During the past weeks, I developed and published a small OS X utility app that sells for ~$3 in the Mac App Store. However, due do French export laws for apps that include encryption mechanisms, the app is not available in the French app store. (It ships and uses libssh2 and implements SCP over SSH, and therefor does not use "encryption mechanisms that are provided by the operating system" - the registration process for that is all in French and neither Apple nor the French government seems to be able to help with that.)
As I got a bunch of emails asking why the app is not available in the French Mac App Store by now, I thought about offering a non-MAS version of the app. Coming to my initial question, I'm not sure if I want to spend time on implementing any kind of license key check etc., or just offer that version completely without DRM / license checks as it surely will be cracked either way. (The Mac App Store version is available as a torrent for quite some time now, so whoever wants to steal the app will do no matter what I finally do.)
So, I'd like to ask you guys how you handle this, or how you would handle this if you were in my situation? Spend time on implementing a license key check that will be cracked either way, or just offer a non-DRM version that'll sell in France to make everyone happy?
Thanks.
Disclaimer: Original thread from HN (https://news.ycombinator.com/item?id=7796397)
Update to finish this up:
I finally decided to implement a license validation for the Mac App Store version that is very hassle-free for the user. In the best case, he doesn't even notice this, in the worst case (where no receipt is found within the app bundle) the app will trigger the storeagent to download the receipt and then successfully relaunch. Pretty simple.
For the non-Mac App Store version (which I've introduced because of the French App Store issue explained above) I stick with a 3rd-party contractor who handles all the licensing for me.
I guess this way is a good tradeoff between security and positive user experience. Thanks for your input.
In my experience, if you are going to sell the software, you should consider a very lightweight license checker. As you pointed out, people will break your DRM if they are sufficiently motivated, so you can't hope to prevent intentional piracy. However, having a simple system that reminds users who download the software online that they should pay for it (and if it makes sense providing a basic trial system) is a reasonable approach.
However, don't spend too much time implementing the system, and make sure you thoroughly test the key system before every release, because trying to explain to users that you accidentally made it impossible for them to use the software that they have paid for is something you never want to do.
Bigger than the question of whether it's going to be hacked is whether the overhead of managing the licensing will overwhelm the profit. For example, I've seen people with very inexpensive apps basically have a checkbox for users who bought the app in order to turn off the reminders in trial versions. Very shareware-like, but considering the cost and potential review hassle of a problem with licensing, it might be worth considering that approach.
If you want to put in a bit more effort, there are a couple of open source libraries, including Aquatic Prime that provide more sophisticated protection , but require integration with whatever type of online store you are using. Since it's reasonably widely used in the community, store systems like FastSpring provide built-in integration with it. Also, it looks like the open-source Potion Store supports it out of the box. I've not used it personally.
Beyond that, my experience is that they are a large pain to create/debug/support and unless your app is expensive enough to require special features like partial-enabling, expiring licenses, region testing, real-time revocation, etc., it is likely not worth the effort to do anything custom.