 at 17:30
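
An added example, not code from the thread or from either poster: one way to store the activation result so that an edited license file, or one copied to another PC, is detected offline. The server signs the key together with the machine fingerprint and the app verifies it with an embedded public key. All function names, the 'myapp-v1' label, the demo key and the host names are assumptions, and a hash of the computer name stands in for a hardware ID.

```php
<?php
// Added example, not from the thread. All function names are hypothetical.

// Stand-in machine ID. A real app would pass php_uname('n') (computer name)
// and, ideally, a hardware ID read with an OS tool as the thread suggests.
function machineFingerprint(string $hostName): string {
    return hash('sha256', 'myapp-v1|' . $hostName); // 'myapp-v1' is an assumed label
}

// SERVER, during online activation: sign the key together with the machine.
function issueLicense(string $key, string $fingerprint, $privateKey): string {
    $payload = json_encode(['key' => $key, 'machine' => $fingerprint]);
    if (!openssl_sign($payload, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// APP, at every start and offline: verify the signature, then the machine.
function checkLicense(string $license, string $publicPem, string $fingerprint): string {
    $parts = explode('.', $license);
    if (count($parts) !== 2) return 'malformed';
    $payload = base64_decode($parts[0], true);
    $sig = base64_decode($parts[1], true);
    if ($payload === false || $sig === false) return 'malformed';
    if (openssl_verify($payload, $sig, $publicPem, OPENSSL_ALGO_SHA256) !== 1) {
        return 'forged-or-edited';
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !is_string($data['machine'] ?? null)) return 'malformed';
    return hash_equals($data['machine'], $fingerprint) ? 'valid' : 'wrong-machine';
}

// Constructed demo: a throwaway RSA pair stands in for the vendor's key.
$pair = openssl_pkey_new(['private_key_bits' => 2048,
                          'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($pair === false) exit("openssl_pkey_new failed (check openssl.cnf)\n");
$publicPem = openssl_pkey_get_details($pair)['key'];
$office = machineFingerprint('OFFICE-PC');   // constructed host names
$other  = machineFingerprint('OTHER-PC');
$license = issueLicense('DEMO-KEY-0001', $office, $pair);

echo checkLicense($license, $publicPem, $office), "\n"; // activated machine
echo checkLicense($license, $publicPem, $other), "\n";  // files copied elsewhere
// License file edited to name the other machine, old signature kept:
$edited = base64_encode(json_encode(['key' => 'DEMO-KEY-0001', 'machine' => $other]))
        . '.' . explode('.', $license)[1];
echo checkLicense($edited, $publicPem, $other), "\n";
```

The signature only stops the license file from being edited or forged without the vendor's private key. As the answer says, anyone who can read the PHP source can still delete the call to the check itself.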