Does this make decompilation / cracking more difficult?
I am currently developing a commercial Java application where I am working hard to protect it from being hacked.
I have a couple of thoughts that I wish someone more experienced in this area could help me clean them up.
I am protecting my software with a server / client licensing system.
Simple explanation of how the License works:
- The user buys software online and receives email using a Hust license.
- User downloads software and enters the license hash specified in the email
- The software checks online if the license is in use before, if not, mark it in use and link the user's hardware to it in the database. The next time the user logs in, the server checks its HWID for the granted License, if it does not allow the user to be disconnected from the software.
- After successful authentication, the software loads and loads the variables from the server, without which the software cannot function.
- My software constantly checks the server for variables (step 4) and never loads them right away.
Communication between server / client is done using a secure SSL REST API.
My software is Obfuscated / protected with Proguard .
Is this method good enough as a protection against hacking if you could provide additional tips to make this method better?
Many thanks.
source to share
The only 100% safe way to prevent hacking is to move all business logic to the cloud. If the application is running on a client computer, it can be compromised. The only question is that your software is interesting enough for hackers to spend time with.
It looks like you are already using an obfuscator, moved some data to the cloud and got it on demand. I would say that you are already protected from first-level hackers and some "IT Pros". I would not have spent more effort on it, if higher level "hackers" wanted to hack them, they will. Regardless of which encryption you use, the keys (and the algorithm used as well) will be in your application memory, so they can be obtained.
Modern DRM tools work by stripping important pieces of code (not just variables) from the released binaries and retrieving them on demand from the server. They try to provide such break code that will only execute on a specific client machine (for example, by compiling code for all different processors on the market so that the code doesn't work on other models), so collecting all the missing pieces for all possible hardware is not practical ( or at least takes a long time). But this is difficult to achieve with Java.
One more thing you should consider: change the licensing algorithm with each version and update frequently. This way, real customers get new features and fixes without problems, but people using the cracked versions must either look for new cracks every time or stick with older versions. In the end, some of them may decide to buy software to avoid the inconvenience.
source to share