How to create code to license my customers monthly?


Viewed 334 times

2

I need to write code for a usage license, for example:

My customers pay monthly for use of our system, but these customers have the application installed locally in their companies.

I need to validate each month whether the customer has paid the monthly fee, thus releasing another month of access. I believe this check would be done via a web service.

Is there any Gem or any way to do this?

  • 1

    "These customers have the application installed locally in their companies." You can do a periodic validation with Web Service. But if I had to pay for an offline system, I would refuse any contract that required monthly fees just to use #Justsaying.

  • @Renan, our system is online and has its own server. But it is a requirement of some large clients that everything be on their intranet for the sake of data security. And also, if there is a problem with the Internet, the company does not stop working, which for some customers could generate millions in losses.

  • From experience (I’ve worked and still work with this type of solution), this is the kind of thing you solve more easily with lawyers and subscriptions than with code.

1 answer

5


Regardless of the language or platform, locally installed programs with a license for use can never have complete security against misuse. This even applies to extremely complex software written in machine language (see Windows).

From my point of view, the whole security issue can be summed up as making copying difficult enough that it is not worth the effort.

In the case of dynamic languages such as Ruby, this can be done by obfuscating the code of some classes to prevent a mere "maintainer" from locating a single line of code and "hacking" the program.

From this reasoning, it is possible to establish a series of strategies, whose effectiveness will depend on the commitment, knowledge and even luck of some possible "pirate".

Establish the criterion of "Original"

What criterion does your program use to know whether it is original?

Calling a web service is a way out, but it can be very trivial. Someone with no knowledge of Ruby can monitor the network using a "Network Monitor" and create a fake service to simulate the return of success.

I don’t have a definitive answer for this, but an interesting way out would be to establish an algorithm that generates codes based on the current date (month). Without entering a code each month the program stops working.

The program would not generate the code, but would recover it from the Web Service. This prevents the user from reusing the license from previous months.

Check the license several times

Do not check license validity only on program startup. Once, a colleague circumvented the 30-day trial of a program by making a simple .bat that:

  1. Changed the system date
  2. Opened the program
  3. Restored the current date

Also, this will make life difficult for a possible "hacker". At first they may bypass the boot class and be satisfied. But once they open the first screen of the program, they will hit another point where the license is checked.

If the limitation is applied at several important points of the system, at least it will discourage the attacker.

Obfuscate the code

Nothing is easier than locating content in plain text and in organized directories.

An important step to keep laypeople from "breaking" the system is not to make it obvious where the license is stored or verified.

We all know that security through obscurity is generally not good. But in this case, make it take greater effort; make it necessary to know several technologies to find out how your licensing system works.

For example, encrypting files locally using a symmetric key and keeping the password hard-coded in the program does not give much security. But it gives enough that a curious person cannot see the information and has to search the entire program to find this password.

Other than that, there are some tools that obfuscate the code in some intermediate format. For Ruby, I found only the rubyencoder. Basically it encrypts your sources and then uses a native C extension to decode and load the code at runtime.

One problem in dynamic languages, especially when they use metaprogramming, is that obfuscating certain code snippets breaks the program, since it depends on the names of parameters, attributes and classes. Therefore, I suggest obfuscating only utility classes related to licensing and not the main classes of the system.

Don’t distribute the full program

Another measure to prevent piracy is not to distribute full versions as demos and not to distribute the code of features that a given client has not contracted.

If you build a modular system, it will prevent someone from unnecessarily obtaining the complete code to then copy and pass it on to others.

Monitor

Your program can check the license with some frequency using the Web Service, for example, every week.

Check IPs and the number of calls to find signs of unauthorized copies of the program.

Make a good contract

Don’t forget to put all licensing, web service access and monitoring information into a contract.

Do not do this in a hidden way, otherwise some client may sue you for invasion of privacy or something like that.
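
Added example, not part of the original answer: one way to make the monthly code from "Establish the criterion of Original" hold up against the fake web service and the date-rollback .bat the answer mentions is to have the service sign the customer and month, and have the installed program verify that signature with an embedded public key. The use of RSA signatures, the function names, the token layout and the demo key pair are assumptions of this example.

```ruby
require "openssl"

# Constructed demo key pair. In a real deployment only the vendor's web service
# holds the private key; the installed application ships the public key only.
SERVER_KEY = OpenSSL::PKey::RSA.new(2048)
PUBLIC_KEY = OpenSSL::PKey::RSA.new(SERVER_KEY.public_key.to_pem)

# Server side (hypothetical): issue a token for one customer and one month.
# customer_id must not contain "|". Token layout: "id|YYYY-MM|base64(signature)".
def issue_license(customer_id, month, key = SERVER_KEY)
  payload = "#{customer_id}|#{month}"
  sig = key.sign(OpenSSL::Digest.new("SHA256"), payload)
  "#{payload}|#{[sig].pack('m0')}"
end

# Client side: returns :ok or the reason the license is rejected.
# last_seen is the latest time the application has observed on earlier runs
# (persisted locally); a clock earlier than that indicates a date rollback.
def check_license(token, customer_id, now, last_seen = nil, pub = PUBLIC_KEY)
  id, month, sig_b64 = token.to_s.split("|", 3)
  return :malformed unless id && month && sig_b64

  begin
    sig = sig_b64.unpack1("m0")            # strict base64, raises on garbage
    valid = pub.verify(OpenSSL::Digest.new("SHA256"), sig, "#{id}|#{month}")
  rescue ArgumentError, OpenSSL::PKey::PKeyError
    valid = false
  end
  # A fake service cannot produce this signature without the private key.
  return :bad_signature unless valid
  return :wrong_customer unless id == customer_id
  return :clock_rolled_back if last_seen && now < last_seen
  # A token from a previous month stops working when the month changes.
  return :expired unless month == now.getutc.strftime("%Y-%m")

  :ok
end
```

Calling `check_license` at several points in the program, not only at startup, follows the "Check the license several times" advice; the signature does not stop someone from patching the check out of the code, which is what the obfuscation section is about.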
