There are sites that sell their products (jar libraries), and some offer, for example, a 30-day trial period. The question is what people think about how they protect their product. What prevents me from disassembling them (except laziness and conscience)?

  • Conscience - a lack of protection? :) In that case, I can also offer reputation and the threat of liability for violating the license. - Sinitsyn Artem

4 answers

There is a license checking mechanism with online access. For example, this is how it is implemented in the Android Market and similar markets: Amazon, Samsung and others.

  1. There is an application that controls the application (let's call it a controller), for example Android Market.
  2. The controller has 2 services: a) a network service that accesses the license repository on a remote server; b) a local service that the installed application can ask to verify the license.
  3. On launch, the application asks the controller's local service to verify the license. The controller contacts the server, checks the license and returns the result.

The advantage of this method is that the installed application may not have any network permissions; it simply calls the controller service, which does all the work, and the application does not require obfuscation, a custom class loader, and so on. The disadvantage is also clear: a controller is required. On the desktop this is hard to implement (although there are examples there too, such as Steam), but on mobile OSes everything works fine, as the success of the various app stores on Android, iPhone and so on also shows.

The Android Market controller's software API is known as the License Verification Library (LVL) - description here

  • And why is obfuscation not required? Is the code inaccessible? - Dex
  • LVL is bypassed by editing only one byte, since it is not part of the OS but is implemented as a plug-in library. Other analogues are not too difficult either. - falstaf
  • I'm talking about protecting a simple jar, not an app ... - Gorets
  • Well, as for the one byte, I'm not sure, because everything depends on the skill of the software developer who writes the license check. And besides, after a bypass there will be no updates, no possibility to buy additional functions online, and so on. - Barmaley
  • Making the license check always accept the status LICENSED (0x0) instead of NOT_LICENSED (0x1) as input is not a problem. Finding that place and patching it is not a problem either. As for protecting against this, i.e. protecting and/or hiding the verification code, see my answer. So your statement that "the application does not need obfuscation, a custom class loader, etc." is somewhat incorrect, because an application that relies only on LVL or its analogues for protection is not protected at all. - falstaf

Obfuscation + checking the checksums / hashes of the .class files stored in the jar.

Also, as an option: bytecode generation at runtime, based on some data (a license key, for example).

Encryption of the bytecode, with loading through your own ClassLoader.

It will be hard to come up with anything else, because this is Java.

  • That's all clear. Is it possible to give access for a limited time? I.e. a jar for a week, for example? :) - Gorets
  • Sure why not. - falstaf
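
The checksum check from this answer, as an added example (not code from the answer or from any product): it records a SHA-256 per .class entry at build time and reports entries that later differ. The class name `JarIntegrityCheck`, the `demo/` entry names and the byte arrays standing in for class files are constructed for illustration; Java 17+ is assumed for `HexFormat`.

```java
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;
import java.util.zip.*;
public class JarIntegrityCheck {
    // SHA-256 of every .class entry in the jar, keyed by entry name.
    static Map<String, String> hashClasses(Path jar) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        Map<String, String> out = new TreeMap<>();
        try (ZipInputStream zis = new ZipInputStream(Files.newInputStream(jar))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                if (e.getName().endsWith(".class"))
                    out.put(e.getName(), HexFormat.of().formatHex(md.digest(zis.readAllBytes())));
            }
        }
        return out;
    }
    // Entries that were modified, removed, or added relative to the baseline.
    static List<String> verify(Path jar, Map<String, String> expected) throws Exception {
        Map<String, String> actual = hashClasses(jar);
        List<String> problems = new ArrayList<>();
        for (var e : expected.entrySet()) {
            String h = actual.remove(e.getKey());
            if (!e.getValue().equals(h)) problems.add((h == null ? "missing: " : "modified: ") + e.getKey());
        }
        for (String extra : actual.keySet()) problems.add("unexpected: " + extra);
        return problems;
    }
    // Writes a constructed jar; the byte arrays stand in for real class files.
    static void writeJar(Path jar, Map<String, byte[]> entries) throws Exception {
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(jar))) {
            for (var e : entries.entrySet()) {
                zos.putNextEntry(new ZipEntry(e.getKey()));
                zos.write(e.getValue());
            }
        }
    }
    public static void main(String[] args) throws Exception {
        Path jar = Files.createTempFile("lib", ".jar");
        Map<String, byte[]> entries = new TreeMap<>(Map.of(
            "demo/Api.class", new byte[] {2, 0, 9}, "demo/License.class", new byte[] {1, 0, 7}));
        writeJar(jar, entries);
        Map<String, String> baseline = hashClasses(jar); // recorded at build time
        System.out.println("untouched: " + verify(jar, baseline));
        entries.put("demo/License.class", new byte[] {0, 0, 7}); // one byte changed
        writeJar(jar, entries);
        System.out.println("tampered:  " + verify(jar, baseline));
        Files.delete(jar);
    }
}
```

A baseline and verifier that ship inside the same jar can be edited along with the classes, so the check only raises the effort unless the expected hashes are held or signed somewhere the jar's holder cannot change.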

A jar file is a simple archive that contains a set of class files, which in turn are a primitive instruction set for the JVM. The latter means that they can always be decompiled (as long as the JVM specifications are publicly available). Personally, this reminds me of the situation with machine code and assembler.

I would not hand the classes themselves to a stranger; it is better to use something like EJB, where the client has only an interface and the functionality itself is in a different place.

If there is a performance problem, then the client needs a local server (it makes sense to make it platform-dependent but protected) that will authorize against your server, download the latest versions, or perform the functions of an application server. It is clear that the contents of the classes / jar files must be tied to the current date and the client, must be transmitted in encrypted form, and must be stored only in memory.

    You can protect the jar

    Convert Jar To EXE Executable File