Sunday, February 05, 2012

Handling a Compromised License

The Risk

For a site license for a Flex web application, there is no issue; the app will only run from the licensed site, period. Anyone stealing the license key by decompiling the application will only get a string of meaningless numbers that are good only as an index to retrieve an encrypted ball of license data, which can only be decrypted (and considered valid if not disabled or expired) when the app is running from the licensed site.

But for desktop applications, the license holder's name and email address are required in addition to the key in order to decrypt the license and examine it for validity. Therefore the info that unlocks the license must be well protected by your application, and must be closely held by the user.

Prevention

Make sure that the License Holder name and email that you issue a license to matches that on file with your payments vendor.

For instance, if you sell licenses through Paypal, Google or Amazon, these payment vendors will associate a name and email address with the purchaser. Likely this is connected to their personal credit card or bank account. Since these two pieces of information are required along with the License Key you issue in order to enable your application, you can be relatively sure that the user will not want to share these around the Internet.

Encourage your users to remember that this important information should never be shared with anyone. Make it part of the Terms and Conditions of their License that if they are negligent in protecting this information, you may disable the License without a refund. But remember that even though your customer may not share the information, it could become compromised in other ways. The user could lose a printed copy of the email, or their laptop could be stolen.

When your application stores the user’s License Holder info and License Key, make sure to store it in an encrypted format.

You will probably not want your user to have to enter their License Holder info and License Key every time they run the program. To ensure that a hacker with control of the user’s machine can’t just look at your application’s preferences and scrape out this sensitive information, you need to take steps to keep it safe.

Fortunately, if you are using Adobe AIR, this is dirt simple; use the encrypted local store (ELS).

License Disablement

If you discover via Twitter, a whistleblower or whatever medium that a particular License Key and its associated License Holder info has been shared around on the Internet…

  1. Launch or switch to the Zarqon Desktop Control Center
  2. Select the License Holder in question.
  3. Select the License in question (a License Holder may have multiple Licenses for the same or different products).
  4. Revoke and Save the compromised License.
  5. Click 'Send Email' to inform the License Holder of the action.
  6. All copies of the application using the given License can assume a disabled behavior.

NOTE: If you are doing one-time validation of the License at installation of your product, disabling the license will only keep any future installations from being successful. Only if you are actively validating the License at each launch can you disable all copies using the compromised License.

After validating the license with the Zarqon API, your application should always check the enabled property of the fetched License.

The enabled property of the License will be false if you’ve disabled the license as described above, or if the License has expired.

The behavior your application takes when disabled is up to you. One idea is to refuse access to all functionality and display a modal popup that tells the user that if they are the actual License Holder, they should contact you to report the problem. Another possibility is to revert to an ad-driven mode until a valid License is supplied.
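
The per-launch flow described above, combining the AIR encrypted local store with the enabled check, as an added ActionScript example that is not Zarqon's own code. The `validate` callback stands in for the Zarqon API call, which this page does not show; the item names and the mode strings are likewise assumptions.

```actionscript
package {
    import flash.data.EncryptedLocalStore;
    import flash.utils.ByteArray;

    // Added example: per-launch license gate for an AIR desktop app.
    public class LicenseGate {
        // Assumed field names for the three secrets the page says must be protected.
        private static const FIELDS:Array = ["holderName", "holderEmail", "licenseKey"];

        // Persist the License Holder info and License Key in the encrypted local store.
        public static function save(creds:Object):void {
            for each (var f:String in FIELDS) {
                var bytes:ByteArray = new ByteArray();
                bytes.writeUTFBytes(String(creds[f]));
                EncryptedLocalStore.setItem("license." + f, bytes);
            }
        }

        // Returns null unless all three items are present in the store.
        public static function load():Object {
            var creds:Object = {};
            for each (var f:String in FIELDS) {
                var bytes:ByteArray = EncryptedLocalStore.getItem("license." + f);
                if (bytes == null) return null;
                creds[f] = bytes.readUTFBytes(bytes.length);
            }
            return creds;
        }

        // Forget stored values, e.g. before the user enters a replacement License.
        public static function clear():void {
            for each (var f:String in FIELDS) {
                EncryptedLocalStore.removeItem("license." + f);
            }
        }

        // Call at every launch, not only at installation. `validate` is a
        // hypothetical stand-in: function(creds:Object, done:Function):void, where
        // done receives the fetched License, or null when the stored info does not
        // unlock one. `apply` receives "full", "disabled" or "needsLicense".
        public static function checkAtLaunch(validate:Function, apply:Function):void {
            var creds:Object = load();
            if (creds == null) { apply("needsLicense"); return; }
            validate(creds, function(license:Object):void {
                if (license == null) { clear(); apply("needsLicense"); }
                else if (!license.enabled) { apply("disabled"); } // revoked or expired
                else { apply("full"); }
            });
        }
    }
}
```

The stored values are kept in the "disabled" case so that the check repeats at each launch until the user enters a replacement License through `save()`.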

Handling a Compromised Key When Reported by the Owner

If a License Holder contacts you from the email address you issued the License to and reports that it has been compromised, or that their application has stopped working (after you have disabled it)…

Assuming you believe the License Holder wasn’t negligent in their protection of their License Holder info and Key and you wish to get them running again:

  1. Ensure that the user is in control of the email address by sending a response back to that same email asking for a confirmation reply. This rules out spoofers of that email address who say they are that user but cannot actually retrieve that user’s email.
  2. Once you are sure you are communicating with the original License Holder and wish to give them control of their application again, it is best to disable the previous license and issue them a new license with the same License Holder and Product attributes as their previous License.
  3. Then email them the new License and ask them to take better steps to protect their information.

Zarqon AIR Demo

Zarqon Flex Demo

Did You Know...

AES Encryption is Strong Enough for Government Work

In June 2003, the US Government announced that AES encryption (the cipher used by Zarqon to encrypt license data) may be used to protect classified information:

"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level."

Believe It or Not...

Amazon S3 is Reliable Enough for Wall Street

"Nasdaq stores many terabytes of NYSE, Nasdaq and Amex data in Amazon’s storage cloud," according to Claude Courbois, associate VP, product development.

"Nasdaq adds 30 to 80 gigabytes of data every day to the cloud, about 300,000 flat files, each representing 10 minutes’ worth of trading activity on a stock."