twotoed wrote:
Hi,
Does anyone have any experience with/suggestions for using a webservice for
product licensing?
What I have in mind is something like where the client app sends their
product key to the webservice for validation and the webservice then returns
the validation result.
Good idea? Bad idea?
What if the program checked for a valid license every X times the program is
run? I don't want it to be obtrusive to the user but I would like it to be as
secure as I can make it, after all, this is the coolest program ever. ;)
I'm 99% new to webservices so all comments are appreciated.

Well, like many other protection methods it has its share of problems.
If you're doing this, you would have to use encryption and/or digital
signatures, otherwise people will be able to easily understand how it
works and "forge" valid answers - and then you run into the usual
cryptography issues like how to protect your encryption keys and such
(using the DPAPI could be a solution)... Eventually it can become a bit
complicated.
The other big issue? Most users nowadays use some form of software
firewall that will easily (and perhaps by default) block these requests.
There are other ways which could be used to block it (like adding your
server's URL to the hosts file). And there will be people who will want
to use it on standalone PCs (with no internet access). What do you do
then? Some people don't like applications that need internet access like
that for no apparent reason either (privacy concerns or otherwise).
There is no perfect protection. This can be used in combination with
other methods (obfuscation, exe-wrappers, encrypted licenses, etc). All
can be defeated, it's just that some take more skill and time than
others. The best way to protect your software nowadays seems to be
adding a fair amount of hidden/random license checks that crackers will
most likely miss (like say, if Microsoft Word would have a 1/3 of a
chance to check your key every time you spell checked or such). You can
perfect it by doing these at the middle of other operations (not right
after a button click but say, how about doing that license check at the
middle of a "file save" operation or such?). Toying around with multiple
copies of those licensing numbers in memory can make it more complicated
for them too (run those random checks off copies)...
There are tons of things one can do, but almost certainly (if your
application becomes popular) someone or some group will crack it. You
can't really prevent it completely, but by adding those hidden checks
that most will miss, you sort of provide an incentive for people to buy
it (well, if the price is reasonable) - the buggy/bad cracks will be
frustrating. I find that using those extra checks (not just initial/on
program load checks) with obfuscation and a healthy dose of encryption
works pretty well - add some exe wrapper if you want to... Or for the
lazy there are some pre-made licensing components. Some are good, but
often you'll see that it's not enough to stop skilled crackers anyways,
and there may even be generic unwrappers/cracks/loaders for some of
these protections.
Anyways. There is no perfect protection...
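
The reply's point about digital signatures, as an added example that is not part of the original thread: the service signs each validation reply with a private key it never ships, and the client verifies it with an embedded public key and a per-request nonce, so a reply cannot be forged or replayed by whoever answers in the server's place. The `Response` fields, function names and sample key are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Response is a hypothetical reply body from the licensing web service.
type Response struct {
	Key   string `json:"key"`
	Nonce []byte `json:"nonce"` // echoed from the request; stops replay of an old reply
	Valid bool   `json:"valid"`
}

// NewServerKey makes the key pair: private stays on the server, public ships in the client.
func NewServerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Sign is the server side: serialize the reply and sign the exact bytes sent.
func Sign(priv ed25519.PrivateKey, r Response) (body, sig []byte) {
	body, _ = json.Marshal(r) // cannot fail for this struct
	return body, ed25519.Sign(priv, body)
}

// Check is the client side: verify first, parse second, then bind to our own request.
func Check(pub ed25519.PublicKey, key string, nonce, body, sig []byte) (bool, error) {
	if !ed25519.Verify(pub, body, sig) {
		return false, fmt.Errorf("signature does not verify")
	}
	var r Response
	if json.Unmarshal(body, &r) != nil || r.Key != key || !bytes.Equal(r.Nonce, nonce) {
		return false, fmt.Errorf("reply does not match this request")
	}
	return r.Valid, nil
}

func main() {
	pub, priv := NewServerKey()
	nonce := make([]byte, 16) // fresh random nonce for every request
	rand.Read(nonce)
	body, sig := Sign(priv, Response{Key: "CONSTRUCTED-KEY-0001", Nonce: nonce, Valid: true})
	fmt.Println(Check(pub, "CONSTRUCTED-KEY-0001", nonce, body, sig))
}
```

Because the client holds only the public key, there is no signing secret on the user's machine to protect; the check itself can still be patched out of the binary, which is the limit the reply describes.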