Tags: java, decompiling, cracking

Does this make Decompiling/Cracking harder?


I'm currently developing a commercial Java application, where I'm doing my best to protect it against cracking.

I have a couple of thoughts that I wish someone a bit more experienced in the field could help me clear up.

I'm protecting my software with a Server/Client License System.

Simple explanation of how the License works:

  1. User purchases the software online, and gets emailed his License Hash.
  2. User downloads the software, and enters the License Hash provided in the email.
  3. Software checks online if the license has been used before; if not, mark it as used and link the User's HardwareID to it in the database. Next time the user logs in, the server checks his HWID against the provided License; if not valid, kick the user out of the software.
  4. After successfully authenticating, the software downloads and loads variables from the server that the software cannot run without.
  5. My software constantly checks the server for variables (step 4) and never loads them all at once.

Communication between Server/Client is made using a secured SSL REST API.

My software is Obfuscated/protected using ProGuard.

Is this method good enough as a protection against cracking? If not, could you provide some extra tips to make this method better?

Thanks a lot.
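To make the server side of steps 1-5 concrete, here is an added example (my own code, not the questioner's application) of the activation and hardware-binding logic as it would run behind the REST API. The class and method names (`LicenseServer`, `issue`, `activate`, `fetch_variable`), the in-memory store and the sample "variables" are all assumptions; a real deployment would back them with a database and return the results over TLS.

```python
"""Server-side license activation with hardware binding (added example).

Models the scheme from the question: a license hash is issued (step 1),
the first activation binds the caller's HWID (step 3), later activations
must present the same HWID, and server-held variables are only served to
an authenticated session, one at a time (steps 4-5). Nothing here runs on
the client, so there is no check for a cracker to patch out locally.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LicenseRecord:
    license_hash: str            # value emailed to the buyer (step 1)
    hwid: Optional[str] = None   # bound on first successful use (step 3)
    activated_at: Optional[float] = None


class LicenseServer:
    """Everything in this class is assumed to live on the license server."""

    def __init__(self, server_secret: bytes) -> None:
        self._secret = server_secret
        self._licenses: Dict[str, LicenseRecord] = {}
        self._sessions: Dict[str, str] = {}   # session token -> license hash
        # Constructed sample data the client cannot run without (step 4).
        self._variables: Dict[str, str] = {"report.template": "v2",
                                           "export.limit": "500"}
        # Audit trail of rejected activations, useful for spotting shared keys.
        self.rejections: List[Tuple[str, str, str]] = []

    def issue(self) -> str:
        """Step 1: derive a license hash from a random nonce and a server secret."""
        nonce = secrets.token_bytes(16)
        license_hash = hmac.new(self._secret, nonce, hashlib.sha256).hexdigest()
        self._licenses[license_hash] = LicenseRecord(license_hash)
        return license_hash

    def activate(self, license_hash: str, hwid: str) -> Tuple[bool, str]:
        """Steps 2-3: first use binds the HWID; every later use must match it.

        Returns (accepted, session_token_or_reason). The stored HWID is
        compared in constant time so timing does not leak the bound value.
        """
        rec = self._licenses.get(license_hash)
        if rec is None:
            self.rejections.append((license_hash, hwid, "unknown license"))
            return False, "unknown license"
        if rec.hwid is None:
            rec.hwid = hwid
            rec.activated_at = time.time()
        elif not hmac.compare_digest(rec.hwid.encode(), hwid.encode()):
            self.rejections.append((license_hash, hwid, "hwid mismatch"))
            return False, "license already bound to another machine"
        token = secrets.token_urlsafe(32)
        self._sessions[token] = license_hash
        return True, token

    def fetch_variable(self, session_token: str, name: str) -> Optional[str]:
        """Steps 4-5: serve a single variable, only to an authenticated session."""
        if session_token not in self._sessions:
            return None
        return self._variables.get(name)

    def revoke(self, license_hash: str) -> None:
        """Drop a license and every session opened with it (e.g. after a refund)."""
        self._licenses.pop(license_hash, None)
        for token in [t for t, lic in self._sessions.items() if lic == license_hash]:
            del self._sessions[token]


if __name__ == "__main__":
    srv = LicenseServer(b"constructed-server-secret")
    lic = srv.issue()
    ok, token = srv.activate(lic, "HWID-A")
    print(ok, srv.fetch_variable(token, "export.limit"))
    print(srv.activate(lic, "HWID-B"))
```

The point of keeping the variables and the binding decision on the server is that the client binary, however well obfuscated, never holds the complete application; the `rejections` list is the place where a second HWID appearing against one license would show up, which is the server's only view of a leaked key.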


Solution

  • The only 100% proof way against cracking is to move the whole business logic to the cloud. If the application is running on the client's computer then it can be cracked. The only question is if your software is interesting enough that hackers will spend time with it.

    It sounds like you already use an obfuscator, moved some of the data to the cloud and are obtaining it on-demand. I would say you are already protected against entry level hackers and some "IT specialists". I wouldn't spend more effort on it, if higher level "hackers" want to crack it, they will. No matter what encryption you use, the keys (and the used algorithm as well) will be in your application's memory, so those can be obtained.

    Modern DRM tools work by stripping important parts of code (not just variables) from the released binaries, and obtaining them on demand from a server. They try to provide such code for the gaps that will only run on the machine of the specific customer (for example by compiling the code for every different processor on the market, making sure that the code won't run on other models), so collecting all the missing parts for every possible hardware is impractical (or at least takes a long time). But this is hard to achieve using Java.

    One more thing you should consider: change the licensing algorithm with every release, and do frequent updates. This way real customers get the new features and bugfixes seamlessly, but people using cracked versions will either have to search for new cracks every time or stick to the older versions. Eventually some of them may decide to buy the software just to avoid the inconvenience.