License system for a desktop app

I don’t know where I have to start looking. So I started a “new conversation” :slight_smile:

I want to have some license system for my desktop app. But I want to make sure that a license is not being used across too many machines, to prevent pirates to copy a license file and pass it on to others. So, I guess a webapp might help to keep track of the license keys.

Before reinventing the wheel I was wondering if others have dealt with a similar challenge. If so… what is the best approach? Any suggestions?

I am NOT a lawyer but this is what my lawyer told me… talk to a lawyer to verify…

you need to make sure in the EULA you have clause(s) that say you collect information. Or in some states/provinces/countries you could get in serious trouble.

then send the registration info + hostname? (or whatever you are going to use as a reference to the machine) back to the “mothership” (to a webapp that records it. Make sure that the connection from Desktop.app to the Web.app is HTTPS and not HTTP. Lots of locations require that any “sensitive” data is transferred encrypted.

I would love to say this is the magical formula for doing what you are asking but it is going to depend on what information you want to collect and send back to you. And what you are going to do with the information. And so forth.

good luck!

I have been following RB/RS/Xojo mailing lists and forums for 16 years now. This topic comes up quite often. The advice most often given is: Don’t take extensive measures to prevent copying. Building elaborate schemes to keep pirates from copying your app most always harms the honest user more than the pirate. Unless your app becomes immensely popular, the major pirating operations are interested anyway. How will you identify your paid users? What if a paid user gets a new computer? reformats a hard drive? What if a user is not connected to the web when he/she wants to use your software? If a fairly knowledgable user is motivated enough to copy your app, they will find a way around any checks you put in place. Meanwhile, you risk pissing off many of your honest users.

I am here with what @Roger Clary said. I would do as MS f.e. does, use a Serial and that’s it. No copy protection, no binding to Hardware and so on.

If someone want’s to use your Software without paying for it, they will find a way. If someone needs and likes your Software, they will want to support (read: pay) you.

Thanks Scot, Roger and Sascha :slight_smile:

I am aware of that. I will have to deal with the EULA as soon as I am ready. Maybe I am not storing too much. Just enough to identify the user. So just a name would be enough, I think…
HTTPS is my preferred protocol anyway :slight_smile:

I was thinking of generating an encrypted license file containing a unique ID, unique per generated file that is. This ID along with a serial number and the user’s name can be tracked with a web-service.
This web-service can see if the limit of unique ID’s per user is being reached. If so, the web-service will inform the app just that. It can revoke the “older / previously connected” ID’s. Adobe Creative Cloud does a similar thing.

In the license file a timestamp is generated, each time the app did verify the license with the web-service. When a computer is not connected with the internet, it will allow app usage for a specified time, let’s say a day… or a week… So, if not connected with the internet, the user will still be able to use the app, for a certain time.

Well… I would really love that. But the app I am making now helps me in my professional field of work. And I know some of my clients are very much interested. The thing is. There is a huge pirate world out there, also using similar apps, yet not payng for it. By making my app as cheap as possible, without being too cheap, I want to try to prevent pirating from happening. And I know, there are always those smart guys who will find a backdoor. Oh well… :confused:

That’s why I am here… trying to find answers, and a way that the honest user will have no clue what the licensing system does under the hood :slight_smile:

Did you have a look into pre-made solutions like https://forum.xojo.com/36155-protecting-your-xojo-app-with-quick-license-manager-from-soraco ? Maybe there’s already a perfect fitting solution for you somewhere?

look at this page: https://xojo.com/store/
this pre-made app–> ToringoDRMInfo
ToringoDRMInfo lets you uniquely identify computers via physical hardware information.

just 15 dollars

The thing is, I don’t want to store too many data about the user. As Roger says, I don’t want to piss anybody off, and I don’t want to deal with any privacy lawsuits.

Of course there might be a need for license-key recovery. So an email address might be necessary in order to resend a license-key. A user might need to be able to revoke license instances manually. So, ToringoDRMInfo might help out to identify the machine the license instance belongs to. So, thanks :slight_smile:

I will have to look into what they have. Thanks!

You are probably already in breach of the 95/46/EC and what ever additional requirements the Dutch government have attached to the local implementation of that law. Just because a user agrees to your EULA does not mean that you can collect data on them. You must be able to show that the information is absolutely necessary for your day to day business. Seek proper legal advice if you want to do something like this.

Being remembered because you were prosecuted for retaining customer’s data, is probably not the best way to gain a business reputation.

Well… what about Adobe, and all those companies. Of course they have lawyers who can handle Lawsuits. Isn’t there another way of making sure a user can obtain their license key if they loose it?
Encrypting the web-service’s database will do, right?

I am not a lawyer.
I would argue that collecting the name and email address is absolutely necessary for registration.
You have to collect the name in the process of collecting the money, so for tax purposes I would think it’s considered necessary. The email address is necessary for communication with the customer, and convenient recovery of license.

In my humble, non-lawyer opinion, I think those two pieces of information are considered absolutely necessary.

Also, don’t use hardware locks.
I am very passionate about user experience, and I know that hardware locks do not deter pirates.

They deter Tom from sharing his license key with his BFF Jill. But Jill might not even care about your software if it’s so hard to use (mistaking using Tom’s key for using your software in general.)

If pirates want your app, they will get it.

FWIW it is often more important to conduct a thorough market research to see which sales channels are most appropriate, which prices are practiced by competitors, and if your product has enough features to really compete.

Among distribution channels, the Mac App Store and the Windows Store won’t accept anything like what you seem to be considering. Knowing that today they represent a very significant share of the market, it maybe kind of futile to try to establish Fort Knox in your app.

That said, I do have a licensing system for some of my apps, mainly because I distribute freely the evaluation version, and all they have to buy is a license code. I get the name of the user, and through encryption, come up with a unique 5 blocks of 4 digits that is their license number. All the app does is verify that the code entered is the one calculated from their name.

Calling home and stuff is IMHO overkill.

Like Tim, I pay very much attention to the user experience. Anything that is complicated and can break (like a call home) may impair the ability of the user to use his paid app.

I have no idea if you have already sold desktop software, but I noticed that people who usually insist so much on security are the one who have the least experience of distribution.

I use a method that so far as worked quite well… and while I won’t (obviously) devulge the specifics … here is basically what I do, and it is all self contained on the users computer, and I collect zero personal information.

  • when the app is run for the very first time, it creates either a file, or an entry in the registry/plist (up to you) that contains a UUID, a random serial number, a password (set initially to blank) and other bits of information such as install date … This entry is encrypted.
  • each time the app runs, it reads this data, runs the password thru a proprietary algorithm which returns what the serial number should be… if they match, it is a registered version, if not its a trial version (which you may expire based on the install date)
  • to register, they send me the serial #, which I run thru a mirror of the above algoritim and send them back a passcode, which is then saved into the encrypted record.
  • moving this record to another computer fails, as some of the bits refer to the computer itself…
  • deleting this record, reverts back to trial verison

Is it perfect? no, nothing is…
Doe it work… so far it has worked just fine.
How to implement? I’ll leave that up to you… it took me over a year to perfect this…:slight_smile:

I should add that I believe tying an app to one single machine is abusive. We all have several machines. Most often desktop and laptop. It is normal to install the app on both, especially since an individual cannot use both installation at the same time.

Moreover, it is a mess when changing machine when replacing it.

Users rightfully abhor complex procedures. If they have a bad experience with your licensing system, they will simply dump your beloved app and run away. Especially if competitors are less cruel.

That’s why I thought of a way to allow multiple instances of a license-file. In an online database I can manage the amount of instances being used.

But yeah, maybe I am thinking too much about securing my app. I know I should use that time to improve the actual app. It’s kind of a wast of time, really. But nevertheless… every minor step to prevent pirating is worth a try, not? And as mentioned before… if one really wants an app, they’ll get it… :confused:
It is a challenge to make make it tough enough to crack, without disturbing the honest user.

[quote=301003:@Edwin van den Akker]Well… what about Adobe, and all those companies. Of course they have lawyers who can handle Lawsuits. Isn’t there another way of making sure a user can obtain their license key if they loose it?
Encrypting the web-service’s database will do, right?[/quote]

[quote=301005:@Tim Parnell]I am not a lawyer.
I would argue that collecting the name and email address is absolutely necessary for registration.
You have to collect the name in the process of collecting the money, so for tax purposes I would think it’s considered necessary. The email address is necessary for communication with the customer, and convenient recovery of license.

In my humble, non-lawyer opinion, I think those two pieces of information are considered absolutely necessary.[/quote]

Well I’m not a lawyer either, but I did study law, EU commercial law in particular…

When it comes to collecting person related data in the EU the big driver is purpose and reasonableness:

  • Clearly you need retain data necessray to meet tax requirements etc…
  • Registration and provision of serial numbers etc…
  • Providing/Confirming updates etc…
  • Charging credit cards
  • Provision of support
    And all the other usual business type stuff.

However when you start using that imformation in an attempt to prevent piracy you enter the dark side. How is it part of a normal business transaction, is there no other techniques available and so on. If a complaint was made to an EU data authority, I suspect you’d have a very hard time arguing that you had no other choice but to do this, espically where the world is full of examples to the contrary.

The best rule of thumb is to collect the minimum about of person related data necessary to do a business transaction, hold it for the minium about of time needed to perform the transaction and meet national reporting requirements such as taxes etc. and then destroy it.

The only informatino you as a developer “need” is their name and a way to communicate (should there be issues etc).
YOU should not collect their CC# (leave that to payment vendors such as Paypal who have the proper legal coverage).

Question… a few of you have mentioned “to meet tax requirements”… do non-US developers have a requirement that we in the US do not? All I have to do is report the amount I collected, and the fees I paid (Paypal etc)… I would think that even VAT would become the responsiblity of the payment vendor, not the developer. I know I have sold many apps to European customers, and VAT never entered my realm of responsibiltiy.

Keep a simple scheme, like what I described. Hackers will break anything anyway. And don’t forget : no such thing in the MAS or the Windows Store anyway.

As for the user wanting your app, you better make every effort to inform the public about it : set up a web site, have an evaluation version, issue a press release, are the strict minimum. Make sure the evaluation version is all over the Internet by requiring the help of such companies as appvisor.com (there are hundreds of repositories).

And don’t have too much illusions about people wanting your app. You’ll be lucky if some buy it. We are very far from the time when there was no apps for Mac. Today, remember, there are over 1.5 Million apps in the MAS and 20 times that existing desktop apps for Windows. You better have a very special app for people to WANT it in such a crowd.

You should indeed do your max for the app to shine.