I'm wondering if anyone can offer any advice on the following situation.
I'm developing a system, which will then be installed on peoples own servers. However, i want people to pay a subscription fee for using this system. If they do not pay I want to be able to disable the system externally.
Basically when the system is run it does a call in the background to my server, which checks the license key, if it exists and is active they can use the system as normal.
I've got a basic function that calls my external site (sort of a web service) which checks the key exists. However, anyone with a bit of knowledge could just alter the function so it returns true and bypass the external check.
Any suggestions on the best way to do this, even if it makes it slightly more harder for them to remove.
You will need to encode your code, e.g. with ionCube. However, the customer then needs to set up ionCube on their own server to be able to run the code.
You would usually put the main logic/controllers onto YOUR server.
So it would be more SaaS (Software as a Service).
If that's not possible, you might encrypt (some of) the code on the customers server with keys and certs, so what you sell is a private key to your customer.
Besides that, have a look at Zend Guard.
Related
I have a few PHP Laravel projects (restful API, admin app, client app). There is only one database which is used by API. The project is some kind of app which can be used by some companies. They have access to admin panel, client web page, they can use own API, they can make own users, permissions and so on. There is no problem if this project will be used by one client, but I'm going to sell this app to many people. I will be responsible for updates, hosting, configurations etc. I wonder how to make it the best way and I have a few ideas.
I thought about cloning the app on the server each time someone buys it from me. This requires setting up a new subdomain on the server and a lot of disk space. Not sure about it.
Or maybe cloning the app and sharing some files with symlinks like vendor, node_modules etc.
Another idea is to make it as a one project with many databases for different clients, but how to make it in Laravel in the best way? I will need some dynamic way to change the database connections (I want each client to have separate database), I'm not sure about conflicts with sessions, cache etc.
Maybe separate databases is a wrong idea, and it's better to have one database and make it as a one project and sell the access to project? But then I need to keep data of my client in one database.
What do you think?
Create this application as SaaS (software as a service). You can give them some default templates of front end or even client app (website and admin part), but keep all backend at your servers. Make REST endpoints, authenticate clients and give them functionality that they bought.
For example:
Client A bought calculator services from you. It authenticates, and makes GET call to /api/calculate/subtract/5/1. You give them response what your calculator does, for example 5-1 = 4. They can use your prepared templates for this data preview or create their own.
Client B bought calculator and storage services from you. You calculate same value, give it back, but also store it in your own database. So client B also can make call GET /api/storage/last_calculation and you give them 4, because client data stored in your database, he bought storage service too so he do not need to setup database for himself.
It is very simple example, but you should get the point.
For example simple scheme with separate database for each client:
I'm developing a system (o rly?!), a regular system. This system maybe considered normal: CRUD's are all over the place. BUT, I also need to access his data as a web service. I'm developing both: the system and the web service, using Laravel 4.
I have controllers, of course, for all the CRUDs on the system so an user can be able to put information on the database. Pretty simply stuff...so far!
As I said: I need to consume data on a web-service format. I need to make request and record data to the server throught a JSON string and REST verbs. That being said, here comes the question:
Should I create a whole new project to access the data as a web service and separate it from the original project (cruds) or this is just a stupid idea of mine?
I think this might help on the security and on the cohesion on both projects.
Any answer is welcome ans thanks in advance! =D
If you are a coder who can easily organise an additional layer into your current app, to create the web-service layer, then do it.
If (like me, and probably most others) you'll just get swamped in a mess of files and folders, and end up changing code which impacts your already existing app - stay well clear! Write a new web-service app!
Separate the concerns, and sleep happy at night that both animals are caged up separately so they can't kill each other.
Although...you are using laravel. So you can actually create separation quite nicely in one app by using packages (were called bundles in L3). You still might run into the risk that you mess up some code of your current app, but if you are strict with yourself, you should be ok.
One question I'd ask yourself is why not just have the app ONLY be a web service, and create clients that meet any needs you want? It does seem odd to have an app being used as a web server and also as a web service. You may run into all sorts of performance problems if you try to do both in the same app.
UPDATE:
For a definitive answer on if you are doing this the right way: I say no, you aren't doing it the right way. Create a web service from your app, and ONLY allow it to be a web service. Then create client apps (web service consumers) to meet any needs you have for displaying the data.
I want to divide my web application into two parts.
One part is free, like a demo for people to use.
The other part is not; a extension that is paid for but requires authorization and a license to use.
My idea is to sell the extension without having it being compromised. Once the extension is sold, the buyer can't upload it to some other site and make it "free" for other people to use. Thus the extension would check a database from another domain to authorize the use of its script.
How can I achieve this?
Give the free script away for users to run on their own site. Run the licensed non-free script only on your server and hook them together using an API over HTTP.
Use a professional solution like Zend Guard.
I need some guidance around how to develop the app I'm working on.
It's basically a backend system to manage photos and slideshows (eg arrange photos in albums, decide which ones to publish, update names and captions etc)
I would like to avoid giving the source code to clients but would like to keep the actual photos and thumbnails on the client's server.
I'm not sure what would be the best way to achieve this. In my mind the steps are:
a) client uploads a photo to MY site
b) photo is registered into my DB
c) the original photo is moved to client's server
d) thumbnails are generated and saved on client's server
then the public site:
e) install the public website on my client's server;
f) when a user is browsing the client's website, the script gets the list of images to show from my database, and gets them from the local server.
(hope I made myself clear)
basically the question is: what's the best way to give the client minimal/no access to the source code?
I agree with benjy, however, you can get away with using an API to manage the system specific calls, and just have an upload handler that communicates back to your API on the clints box, so they still have some code, it is minimal, and the code requires an API call to function. That way you reduce the DB need, and reduce the resources required to manage the clients code.
API is used to authenticate / manage communication while the upload / manage scripts handle the upload/image handling.
IMO, this seems a little unnecessary. What exactly is your concern about having the source code rest on a client's server? All you need is a signed license agreement between you and the client preventing them from doing anything with it.
Or, if you really don't trust them, just sell it as hosted software. No point in the above procedure, which is rather convoluted (no offense), when you can just have everything on one server.
Just my $.02.
You can obfuscate the code with a commercial tool like IonCubelink text, or you can develop your application and license it using a SaaS model, and provide an API for the client software to use.
Zend Guard, SourceGuardian, IonCube, and similar are other viable options if you cannot keep it local but want to make it difficult to find out what the "source" is.
I am about to deliver an Adobe AIR app to a customer.
But it's my first delivery of any sort, I.e. I have
no experience whatsoever with licensing etc.
Users of this app may or may not be online, so
can't count on that. In fact it's 99% sure that
they will be offline.
Nor do I expect them to very tech-savvy, who will
spend enough time scouting for ways to "crack" it.
So, is there an okeish type of way to protect this
app. That is, I don't want people to simply copy
the installation folder, take it to another machine
and run it. It should be slightly harder than this.
Oh, and I am also using PHP and MySql, with which
this AIR app communicates. So anything you guys could
help me with is very very welcome.
protect the php api and not the frontend app. have a license key which is bound to an ip address and authenticate the request (which contains the key) is coming from the correct ip.
If you want to protect your Flex app you can use irrObfuscator. There is a 30 days free demo.
If you wish to obfuscate your PHP code I would suggest ioncube. There is an online obfuscator that you can pay per à-la-carte. Pretty usefull. Tho you need ioncube loaders which is a set of PHP extension that you will find into the products section. Not sure but I think you can install loaders without playing with PHP config so it's shared-hosting friendly.
You can not protect anything that's webbased or javascript based, purely because there is complete sourcecode.
Anyone who knows how to use 'right click' could copy your files. You can obfuscate your code, but you cannot protect it. If you think that this shouldn't be possible, write a desktop app in a 'real' programming language.
When the app installs, I would do the following:
Create a file in "app-storage" that basically indicates the app has been installed.
Fire off a service call and make a record of the install
Change a file in the app directory to indicate the app has been installed
On subsequent startups, check for the presence of the file as long as the file in the app directory indicates the app has been installed. If you see the customer keeps installing their app over and over, this could be flagged in their account and appropriate action taken. If you want to get fancy, the file in "app-storage" could a one-way hash of some information from the file in the app directory (install date?) plus some value baked into the AIR application.
In general, I think the key here is to trust your users and not make the assumption they are trying to steal. You want to make the system as painless as possible. It does not build a good relationship with customers when you treat them like criminals, so creating an "ironclad" approach probably isn't even the best idea.
I think pretty much the only good way to do this is to require activation after installing (online activation, with a phone backup).
From what you're saying, it seems like the backend is installed on-site and would not be able to provide adequate copy protection.