How to create License for my Java Software?

PeakGen · May 11, 2012 · Viewed 41.6k times

I am having a very big problem. That is "How to Create License for my software".

OK, think of this as my license key - 12345YW

When the user enters this license key, the software should allow him to use the software. All right, once the user enters the license key, my software must remember that he has entered the valid key, right? (Because from next time onwards, it doesn't have to prompt the license dialog.) My question is, how can I make my software remember that the user has entered the license? In Windows-based apps, what most of them do is add an entry to the Windows registry. Can I do the same? (Then what about Ubuntu and Mac?)

I thought of writing a .txt file so my software can read it and find whether the license is entered or not. However, that is the most insecure system I can think of.

So, if I enter the above license key, how can I make my software remember it? I would be really glad if you could give me a code example too (i.e., I don't know how to edit the registry, in the case of the Windows registry, etc.). Please help me...

Answer

Neville Kuyt · May 11, 2012

Licensing software is not yet a solved problem - or at least, doing so securely, without inconveniencing your users, and without investing in major infrastructure isn't solved.

The location/mechanism by which you store the license status is mostly irrelevant - the registry is no more secure than a text file - it takes seconds to get access to the content, and "hiding" the entry in some remote backwater of the registry doesn't do much to help.

Presumably, your software has some kind of persistence thing going (database? file system?); you can use that same persistence mechanism to store the registration status.

Of course, anything your software can read/write can be accessed by people trying to get unauthorized access to your software. So, you can encrypt the record; then you have the problem of managing the key for that encryption mechanism; afaik, there are no robust solutions to this right now.

So, then you might have a "license server" on the internet; your software might read a unique identifier for your machine (MAC address for instance), send it to your license server, and have the server return the license status. Again, this is pretty trivial to circumvent, and now you're requiring your users to be online to use your software.

If your software is remotely attractive to users, hackers will break the license key protection in days, and post detailed instructions on the internet. Apple go to extraordinary lengths to protect the software on the iPhone/iPad, and yet jailbreak apps unlock them.

In my opinion, unless your software is worth revenues of tens of millions of dollars, you should make life as easy as possible for your users, and not worry too much about the security aspect - use something off the shelf (like @bunting recommends), or settle for a text file.

Specifically, I would:

  • check for the presence of a valid license file at application startup
  • if license file is not present, ask the user to enter a license key
  • compare that key with your license key
  • write a "valid" file to the file system, in your app directory; alternatively, modify an existing config file.

This is trivially easy to break; so you could go one step further.

Firstly, Java apps are easy to decompile, and an attacker could easily read your "license" constant. You should use an obfuscator to make this difficult (though not impossible).

Secondly, you could encrypt your local license data; this too would make it harder for the totally casual hacker. You could include some local data in the encryption scheme so a hacker couldn't just re-distribute your application with a working license key (e.g. by multiplying the license key by the MAC address of the machine).

In both cases, you're "hardwiring" the license into the app; there are bulletin boards where hackers post license keys for applications, and you would not be able to respond other than by issuing a new version of the app with a new key.
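
The startup flow listed in the answer above (check for a stored record, prompt, compare, persist), with the record tied to the machine's MAC address so a copied file fails elsewhere, as an added Java example that is not the answerer's own code. The class name, the file location under `user.home` and the HMAC construction are assumptions; the key is the sample from the question.

```java
import java.net.NetworkInterface;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class LicenseCheck {
    // Sample key from the question. A constant like this is readable after decompiling.
    static final String LICENSE_KEY = "12345YW";
    // Assumed location; user.home resolves on Windows, Ubuntu and macOS alike.
    static final Path FILE = Paths.get(System.getProperty("user.home"), ".myapp", "license.dat");
    // Lowest hardware address on the machine, as hex, so the choice is stable across runs.
    static String machineId() throws Exception {
        TreeSet<String> macs = new TreeSet<>();
        for (NetworkInterface nic : Collections.list(NetworkInterface.getNetworkInterfaces())) {
            byte[] hw = nic.getHardwareAddress();   // null for loopback and some virtual NICs
            if (hw == null || hw.length == 0) continue;
            StringBuilder sb = new StringBuilder();
            for (byte b : hw) sb.append(String.format("%02x", b));
            macs.add(sb.toString());
        }
        if (macs.isEmpty()) throw new IllegalStateException("no hardware address available");
        return macs.first();
    }
    // HMAC-SHA256 over the machine id, keyed with the license key: the stored
    // record does not validate on a machine with a different MAC address.
    static byte[] record(String key, String machine) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(machine.getBytes(StandardCharsets.UTF_8));
    }
    static boolean isLicensed() throws Exception {
        if (!Files.isRegularFile(FILE)) return false;
        return MessageDigest.isEqual(Files.readAllBytes(FILE), record(LICENSE_KEY, machineId()));
    }
    static boolean activate(String entered) throws Exception {
        if (!LICENSE_KEY.equals(entered.trim())) return false;
        Files.createDirectories(FILE.getParent());
        Files.write(FILE, record(LICENSE_KEY, machineId()));
        return true;
    }
    public static void main(String[] args) throws Exception {
        if (isLicensed()) { System.out.println("License OK"); return; }
        System.out.print("Enter license key: ");
        Scanner in = new Scanner(System.in);
        System.out.println(in.hasNextLine() && activate(in.nextLine()) ? "Activated" : "Invalid key");
    }
}
```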