I am about to deliver an Adobe AIR app to a customer.
But it's my first delivery of any sort, I.e. I have
no experience whatsoever with licensing etc.
Users of this app may or may not be online, so
can't count on that. In fact it's 99% sure that
they will be offline.
Nor do I expect them to very tech-savvy, who will
spend enough time scouting for ways to "crack" it.
So, is there an okeish type of way to protect this
app. That is, I don't want people to simply copy
the installation folder, take it to another machine
and run it. It should be slightly harder than this.
Oh, and I am also using PHP and MySql, with which
this AIR app communicates. So anything you guys could
help me with is very very welcome.
protect the php api and not the frontend app. have a license key which is bound to an ip address and authenticate the request (which contains the key) is coming from the correct ip.
If you want to protect your Flex app you can use irrObfuscator. There is a 30 days free demo.
If you wish to obfuscate your PHP code I would suggest ioncube. There is an online obfuscator that you can pay per à-la-carte. Pretty usefull. Tho you need ioncube loaders which is a set of PHP extension that you will find into the products section. Not sure but I think you can install loaders without playing with PHP config so it's shared-hosting friendly.
You can not protect anything that's webbased or javascript based, purely because there is complete sourcecode.
Anyone who knows how to use 'right click' could copy your files. You can obfuscate your code, but you cannot protect it. If you think that this shouldn't be possible, write a desktop app in a 'real' programming language.
When the app installs, I would do the following:
Create a file in "app-storage" that basically indicates the app has been installed.
Fire off a service call and make a record of the install
Change a file in the app directory to indicate the app has been installed
On subsequent startups, check for the presence of the file as long as the file in the app directory indicates the app has been installed. If you see the customer keeps installing their app over and over, this could be flagged in their account and appropriate action taken. If you want to get fancy, the file in "app-storage" could a one-way hash of some information from the file in the app directory (install date?) plus some value baked into the AIR application.
In general, I think the key here is to trust your users and not make the assumption they are trying to steal. You want to make the system as painless as possible. It does not build a good relationship with customers when you treat them like criminals, so creating an "ironclad" approach probably isn't even the best idea.
I think pretty much the only good way to do this is to require activation after installing (online activation, with a phone backup).
From what you're saying, it seems like the backend is installed on-site and would not be able to provide adequate copy protection.
Related
Long time reader first time asker, if my question is silly or missing info or miss titled lemme know and I'll fix it.
Okay, so I'm working at a community center for the next 8 weeks as a tech help assistant, I'm also a CS student.
They have a web application that is quite old running locally on an iis server (version 7). It's for keeping track of their members, events and registration It's written in asp.net and is using and Access database. They also have a wordpress website (php, mysql, apache) for advertising events and sharing information about what's going on in the community.
What they would like is to link their wordpress to the local application. I've been racking my brain about if this is even possible or not. I'm leaning towards not possible because the local application and shouldn't be outward facing as it has sensitive data on it and was not designed to be secure in the face of would-be hackers.
The only solution that I could think of is create a "walled off" section of the computer hosting the local application. Also an outward facing port that accepts incoming data from the wordpress site that is then passed onto the access database as an update (increasing a counter for the amount of people registered to a program). It needs to be possible for a file to have some kind of global (from the web) executable permissions and have all the other files on the localhost computer locked down from this global permission.
We would also need to be able to get 2 boolean values from the local app for the wordpress site. This is for if the program/camp/whatever is full and if the update was unsuccessful in the event of something going wrong. I'm just not sure if something like that is even possible and where to start with that. The most important thing is that it's secure.
If a secure API could work I have time to create something like that.
I don't have enough time to upgrade their local system to make it safe enough to be online because I have to run tech help sessions. I know that is the most realistic option.
Thanks very much
What they would like is to link their wordpress to the local
application. I've been racking my brain about if this is even possible
or not. I'm leaning towards not possible because the local application
and shouldn't be outward facing as it has sensitive data on it and was
not designed to be secure in the face of would-be hackers.
I think you've hit the nail on the head right there. It looks like you have a decent understanding of the situation but not of their internal app. The fact is that it's hard to scope something like this without getting in and getting details. Step 1 would be to see if you can talk to whoever it is that built the thing and get their feedback. It might be secure enough to expose some sort of connection.
Really there's not enough information here to determine a good answer, and you should be wary of anyone that says it's secure. There are a ton of factors that go into web security.
You might be able to throw together a basic RESTful API with authentication to send only to the wordpress site's IP. But if it's sharing the IP that information can be consumed by third parties so you'll have to decide if that is an okay risk.
I wouldn't try and expose everything and partition with apache. A basic RESTful API with authentication would be best at first glance IMO. That way you only show consumable data and limit what can be used.
I'm making an web application, it's a kind of online shop using PHP, jQuery, AJAX and JavaScript.
I want to launch my site on only one PC on local host. How should I set my site so that it only runs on my single PC?
Even if anybody copy my code files and database files to his/her own PC it should not run on their PC. How to do this?
The one way I know is by using the IP address. but I not quite sure about this method works or not.
If someone gains access to your source code then there is nothing that you can do to stop them.
When hosting it on your own you can prevent external access but beyond that there is nothing you can do.
You can use an encoder script to encrypt your source code, and some of these come with an ability to lock down to MAC address. I think they are all commercial solutions, though; start with IonCube and SourceGuardian. Zend might have something as well.
I would imagine each of these solutions would have comprehensive tutorials on their respective sites. Your workflow is basically to check out a copy of your source code from version control, and encode that folder as part of your build process.
Technically, encrypted code can be reverse-engineered, since the encryption key is built into the code. However, it is a lot of work for someone to do so, and even if they decode it, they won't have your comments or your meaningful variable/method/class names.
Make sure no one gains access to that PC (where your application resides). Only in that case you can protect your application from being run by unauthorized person. Once you take this security measure then you can easily disable your application from being accessed from any other LAN computers by using your IP. This is how professional servers works so should you.
You can change the webserver binding to localhost 127.0.0.1 only.
Alternative way you can create a filter rule that the server only accepts remote from localhost/127.0.0.1
With apache you can do this by .htaccess or directory/server rules.
When you want to share that code, you need to encrypt it with zend-guard or equal tools. there is also some licence management inside it, where you can bind licences to machines.
I'm wondering if anyone can offer any advice on the following situation.
I'm developing a system, which will then be installed on peoples own servers. However, i want people to pay a subscription fee for using this system. If they do not pay I want to be able to disable the system externally.
Basically when the system is run it does a call in the background to my server, which checks the license key, if it exists and is active they can use the system as normal.
I've got a basic function that calls my external site (sort of a web service) which checks the key exists. However, anyone with a bit of knowledge could just alter the function so it returns true and bypass the external check.
Any suggestions on the best way to do this, even if it makes it slightly more harder for them to remove.
You will need to encode your code, e.g. with ionCube. However, the customer then needs to set up ionCube on their own server to be able to run the code.
You would usually put the main logic/controllers onto YOUR server.
So it would be more SaaS (Software as a Service).
If that's not possible, you might encrypt (some of) the code on the customers server with keys and certs, so what you sell is a private key to your customer.
Besides that, have a look at Zend Guard.
I recently built a web application for my company, and now they want it to support an offline mode. To complicate things, my company is very concerned about security and does not want me to use Xampp or Mamp. The application handles sensitive data and they think these programs will somehow make the data visible to the outside world (although I'm entirely sure this would be the case).
Anyways, I'm looking for a way to allow my application to run offline, and to also support the following technologies: PHP, MySQL, jQuery. The most difficult part of this is I need to execute PHP code outside of the typical server environment.
Can anyone please give me some advice on how I could implement such a system, and any associated vulnerabilities that I may face in terms of security and data storage?
Assuming you're installing this for an individual user on their machine - your best bet is to install apache/php/mysql, and configure apache to reject connections from any remote IP address.
The environment should be basically identical to your current application, but with only 1 user in the system.
There are some strange points in your question
now they want it to support an offline mode
Well, that's easy enough - get familiar with html5's offline features
To complicate things, my company is very concerned about security and does not want me to use Xampp or Mamp
Have you deployed your web app on a desktop machine? Or do you mean you are forbidden to use a webserver?? Xampp/Mamp are development tools - your public facing applications should be on a machine configured specifically for that purpose with a webserver running apache/nginx/iis/PHP5.4-builtin/whatever you like.
The most difficult part of this is I need to execute PHP code outside of the typical server environment.
How is your environment none-typical? Mike mentions php-gtk - but IMO you shouldn't go down that route unless you're requirements are "desktop app" + "absolutely must be written in php" - which is unclear from your question.
any associated vulnerabilities that I may face in terms of security and data storage
Well, anything you put in local-storage on a client (browser) the user can access - just bear that in mind. Don't send sensitive data to what is, from your perspective, an insecure and pseudo-public location i.e. some user's browser cache.
If you want to run html/javascript, you will probably need to run this in a server/client environment because a browser isn't capable of running the php and the php app as a stand alone app needs something to parse the html/css/javascript ( it needs the browser for it's presentation view ).
Best course of action is to put the application onto a server that you control access to. Set the access controls to specific IP addresses only, or even better if you can run it off an intranet behind a firewall where no one outside the network would be able to get to it.
PHP can run on a desktop environment, but they key here is that it won't run the javascript/html you use to display. You could use php with a third party library like php-gtk to make a desktop app that doesn't need a server or browser, but php-gtk doesn't have the best support.
If the application needs to store data for other computers/users to access, then it needs to be on a network. If it doesn't need to do this you might consider using a different programming language geared toward desktop applications so you can keep it entirely offline ( such a java or .NET ).
I need some guidance around how to develop the app I'm working on.
It's basically a backend system to manage photos and slideshows (eg arrange photos in albums, decide which ones to publish, update names and captions etc)
I would like to avoid giving the source code to clients but would like to keep the actual photos and thumbnails on the client's server.
I'm not sure what would be the best way to achieve this. In my mind the steps are:
a) client uploads a photo to MY site
b) photo is registered into my DB
c) the original photo is moved to client's server
d) thumbnails are generated and saved on client's server
then the public site:
e) install the public website on my client's server;
f) when a user is browsing the client's website, the script gets the list of images to show from my database, and gets them from the local server.
(hope I made myself clear)
basically the question is: what's the best way to give the client minimal/no access to the source code?
I agree with benjy, however, you can get away with using an API to manage the system specific calls, and just have an upload handler that communicates back to your API on the clints box, so they still have some code, it is minimal, and the code requires an API call to function. That way you reduce the DB need, and reduce the resources required to manage the clients code.
API is used to authenticate / manage communication while the upload / manage scripts handle the upload/image handling.
IMO, this seems a little unnecessary. What exactly is your concern about having the source code rest on a client's server? All you need is a signed license agreement between you and the client preventing them from doing anything with it.
Or, if you really don't trust them, just sell it as hosted software. No point in the above procedure, which is rather convoluted (no offense), when you can just have everything on one server.
Just my $.02.
You can obfuscate the code with a commercial tool like IonCubelink text, or you can develop your application and license it using a SaaS model, and provide an API for the client software to use.
Zend Guard, SourceGuardian, IonCube, and similar are other viable options if you cannot keep it local but want to make it difficult to find out what the "source" is.