A Java program has been developed and now its copies will be sold to customers.

Each client is given a unique key for the program.

Objective: to prevent the distribution of copies of the program without paying for a license.

The plan is to store on the hosting the data that the program must fetch in order for its algorithm to start.

Question: how can the exchange with the hosting be implemented so that the program receives the data only in exchange for a paid key?

  • Bring up a machine, set up a server; the client calls the server and asks, "am I correct?"; the server looks in a DB and gives the answer. The simplest thing that came to mind. And, of course, it's easy to get around. - Senior Pomidor
  • And is it possible to identify the user by MAC address? Or is there some other way to single out a specific user and allow him to read the file? - Vladimir
  • You can do authorization, but for that you need access to the server. The MAC address is not a good idea, because the MAC can be changed and then everything works as if licensed. - Senior Pomidor
  • The program collects some data about the hardware of the machine, generates a key on that basis and remembers it. Next, the user enters his key and a comparison is made. If it is a different machine, the key will be different there and will not work. Plus: you don't need a server; minus: the client will have to work on the same machine. - Pollux
  • And what if, on the same computer, the customer changes something in the bundle? - Mikhail Rebrov

4 answers

Everything that is done on the client is a priori compromised; no "mega-encryption" can be trusted. The only way I can protect a program is to not give it out. Give access only through an API with pre-authorization of a specific user, that is, make the client application useless without the data and the hidden server logic.

    The first thing that comes to mind is something like Denuvo, but, as practice shows, this technology does not guarantee 100% protection. And it seems to me that you will lose more than you gain.

    The best and proven solution, in my opinion, is to move the logic of your application to a remote server and use accounts instead of a key. In this case, the client application will be able to do only what the server allows for that account.

    Of course, nothing prevents you from handing an account over to someone else, but you can minimize losses because you have more control. For example, you can block a user if several clients are simultaneously authorized under one account.

      A Java program has been developed and now its copies will be sold to customers. How to implement the exchange with the hosting so that the program receives data only in exchange for the paid key?

      And couldn't you have thought about this before developing?

      Well, it's still a matter of void.

      This is done like this:

      1. There is an authorization server that, when you buy the program, gives the device a token.
      2. The program, with the token in its teeth, knocks on the server where the data is stored.
      3. The server takes the token, contacts the authorization server and asks: is there such a token? If there is, data; if not, sorry.

      This is an extremely general scheme, which should be modified / complicated as follows:

      • The token must be encrypted on the device with a key that is generated from a device identifier, for example, HardwareAddress.
      • The token needs a lifetime, say one week; that is, a week later the token is regenerated into a new one, and the program updates its token.
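The three-step exchange and the one-week token lifetime from the answer above, as an added example that is not part of the original answer or of any product named on this page. Assumptions: the class and method names, the `licenseKey|deviceId|expiry` payload layout, and an HMAC-SHA256 signature that binds the device identifier into the token, used here in place of encrypting the token on the device.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

public class LicenseTokens {
    // Assumption: the secret lives only on the authorization server, never inside the client jar.
    private final byte[] secret;
    LicenseTokens(byte[] secret) { this.secret = secret.clone(); }
    private byte[] sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }
    // Step 1: issued after purchase; ties the license key to one device id for one week.
    String issue(String licenseKey, String deviceId, Instant now) throws Exception {
        long expiry = now.plus(Duration.ofDays(7)).getEpochSecond();
        String payload = licenseKey + "|" + deviceId + "|" + expiry;
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        return b64.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64.encodeToString(sign(payload));
    }
    // Step 3: the data server asks whether the token is genuine, unexpired and for this device.
    boolean validate(String token, String deviceId, Instant now) {
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 2) return false;
            Base64.Decoder b64 = Base64.getUrlDecoder();
            String payload = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
            // Constant-time comparison, so the check does not leak how many signature bytes matched.
            if (!MessageDigest.isEqual(sign(payload), b64.decode(parts[1]))) return false;
            String[] f = payload.split("\\|");
            return f.length == 3 && f[1].equals(deviceId) && now.getEpochSecond() < Long.parseLong(f[2]);
        } catch (Exception e) { return false; } // malformed input counts as an invalid token
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values: secret, license key, device ids and dates are made up.
        LicenseTokens auth = new LicenseTokens("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");
        String token = auth.issue("KEY-1234", "device-A", t0);
        System.out.println(auth.validate(token, "device-A", t0.plus(Duration.ofDays(1)))); // same device, in lifetime
        System.out.println(auth.validate(token, "device-B", t0.plus(Duration.ofDays(1)))); // token copied elsewhere
        System.out.println(auth.validate(token, "device-A", t0.plus(Duration.ofDays(8)))); // past the one-week lifetime
        System.out.println(auth.validate(token + "x", "device-A", t0));                    // tampered signature
    }
}
```

The device identifier is reported by the client and can be changed, as the comments on the question note for MAC addresses, so this check only helps while the data itself stays on the server behind `validate`.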

        To protect our software, we use Hasp keys, in particular, from Sentinel.
        In the SDK, there is a utility that wraps your binary / dll-so / jar in its wrapper, so that the application will not work without the Hasp key inserted into the PC. Their wrapper also complicates reverse engineering of the code. They have a powerful API that allows you to build the protection yourself using the capabilities of the Hasp key, but we still lacked a standard solution. They also have network solutions, where licenses are distributed through a certificate authority, and there are also so-called network keys.
        In Russia, they are represented by SafeNet.
        I think if you look at their proposed solutions, you can find the right one for yourself.

        P.S. Please do not consider this response an advertisement; we have protected more than one of our products with their solution (including under ARM) and we are more than satisfied with the results.