I've been thrown in at the deep end a bit here, as I never expected I would have to do something like this and I have no idea where to start; so I'm helping somebody will be able to help me (ideally by providing some java code)...
In my effort to protect my Java software from piracy I have found that it is completely impossible unless I continusely check online - so thats what I want to do. Only, the only details I know are that, my program needs to communicate with some sort of script online and verify the licence key the program is using and then report back accordingly.
However, that's all I know - I am still stuck as to what the server side actually consists of. I'm hoping that the fact I am not hosting the website myself (an using JustHost) will not stop me from being able to do what I need.
So basically, I would like some help in creating a setup that allows my prevent anyone from pirating my software while connected to the internet. I though about having something like a login system; the users licence key would act as a username and password, but to be honest I really have no idea because if I did it that way would have to manually login and logout each time they wanted to use the software.
And not to run before I can walk but what happens when the user is not connected to internet? Even worse, how do I tell if somebody has stealed an legitamate users licence key? etc.
Thanks in Advance,
Andy
PS If it helps, I plan to use PostgreSQL (or maybe MySQL) and I am not paying for a dedicated server with JustHost.com...
Once your code is on their machine they can modify to simply ignore your checks. You can make it as hard as possible but it will never be hack proof.
In general your question is identical to this one which has some good discussion.
Try to delegate part of your business logic to server side. This way some core processes can not complete unless the application license is valid. Of course, if you have some logic that can be delegated. If your application is client-only than this approach is a bad choice.
If your application will be sold for a lot of money, try implementing solution using HASP key approach (which is investment by itself) instead of server authentication I understand this is not what you asked, I am just giving another idea.
try to create security by obfuscation/encryption and you will fail if your application becomes popular, since there will always be someone who will crack it in 5 minutes :(
Related
I am a student and would like to webscrap a school site to get my assignments that aren't done yet. I already figured out how to webscrap the site, but I want to be able to see the information on my phone, so I used the java server socket docs to create webserver but I don't know if it's safe to even do that. The information is not sensitive so I don't care if anyone online can see it but I am worried that I might be unwillingly setting myself up to getting hacked. I would like to know if this is stupid idea, and a better and safer alternative exist. Also if someone could give me tips on how to making if safe if that is possible.
PS. I chose to try to create a webserver instead of just buying hosting because I don't have money, so buying hosting isn't an option. thx
I have googled a lot in the past few days, including how to create a secure webserver with java etc. and also if serversockets are safe but the results are inconclusive. Most say it's better not to even attempt as security is super hard, and others say serversockts are safe.
I need to add something that generate an activation code in my android app so the app features should work only if the app is activated. what is the best way to do that ?
If I understand the question correctly, what you want to achieve is technically impossible.
Any functionality your app has is already there in the app, downloaded to the client. A user can use a debugger to disassemble the app file and change your source code to either not require an activation code or accept any code (whatever is easier, but both are possible). Anything you give to a client should be considered as being fully controlled by the client, any logic in there can be changed, secrets can be seen, etc.
This may not be straightforward, especially if you use some kind of an obfuscation, but it will always be possible. The question is only the effort needed.
And the effort is key here. In some scenarios, protecting low-value resources, it may be good enough to deter the lowest profile attackers. It's always about risk and the cost of protection. But you need to be aware of the above, that the logic in an app cannot be protected.
So if you want to protect your stuff, you have a few options for different scenarios:
Have two separate apps, one free without paid functionality included and one paid. Users can use the free one and then buy the other if they want.
Have paid functionality served by a server. If critical business logic is on the server side, you can really enforce access control rules and you can maintain control over who has access. This may have serious implications on your app architecture and functionality though.
If the value you are trying to protect is low, you can go for obfuscation and access control logic in the app as mentioned above, but you need to be aware that this can be cracked relatively easily, especially on Android by changing the apk.
I believe you cannot do this with just your app, you definitely need the help of server which would generate an activation code for you and match it with the logged in user. Once the generated activation code is passed on to the user via email or any other means, then you can match the activation code given by the user and then match with the one in the server and if they match, let them use the features.
I hope this is what you want. But I might even be dumb enough to misunderstand you. Let me know if this is what you want.
My client wants to setup a script/file in Ubuntu in one of my client's contractors system to monitor his work/sites visited etc as long as he is in office.
His contractor will have root access in the system, so how can we make sure that the file cant be changed ? Deleting wont help him as his boss will know that because he wont get the online reports anymore after deleting.
But he can change it to the way he wants. Actually, we can write a java.java file or python or some program file but I found that even java.class files and python.pyc files can also be decompiled.
So, he can easily know the program and can easily change it.
So, any solution for this ?
Assuming you have legal issues taken care of, your only hope seem to be Encryption and Security through Obscurity.
Go for languages which are tougher to decompile, such as C/C++ (see this)
Ensure that you collect a lot of data, and store all the data encrypted so the client cannot directly access it.
Try and obsfucate to hide away your encryption keys, as well as the encryption algorithm.
Send the data from the contractor's system to the server encrypted.
Possibly also monitor whenever the contractor killed your process.
The best solution would be not to do this.
Now I don't know about your country's legislation, but in mine, any solution of this sort would be highly illegal. If the client is worried about the contractor, there would be other means of "monitoring" them.
Daily reporting
Set up a proxy blacklisting sites, possibly enforcing it over network tools
Actually meet the person and talk with them about their achievements, difficulties and such. Not inquiring, actually caring about how the project is going. If that doesn't motivate the contractor to work, nothing will.
I'm in the process of developing an application that uses client side code (js to be specific), which needs to be secured. I.e. so that a user cannot steal the code and reuse it. Obfuscation is not an option, as I need the code to be fully secured (with encryption). After extensively scouring the internet for a solution that allows js encryption I have come come to the conclusion that this proprietary code can only be executed server side to ensure its security.
Does any one have any other ideas or solutions, that would relieve the server from having to process things that otherwise could be done on the client with js. Executing some of the code on the server is an option, but resources are limited. Another issue is that it would need to be something like "server side js" i.e. the user experience is not changed.
If the code is client side, they have the code. Period. That's how the internet works.
If you want to protect it from the end-user, then yes, you need to keep that on the server side. Alas, that will change the user experience. There really isn't a way around that, though perhaps via judicious AJAX calls you can find a happy medium.
Nope, it sounds like you've pretty much got the gist of things. Use the server to process anything that needs to be done securely. Use javascript to display the data sent from the server.
I don't know what application you're working on, but typically efforts to offload significant processing onto the client side involve so much data transfer that the server has to do more work in the long run. Can I ask what kind of processing you're wanting to do client-side?
The user experience would have to be changed for a server-side solution, simply by the fact that you'd be running code on a different box, with a network between the two. The latency will be different. It may be good enough, of course, but it's hard to say without knowing what kind of app it is.
The closest I can imagine is hosting some sort of JavaScript engine within an otherwise-secure application... but you can tell from the state of the games industry's attempts how easy they've found it to make unhackable client code. Basically, if it's going to run locally, the code has to be there to execute... and that means it can be inspected. All you can do is make it harder.
You could encrypt your javascript and then decrypt&eval it on the client side. If it´s a private application, you could use a password for the encryption, so anyone without password could not decrypt it. Otherwise you should make it really complex.
Apart from standard JS obfuscation which is discussed e.g. here: https://stackoverflow.com/questions/2285593/how-to-sell-and-protect-software-that-has-easily-visible-source-like-javascript
this is close to impossible to do.
I would tend to question whether there really is a need to protect the client side code in the first place. What makes it so unique that this is necessary? Any kind of sensitive data manipulation should be done on the server side anyway, as every obfuscation method will always be only imperfect protection.
I have a simple basic program in mind to keep my kids off certain websites for prolonged periods of time.
Basically, I would like to run a little background process that would have something like this :
if (user is on website for > 20 minutes every 24 hours )
{
browser redirect user to specified website
}
I realise I could easily get a third party program that would do this, but I'd enjoy doing it myself ! The problem is that I have absolutely no idea how to understake such a project - or even what languages I could use to make something like this. I have a fairly decent knowledge of PHP and Java and am always learning, so any suggestions for a way to go about this would be really appreciated !
Thanks a lot :)
There is no simple basic program that will do this.
Something like this requires that they are always using the same browser, and that it publishes an inter-process API that allows you to see what websites are being viewed and navigate to other websites. That's a lot of assumptions. Your kids could always use a different browser, or they could kill the process on the system. No matter what software you install on their machine, there is almost invariably a way for them to get around it. There's not going to be an easy way to do it.
The best solution is hard. Basically, it's firewalling. Set up a firewall in your house and put a filter on packets being forwarded. Inspect the packets to find HTTP requests, and intercept them. Log what's being requested and if it exceeds your limit, rewrite the packets how you want.
It might be a better idea to just look for a commercial software that does what you want.
If you are using FireFox, you can probably achieve this with a GreaseMonkey script.
I think you could achieve that kind of feature with a programmable proxy. In the ruby world, there was, during _why's existence, the fantastic MouseHole. Unfortunatly, those times are gone. Nowadays, using Java, I would take a look at things like this document. Finally, you can also take a look at proxomitron.
I see two simple way to approach this problem:
You can write an extension for your preferred browser. Look, for example, at Firefox Building an Extension tutorial.
You can write a http(s) proxy and set your browser to use it.
I do not recommend the 2nd one, IMHO it requires too much work for a simple in-home solution.
Short answer is that this is a fairly difficult problem to solve because of the reasons cited by Erick.
The only way to do it would be to set up something along the lines of WireShark that would analyze all network traffic on the machine and look for requests made to a certain url pattern (facebook) and start a timer whenever it happens. However, there are additional complexities when one wants to say, "I don't want to spend more than 20 minutes here a day" because it's nearly impossible in todays web to define what it means to spend 20 minutes at a site. See this thread on the OS X Hints forums for a helpful discussion on why this is hard. It basically boils down to the way websites do requests for you these days rather than you manually clicking. Of course, if you don't care about the user actually being there, but just giving them 20 minutes a day from the first time the log on to the site, then the problem becomes a little easier.
You could figure out how to write software for your router as one possible project. Using Tomato or DD-WRT gets you the ability to control what's running on your router and would give the centralized access you need to place a sniffer on the whole network (especially if you have multiple PCs you're trying to do this to). Of course, that adds the complexity in of trying to figure out what it means for one person to spend time on the website over against another. If all your PCs are single user then the problems not that hard but if you have multiple users per PC then you run into not even being able to key off of the IP address as a unique user.
If you don't want to program your router, then you'd have to write up a network sniffer and install it on every machine. Something like jNetStream might give you a nice head start as writing a network sniffer probably doesn't qualify as a "simple" program like you thought you were going to write.
Anyway, once you get that set up and running you'd just have to figure out how to hook it into your OS. I doubt any language is really "inappropriate" for that task so have at it!
You need to program a (smart) http proxy server for that. This is generaly considered a non trivial activity. But hey, there are hackers out their who say it can be done:
A HTTP Proxy Server in 20 Lines of node.js Code
(It uses the node.js library)
Just add you're own logic and there you are. King of the proxy hill ;-)