Jump to content

License an application with expiration date in always offline systems


Recommended Posts

Posted

Hi,

I'm looking to license an application that will run exclusively on offline systems. I came across the "Third Party Licensing & Activation Toolkit API" available through JKI VIPM, but from what I understand, it requires an online activation process, which wouldn't work for my use case.

Are there any other libraries or toolkits you’d recommend? I also checked out Build, License, Track from Studio Bods (link), but I’m not clear on what the free tier offers, or if it's even available.

I realize the irony of asking for a free toolkit to license an application! However, I’m not looking to profit from this. I simply want to protect an application that I need to provide to a potential industrial partner while we finalize our collaboration. Unfortunately, I have to hand over the executable, but I want to ensure the application won’t run indefinitely if the partnership doesn't go through.

Thanks,

Marco.

Posted

My 2c: I guess that the problem with an expiration date on an offline computer is that you have no means for the executable to verify that they didn't set the clock backwards to extend indefinitely their usage.

If you don't expect them to be pro hackers, what about protection by simple obfuscation? E.g. the incremental time the program has run, saved periodically in obfuscated form in an essential key file, masked as "configuration"? With some mechanism to make more complicate to get through just by rewriting an older file in place of it?

 

Posted

I though about the hack to set the back the clock. I don't know, honestly: the application produce data where the real timestamp tagged with the data is very important. If they will change the clock of the system than everthing is compromised. Yes, it will always be possibile to compensate the offset in the log files or in the stream of data.... I don't want to make it pro hacker proof, I simply want to make inconvenient to keep using it and, most importantly, to go to a third party client and distributed the application forever even if our partnership doesn't go thorough.

Regarding your suggested solution: I'm still pushing updates to the application, to solve bugs or add futures. I guess I could put the counter inside the main .ini file, between the entry generated by LabVIEW. Maybe as a second check, just in case they will start to change the system clock...

Right now I was trying to generate a license file (with the expiration date), signed with a private key generated with OpenSSL. Now I'm looking for a way to read it using the public key in LabVIEW.

Marco.

Posted
5 minutes ago, Bruniii said:

I simply want to make inconvenient to keep using it and, most importantly, to go to a third party client and distributed the application forever even if our partnership doesn't go thorough.

A couple of ideas:

  • Include a license file that clearly explains what they can and cannot do (e.g., no distribution, no use without a valid license, 30 day trial period, etc.)
  • Use a hardware dongle to prevent copies (you can just encrypt the executable, which can then only be started when the dongle is present. No programming required.)
  • If the application is not licensed (e.g., during a 30 day trial period
    • Automatically shutdown the application after 30 minutes
    • Limit the number of data points they can collect (e.g., limit file size to 1 Mib or 100k samples)
    • Turn off certain features (e.g., limit the types of reports that can be produced)

Of course, it depends on what value the application represents and how "useful" it is outside your partnership. At some point, however, you will have to trust them enough to not misuse your software outside what is being agreed. If you don't trust them enough to uphold such an agreement, it is probably better not to go into a partnership...

Posted
On 10/19/2024 at 6:15 AM, Michael Aivaliotis said:

Do you have a contract in place with this customer? It sounds like no.

If you DO have a contract, then does the contract allow for time-bombs in delivered software?

We do not have one. We are discussing it...but, unfortunally, we also started collaborating (because we have to...) assuming we will, eventually, and I had to provide the application. The application started as a very basic and incomplete one but in the last weeks it started to became a little bit to "functional and usable" to be honest. Of course, if we will really have a contract I will remove the time-bomb.

On 10/19/2024 at 1:58 PM, ShaunR said:

You want EVP_PKEY_verify

Thanks! I used dotNET Cryptography Library, a package on VIPM.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.