
I'm currently developing a commercial Java application, where I'm doing my best to protect it against cracking.

I have a couple of thoughts that I wish someone a bit more experienced in the field could help me clear up.

I'm protecting my software with a Server/Client License System.

Simple explanation of how the License works:

  1. User purchases the software online and gets emailed his License Hash.
  2. User downloads the software and enters the License Hash provided in the email.
  3. Software checks online if the license has been used before; if not, it marks it as used and links the User's HardwareID to it in the database. Next time the user logs in, the server checks his HWID against the provided License; if not valid, it kicks the user out of the software.
  4. After successfully authenticating, the software downloads and load variables from the server that the software cannot run without.
  5. My software constantly checks the server for variables (step 4) and never loads them all at once.

Communication between Server/Client is made using a secured SSL REST API.

My software is Obfuscated/protected using Proguard.

Is this method good enough as a protection against cracking? If not, could you provide some extra tips to make this method better?

Thanks a lot.

Lambasoft
  • Can you supply more detail on the client/server protocol? From what you described you can just easily MITM the REST request. – Thomas Jungblut Apr 09 '17 at 16:10
  • @ThomasJungblut I'm using SSL/TLS to protect against MITM attacks. – Lambasoft Apr 09 '17 at 16:17
  • SSL does not solve the problem, I can just install a fake root cert and intercept the REST calls and spoof the response. Ever used Fiddler to debug REST calls? :-) – Thomas Jungblut Apr 09 '17 at 16:18
  • @ThomasJungblut I'll be implementing Cert Pinning, and such. I'll do more research on that, maybe even Triple DES encrypt the response/request. https://github.com/Flowdalic/java-pinning – Lambasoft Apr 09 '17 at 16:20
  • @ThomasJungblut On second thought, the server variables can be changed often, so what works today won't work tomorrow, and to get those variables, the user must provide a valid licence/HWID. I can as well track the sessions on my server and can easily ban any cracked license. I guess? – Lambasoft Apr 09 '17 at 16:26
  • @Lambasoft If you can make your code truly depend on the server (talking about hard-to-replicate business logic here), then it might work. Otherwise hackers can just create fake servers, and crack the application to work with the fake server's parameters (URL, encryption keys, etc...). – Tamas Hegedus Apr 09 '17 at 16:46
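
The certificate pinning mentioned in the comments above, sketched with the standard JSSE API as an added example (not code from the post or from the linked java-pinning library). The class name `PinnedTrustManager` and the pin values passed in are assumptions; it pins the leaf certificate's public key, so a connection intercepted through a locally installed root certificate fails the check, while the pin itself still ships inside the client.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;

/** Runs the platform's normal chain validation, then requires a pinned leaf key. */
public final class PinnedTrustManager implements X509TrustManager {
    private final X509TrustManager platform;
    private final Set<String> pins; // base64(SHA-256(SubjectPublicKeyInfo)); current + backup key

    public PinnedTrustManager(Set<String> pins) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // default system trust store
        this.platform = (X509TrustManager) tmf.getTrustManagers()[0];
        this.pins = Set.copyOf(pins);
    }

    static String spkiPin(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER-encoded SubjectPublicKeyInfo
        return Base64.getEncoder()
                     .encodeToString(MessageDigest.getInstance("SHA-256").digest(spki));
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkServerTrusted(chain, authType); // expiry, signatures, trust anchor
        String leafPin;
        try {
            // Pin only chain[0]: the handshake proves possession of that key, whereas
            // extra certificates in the presented chain can be added by anyone.
            leafPin = spkiPin(chain[0]);
        } catch (Exception e) {
            throw new CertificateException(e);
        }
        if (!pins.contains(leafPin)) {
            throw new CertificateException("server key does not match any pinned key");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client authentication is not supported");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
}
```

To use it, initialise an `SSLContext` with `new TrustManager[]{ new PinnedTrustManager(pins) }` and pass its socket factory to `HttpsURLConnection.setSSLSocketFactory`; hostname verification still runs separately in `HttpsURLConnection`.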

1 Answer


The only 100% proof way against cracking is to move the whole business logic to the cloud. If the application is running on the client's computer then it can be cracked. The only question is if your software is interesting enough that hackers will spend time with it.

It sounds like you already use an obfuscator, moved some of the data to the cloud and are obtaining it on-demand. I would say you are already protected against entry level hackers and some "IT specialists". I wouldn't spend more effort on it, if higher level "hackers" want to crack it, they will. No matter what encryption you use, the keys (and the used algorithm as well) will be in your application's memory, so those can be obtained.

Modern DRM tools work by stripping important parts of code (not just variables) from the released binaries, and obtaining them on demand from a server. They try to provide such code for the gaps that will only run on the machine of the specific customer (for example by compiling the code for every different processor on the market, making sure that the code won't run on other models), so collecting all the missing parts for every possible hardware is impractical (or at least takes a long time). But this is hard to achieve using Java.

One more thing you should consider: change the licensing algorithm with every release, and do frequent updates. This way real customers get the new features and bugfixes seamlessly, but people using cracked versions will either have to search for new cracks every time or be stuck on the older versions. Eventually some of them may decide to buy the software just to avoid inconvenience.

Tamas Hegedus
  • Your answer touched me on emotional levels. Never have I been answered online and even IRL with such an explanation! Thanks a lot Tamas, your answer is what I really needed. – Lambasoft Apr 09 '17 at 16:46
  • @Lambasoft You are very welcome. I truly believe that there are many people on StackOverflow who are eager to help, I hope you will get good answers for your upcoming questions. – Tamas Hegedus Apr 09 '17 at 16:48
  • Just another thought here: if somebody breaks into your cloud, then your secrets might again be stolen. There have been examples lately where simply steering your browser within a VMware session ... was enough to **break** out of the virtual machine; and gain control over the hypervisor. There is no such thing as 100% protection. Maybe you can get close to 100, but not easily ... – GhostCat Apr 09 '17 at 19:11