1

I am developing a desktop app and I want to start selling it at some point, so I start to put the license data (ex: Start date, license duration, etc...) in an encrypted file, during the runtime of the app it decrypt the file and get the license data to check it.

The question is that is this method enough for copy protection ?

Doicare
  • 361
  • 1
  • 3
  • 15

1 Answers1

3

This question is very broad but the short answer is: it depends on your threat model. Since the application will have to decrypt the file to check its contents, the file will have to be on the client machine (along with a decryption key) so if someone wants to crack it, they'll have a field day with it. (They can just attach a debugger to your process and trace through the code that deals with protection and then just either patch your executable or figure out how to generate a valid license file. Among other possible approaches that I didn't even think of.)

If you're serious about protecting your software and you think your program will be so popular that many, many users will try to pirate it, buy a professional solution - you'll get professional advice on setting it up and the protection will likely have been tested already in other products.

If that's too expensive, re-evaluate whether you need copy protection or not. Most home-brewed schemes can be cracked in short order and they'll end up annoying your legitimate users and it may turn out to be a major headache for you. You'll have to support your protection scheme and keep it updated as your product evolves. Keeping licenses backward compatible while being user-friendly and hard(-ish)-to-crack is tricky.

A possible solution is to perform an over-the-internet license check but that has its own drawbacks and it's not cracker-proof either. If you're committed to rolling your own protection scheme, be ready to write a lot of complicated code, all in C or C++. (C# can be decompiled with free, open source tools.)

Before you do that, ask yourself: wouldn't your time be better spent on new features instead of licensing code that doesn't improve the application itself?

xxbbcc
  • 16,930
  • 5
  • 50
  • 83
  • Thanks for ur answer. Another question please, will it be better to use asymmetric encryption instead the symmetric encryption? To explain more, I need to send to the client an encrypted file that contains the license data, so the app will decrypt it using a public key. the threat model here is that the public key could be extracted from the app files (using .net reflector for example) and used to regenerate the license. – Doicare Jan 22 '16 at 01:51
  • @user3724116 If this answer is useful, please upvote it and accept it and post your subsequent question as a separate question, not a comment, so that others can see it and attempt to answer. You can link to this question from the new one if you want to add more context. – xxbbcc Jan 22 '16 at 16:48
  • @user3724116 The quick answer is that asymmetric encryption has your private key on the server and you can encrypt data with it. Clients will have the public key of the key pair and clients can then decrypt the file. The public key cannot be used to encrypt any data in your name. You should probably post this question on http://security.stackexchange.com/ to get answers about it. – xxbbcc Jan 22 '16 at 16:51
  • Thanks again for ur detailed answer. – Doicare Jan 22 '16 at 19:44
  • @user3724116 You're welcome - I'm glad it was useful. – xxbbcc Jan 22 '16 at 21:24