Secure software licensing with Python

Asked 29/5, 2019 at 12:24 Answered 18/7, 2024 at 14:24

I am looking to sell some software that I have written in Python. My interface allows the user to submit their license key and save it locally. The program revolves around one button in the interface which runs the program. My idea was to create a HTTPS API (probably using Flask since I know how to use it) on an AWS EC2 server. Then, whenever the user clicks the button to run the server, the program retrieves their locally stored license key and makes a GET request to the server. The server then checks for the existence of that key in the database, and if it exists then it returns True, otherwise it returns False. Then the local program will run the program if True is returned, otherwise it will tell the user that their key is invalid.

I am aware that this is not particularly secure. The main reason I see is that with Python, the user can just go into my .py file and set the boolean to always be True, or just remove the check entirely. And so, I thought I might be able to combat that by using py2exe, although unpy2exe exists. pyarmor also seems like an option, but I think some tools might exist to crack it such as this one.

Even if I am able to prevent the user from accessing the code, is it not possible for them to change the response from the server and change it to True? Even if it is HTTPS?

I also have the issue that I would only like the user to be able to use my program on one computer at a time. I thought of storing their MAC address, but I know that can be easily spoofed, so I'm not really sure how to go about implementing that.

Some might say that this is going overboard, and if someone wants to crack my software then they will do so. However, this program will be quite expensive and will be sold into a market in which cracking is quite common. Therefore, I would really like to do my best to make it as difficult as possible.

So, does anyone know how I could create a secure licensing system for my program? At least just a general outline would be extremely helpful.

Thanks.

EDIT: With regards to securely generating license keys, how is something like this if I make sure it doesn't already exist?

from base64 import b64encode
from os import urandom

random_bytes = urandom(32)
license = b64encode(random_bytes).decode('utf-8')

EDIT2: Surely there must be some sort of industry standard for licensing software, regardless of whether or not it is coded in Python? How do they do it?

Quench answered 29/5, 2019 at 12:24 Comment(12)

Is it an option to only have an interface on the client machine, and have the engine on the server? That would be much more secure... – Crud 29/5, 2019 at 12:29

Commercial software has been cracked since time immemorial, by big vendors, who devote a lot of time and money to try to make their software as difficult to crack as possible. It's an endless cat and mouse game. I don't think you'll get the answer to this conundrum from Stack Overflow. — Generally speaking, if any part of this software would be required to run on your server, that would be the only way to give you control of this situation at all. – Celebration 29/5, 2019 at 12:30

@SergeBallesta Unfortunately not – Quench 29/5, 2019 at 12:30

@Celebration I'm aware, but that doesn't mean there's no point in trying, like I said in my post... – Quench 29/5, 2019 at 12:31

Then you cannot hope better than obfuscation. But IMHO, if the program is both expensive and likely to be cracked, Python on a local machine is a wrong design option. – Crud 29/5, 2019 at 12:34

@SergeBallesta I think you are wrong. I can definitely use a better system, such as private/public keys which will not make it impossible to crack, but will make it much more difficult. I just don't know how to implement that in practice. There are other companies in the market who have not seen their software cracked, despite lots of people trying, so it is clearly a good idea to do it. – Quench 29/5, 2019 at 12:35

Things that come to mind: 1) Compile to binary in some way or another. 2) Sign the executable in some way, ensure in some way that the executable can verify itself against modification in some way. (Big question mark here.) 3) Use a hardcoded certificate to check against when making your server request, to prevent interception of the network request. 4) Require some check data to be sent with the license key (checksum of the executable or whatnot). — The success of all that very much lies in the implementation details, and you're on your own with that one… – Celebration 29/5, 2019 at 12:41

@FJ: I think that you hope me to be wrong ;-). This has been discussed on Information Security, and the conclusion has always been that when control is done client side only obfuscation is possible. You can of course encrypt some essential data, and only store the decryption key on the server to prevent off line cracking and even only send it through HTTPS to prevent direct network spying. But at a moment the whole will be accessible from the client machine, and from that point, you will be vulnerable – Crud 29/5, 2019 at 12:43

@SergeBallesta You're not listening to what I am saying. I know that nothing is 100% secure, but I want to do it in the most secure way possible. Like I have said, other companies in the market have successfully gone un-cracked. I just want to know what the industry standard method is... – Quench 29/5, 2019 at 12:44

I have listened. And I still think that Python is not the best tool for that. More seriously, I am afraid that a large part of the SO community in not very proficient in obfuscation thechnics. As far as I am concerned I just believe that it is not worth it, and I have never used nor studied them. It is probably not far from what deceze meant when saying I don't think you'll get the answer to this conundrum from Stack Overflow. I do not say that you should not try. I do not even have to say that it cannot be 100% secure because you already know it... – Crud 29/5, 2019 at 12:51

... I just say that I cannot help you on that way, and I really think that most from SO community cannot either. Good obfuscation is like good security and much lies in implementation details. Good luck anyway... – Crud 29/5, 2019 at 12:54

Quasi-duplicate of #2642759, whose accepted answer gives some pointers with the appropriate amount of conditionals. – Moyna 29/5, 2019 at 13:52

If I've understood your problem statement correctly, it all boils down to this:

Subscription and License Renewal Issue, and
Single-User License Key

After reading through your intial attempts, I can comment that you were able to swing your bat, but ultimately these methods were all emasculate.

Although I can share a few tricks up my sleeves to address the aforementioned issues, I would rather suggest that you use a third-party vendor, who are already in the licensing business and have a reputation in the game.

NetLicensing happens to be one such cost effective solution that certainly fits the bill.

For objective #1, they offer a subscription licensing model which reflects a typical subscription scenario, where the use is permitted for a certain period of calendar time and can be extended on demand and their state-of-the-art security helps you to avoid all such cracks and hacks possible (as mentioned in the post).

They also provide a solution called 'Node-Locked', which could be used to work on objective #2 where CPU serial number verification is used to enforce this type of license.

To conclude, I'd say you could always use home-cooked remedies to implement software licensing, but if your product is really worth the market and you intent to avoid piracy and restrict unauthorized usage, let the professionals take care of your business, while you focus on the product development and its distribution.

Fransis answered 9/8, 2019 at 19:30 Comment(0)

I wrote an answer in a similar thread that I think may be useful: https://mcmap.net/q/49814/-how-to-generate-and-validate-a-software-license-key

Essentially, there are two parts that need to be addressed: an obfuscation system that makes it more difficult for an adversary to reverse engineer the code, and a licensing system, which will verify that only customers who have paid have access.

The licensing system could be set up as follows: a short random string is used as a license key that is stored in a database on the server. When your application calls your endpoint using the license key, it can check whether the key exists or not and return a response. To make it work offline, you can return an object that contains all information such as expiry date, features etc, that is signed by servers private key. The application can later fallback on this object (which can be a simple JSON formatted string) and verify it using the public key stored in your application.

If would prefer not to develop and maintain it yourself, I would suggest checking out Cryptolens, where I'm one of the developers, that offers a Python SDK that can be used for the licensing part: https://github.com/Cryptolens/cryptolens-python.

Please let me know if you have any questions.

Wonderstricken answered 18/7, 2024 at 14:24 Comment(0)

Recommended topics

Hot tags