Securing .NET applications – Code Security and Trial Versions

Well, I just finished work on developing a new product. It is a Windows application. And the deployment part took much more time than we had estimated. Deployment is a different kind of programming altogether. People use different kinds of technologies for deployment, but we used .NET. Here I just summarize some of the issues we ran into before we could proudly say that the product is now available for people to use.

Protection from decompilation: .NET applications decompile very easily. People mostly use .NET Reflector for that. If you send out your code without securing it, anybody can read the code. To secure an application most people use “Code Obfuscation”. Code Obfuscation changes class and variable names to trivial names. So code that looks like

    class Menu
    {
        public bool NewProject()
        {
            // Open the New Project dialog box
            NewProjectDialog NewProjectDialogObj = new NewProjectDialog();
            NewProjectDialogObj.ShowDialog();
            return true;
        }
    }

may become

    class A
    {
        public bool B() // was NewProject(): for creating a new project
        {
            // Open the New Project dialog box
            C D = new C();
            D.ShowDialog();
            return true;
        }
    }

This means that anybody who is trying to reverse engineer your code cannot easily understand it, but he can still use the code as it is. Another way to do it is by preventing any kind of decompiling of your .NET assemblies. You can do that with various tools. Most decompilers use the CLI header to get back the source code. Removing the CLI header makes decompiling so much more difficult. Many commercial products are available for this purpose. I haven’t used all of them as they are not free! Some of them are:

  • DotFuscator
  • CodeVeil
  • Salamander
  • .NET Reactor

Limited Time Trial Version Security: In case you want to distribute a limited time version of your application for evaluation, the critical task is to prevent it from running after the trial period has expired. To do this you can use the above applications. .NET Reactor has excellent support for making limited time trial versions. Or you can pretty much write your own code to do the same. You can do some of these:

Place N number of flags on the computer, recording:

  1. Installed Flag (IF) – This can be used to prevent a fresh installation of your demo software if this flag is present. Hence the hacker can’t make multiple installations of the same software.
  2. Install Date (ID) – This gives the date of installation.
  3. Expiry Date (ED) – This gives the expiry date.
  4. Last Access Date (LAD) – The date on which the program was last accessed. If the user is trying to meddle with the system date in order to run it forever, you could probably use this flag to catch him.

Here is one of the ways you could use the flags:

  1. During installation, set IF = true, ID = LAD = System Date, ED = ID + Trial Duration.
  2. During load, check:
    • If decryption of the flags fails, the user is a hacker.
    • If System Date < ED then continue, else the trial period has expired; exit.
    • If LAD > System Date or LAD < ID or LAD > ED, the person is a hacker. Else, if everything is fine, set LAD = System Date and continue.
  3. During exit, set LAD = System Date.

In reality you can use just one flag to act as ID, ED and IF. But the more flags you use, the more difficult it will be for the hacker to break into your installation. In fact you could use more than one flag for each of ID, ED and IF, all having the same values but encrypted differently. You could put these values in the Registry or somewhere else in the file system. That is really left to you. Remember to encrypt these values before you put them on the system. If the encryption is broken, you’ll probably know that you are dealing with a hacker. So you can either break your installation or do whatever you choose.
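The load-time check from the steps above, with ID, ED and LAD sealed in one AES-GCM blob so that an edited value fails to decrypt. This is an added example, not code from the original post; it assumes .NET 8 or later, and `TrialGuard`, `Seal`, `Check` and the demo key are hypothetical names and values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed demo dates. In the application, "now" is DateTime.UtcNow and the blob is
// what gets written to the registry or a file.
var install = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
byte[] stored = TrialGuard.Seal(install, install.AddDays(30), install);  // step 1: installation
var (s1, updated) = TrialGuard.Check(stored, install.AddDays(10));       // normal load on day 10
var (s2, _) = TrialGuard.Check(updated, install.AddDays(5));             // clock set back behind LAD
var (s3, _) = TrialGuard.Check(updated, install.AddDays(31));            // load after ED
updated[30] ^= 1;                                                        // stored blob edited
var (s4, _) = TrialGuard.Check(updated, install.AddDays(11));
Console.WriteLine($"{s1} {s2} {s3} {s4}");

enum TrialStatus { Ok, Expired, Tampered }

static class TrialGuard
{
    // Constructed demo key. A key shipped inside the assembly can be read by anyone who decompiles it.
    static readonly byte[] Key = SHA256.HashData(Encoding.UTF8.GetBytes("constructed-demo-key"));

    // Encrypts "ID|ED|LAD" (as ticks). Blob layout: nonce (12 bytes) + tag (16 bytes) + ciphertext.
    public static byte[] Seal(DateTime id, DateTime ed, DateTime lad)
    {
        byte[] plain = Encoding.UTF8.GetBytes(string.Join("|", id.Ticks, ed.Ticks, lad.Ticks));
        byte[] blob = new byte[28 + plain.Length];
        RandomNumberGenerator.Fill(blob.AsSpan(0, 12));
        using var aes = new AesGcm(Key, 16);
        aes.Encrypt(blob.AsSpan(0, 12), plain, blob.AsSpan(28), blob.AsSpan(12, 16));
        return blob;
    }

    // Step 2 (load). Returns the status and, when Ok, a new blob with LAD = now to store back.
    public static (TrialStatus, byte[]) Check(byte[] blob, DateTime now)
    {
        DateTime[] d;
        try
        {
            byte[] plain = new byte[blob.Length - 28];
            using var aes = new AesGcm(Key, 16);
            aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), plain);
            d = Array.ConvertAll(Encoding.UTF8.GetString(plain).Split('|'), s => new DateTime(long.Parse(s), DateTimeKind.Utc));
        }
        catch (Exception) { return (TrialStatus.Tampered, blob); }             // decryption of flags failed
        if (now >= d[1]) return (TrialStatus.Expired, blob);                   // System Date >= ED
        if (d[2] > now || d[2] < d[0] || d[2] > d[1]) return (TrialStatus.Tampered, blob);
        return (TrialStatus.Ok, Seal(d[0], d[1], now));                        // LAD = System Date
    }
}
```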

There are also other scenarios in which your installation will have to beat the hacker:

  1. Installed files are copied to another location on the same system after the expiry date.
  2. Installed files are copied to a new system. Though this is not a big problem since, this being a trial version, you should encourage more people to use it.

After all this is done, please don’t forget to include a license file to put hackers under legal risk as well.

PS: The author makes no claims that the information above is foolproof. Use this information at your own risk.


  1. Many thanks for your article on securing .NET Applications. I am a beginner in Windows Forms Application development. I have just finished developing a Windows Forms application and I need to include code to shut out users after the expiry of the subscription period of one if they have not renewed their subscription. How do I do this and where exactly in my application do I place the code. Please assist with the code and where to code it. I am using Visual Basic 2005. Many thanks and looking forward to your response.

  2. sonu

    Thanks, is really helpful

  3. Nice useful info. But I feel you should not waste time concocting a licensing scheme from scratch – instead use a ready made system and focus on your main product. Try out CryptoLicensing (and Crypto Obfuscator) for this (See http://www.ssware.com).



