How to prevent usage of expired license through system clock tampering? [closed]

5

18

I am currently working on a license manager using Java. I will be specifying a start and end date for my application so I can force a licensed user to re-license the program after a certain amount of time.

But the problem I am facing is that anyone can roll back their system date and time in order to maintain the validity of the license. Is there any way in Java to detect that the system date and time have been changed? I have already tried Network Time Protocol to get the current date and time from a time server.

Subsistent answered 13/6, 2011 at 8:15 Comment(1)
No DRM is truly going to protect you from pirates. I'd rather spend my energy on less futile things. – Avionics
8

You likely are storing a license file on the system. a) include the time that the software was registered in the license file, b) digitally sign the file.

The digital signature will tell you if the license file was tampered with. If not, the time will tell you when the software was registered; if the "current time" is less than the registered time, your license manager knows something funny is going on and it can respond accordingly (refuse to run, delete the license, ...).

If you really want to enforce the date range, write the current time on each program execution to a separate digitally signed file, verifying that time always goes monotonically up.

You can also check your last recorded time against any files your application writes-then-reads. Such a file with a date later than your last recorded time indicates some kind of license-file rollback.

These won't stop the user from setting the clock back some, but it will make it pretty hard for him to do this in an organized way.

Sorensen answered 13/6, 2011 at 8:51 Comment(2)
But if the program is shut down, then how will it keep track of the date or insert the date in a specific file? – Reside
Why does it have to? It writes the license file once when the program is installed. It doesn't change the license file after that. (If the user tampers with or deletes the license file, the software quits working, so he won't do that if he is smart). – Sorensen
6

It is basically impossible to do anything about. A user could "restore" his entire computer so that the software thinks it's running at any particular date.

You could make it harder by letting the program ask some time-server for the time. (Still though, if someone really wanted to use an old license he could reroute any such traffic to a local time server.)

Related questions / answers:

Emboly answered 13/6, 2011 at 8:18 Comment(2)
I have already tried NTP. What if the user's firewall blocks access to the time server? – Subsistent
With no connectivity to the internet, I don't believe there is any perfect solution. Think of it like this: If the user controls the clock of the computer and all input/output you can't really tell the difference between yesterday and today. What if the user sets back the clock, restores the hard drive image from yesterday and replicates all input/output as if it was seen the day before? – Emboly
4

As @aioobe said, applications have no control over the environment in which they are running.

What you can do (if your program also maintains data that is important to your users) is to record what it knows about the date/time and the passing of time. For instance you can store the current time at a regular interval after checking that it did not roll back (when a rollback is detected, output a message with an encrypted code to pass on to you for relicensing so you know that that happened).

You can also keep a "counter" that is incremented every hour your program runs giving you another way to estimate the usage of your license.

Using all three your license would run out after a year, a rollback or x hours runtime.

Christiachristian answered 13/6, 2011 at 8:39 Comment(7)
But even this method, to crack all you need to do is to figure out where that info is stored, copy it after a fresh install, and paste it over the 'updated' info every once in a while. – Avionics
.. or just restore the entire partition to a previous state through any backup software. – Emboly
@aiobe That's a bit of an overkill. :P – Avionics
@aioobe, That's why I said "if your program also maintains data that is important to your users". If the application is stateless a system restore gets it going again. If the application is stateful a restore can/will undo your own work which is unwanted. So mix your license data in with the customers' data. – Christiachristian
@rsp: "(when a rollback is detected, output a message with an encrypted code to pass on to you .." OK, so I'm using this software on my notebook deep in the arctic circle (with no 'WiFi' access) & change the clock to see "Please contact complete bstard for a new license - software locked!"? Why did this answer get 4 up-votes? It is more *evil than a dongle. :-( – Termless
@Paul, not if the program is obfuscated and encrypts the counter state and merges it in same application dependent file in some nasty way. – Emboly
@Andrew, any rollback check should allow for some clock adjustments of course. Depending on the impact of locking, you could define a grace period during which an unlock key could be provided by telephone. – Christiachristian
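
The checks described in the two answers above (a signed license file carrying the registration time, a recorded time that must never go backwards, and a tolerance for small clock adjustments), as an added example that is not code from any poster. The class name, the `issued;expires` payload format, the 10-minute `TOLERANCE` and the choice of RSA signatures are assumptions made for illustration; the key pair and dates are constructed sample values, and how `lastSeen` is persisted is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Duration;
import java.time.Instant;

public class LicenseClockCheck {
    enum Verdict { OK, TAMPERED, ROLLBACK, EXPIRED }
    // Backwards clock adjustment tolerated before reporting a rollback (assumed value).
    static final Duration TOLERANCE = Duration.ofMinutes(10);

    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    // payload format assumed for this example: "<issuedEpochSec>;<expiresEpochSec>"
    // lastSeen: highest clock value recorded on earlier runs (storage not shown here)
    static Verdict check(PublicKey vendorKey, String payload, byte[] sig,
                         Instant lastSeen, Instant now) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(vendorKey);
        v.update(bytes(payload));
        if (!v.verify(sig)) return Verdict.TAMPERED;   // license file was edited
        String[] f = payload.split(";");
        Instant issued = Instant.ofEpochSecond(Long.parseLong(f[0]));
        Instant expires = Instant.ofEpochSecond(Long.parseLong(f[1]));
        // The clock may never read earlier than registration or the last recorded run.
        Instant floor = lastSeen.isAfter(issued) ? lastSeen : issued;
        if (now.isBefore(floor.minus(TOLERANCE))) return Verdict.ROLLBACK;
        // Inside the tolerance window, judge expiry against the floor, not the clock.
        Instant effective = now.isAfter(floor) ? now : floor;
        return effective.isAfter(expires) ? Verdict.EXPIRED : Verdict.OK;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair vendor = gen.generateKeyPair();        // constructed; private key stays with the vendor
        Instant issued = Instant.parse("2011-06-13T08:00:00Z");
        Instant expires = issued.plus(Duration.ofDays(365));
        String payload = issued.getEpochSecond() + ";" + expires.getEpochSecond();
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendor.getPrivate());
        s.update(bytes(payload));
        byte[] sig = s.sign();
        PublicKey pub = vendor.getPublic();
        Instant seen = issued.plus(Duration.ofDays(200));   // constructed last recorded run
        String forged = issued.getEpochSecond() + ";" + expires.plus(Duration.ofDays(365)).getEpochSecond();
        System.out.println("next day:       " + check(pub, payload, sig, seen, seen.plus(Duration.ofDays(1))));
        System.out.println("clock -30 days: " + check(pub, payload, sig, seen, seen.minus(Duration.ofDays(30))));
        System.out.println("clock -5 min:   " + check(pub, payload, sig, seen, seen.minus(Duration.ofMinutes(5))));
        System.out.println("edited expiry:  " + check(pub, forged, sig, seen, seen.plus(Duration.ofDays(1))));
    }
}
```

Only the vendor can produce the license signature, so the locally written `lastSeen` record cannot be signed with the same key; protecting it with a key shipped inside the application raises the effort of editing it but, as the comments above note, does not stop a full restore of the stored state.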
4

You have a couple of scenarios to combat:

  1. The user who turns back their system clock before they install your product, and
  2. The user who rolls back their system clock after it has been installed.

There are several levels of security you can apply, and if this is a major concern then you may want to use all of them.

The most secure is to check the time against an external reference e.g. your server. If there is no network access, you can then use the local methods described above, of using local (hidden) files to keep track of the time on the system, so you can detect rollback. By using more than one such file in more than one location, and having them cross-check each other, you can make this arbitrarily hard to roll back without detection (and you can always keep periodically trying to connect to the external server).

Salade answered 14/6, 2011 at 0:6 Comment(0)
-2

Code your app to send you emails with user's session use and check arrival times. Automate the email monitoring! Otherwise you will become a slave of your success.

Jorge

Alicea answered 27/2, 2015 at 4:15 Comment(1)
If I found out an app was sending out emails without my authorisation, I'd not only uninstall it, I might very well send some nasty emails of my own to complain about it. – Flatt
