Protecting against unauthorized .jar distribution.

 
Bartender
Suppose a commercial software developer has created a library for use by application programmers. When they distribute their applications, they're going to have to distribute copies of the commercial developer's library. Is there any way for the commercial developer to protect against subsequent unauthorized distribution? When an application library is statically linked, it's mixed into the .exe, so there's no way to extract it and no way to access its functions. But, a .jar file (and, for that matter, a .dll) is independent of any particular application's code, and can be accessed by anyone who has a copy.

If a vendor is selling .jars/.dlls, how do they avoid lost sales when products developed with their .jars/.dlls are sold and include them?
 
Saloon Keeper
License validation.
 
Stephan van Hulst
Saloon Keeper
There are of course other options, but I believe that using licenses is a relatively painless way that will dissuade casual pirates. More complex DRM options will often just annoy users, while doing little to hinder determined pirates. This in many cases has actually led to reduced sales.
 
Rancher
As the saying goes "The more you tighten your grip, the more downloads will slip through".
 
Saloon Keeper
In addition to using license validation, you'll want to obfuscate the jar file as much as possible using ProGuard or something similar. While not perfect protection, it will deter casual attackers.
 
Stevens Miller
Bartender

Dave Tolls wrote: As the saying goes "The more you tighten your grip, the more downloads will slip through".

That sounds oddly familiar...

License validation is great when the product is in the hands of the application developer, but does it work in the hands of the subsequent purchaser of the application itself?

That is:

1. Commercial .jar writer, C, creates a .jar, J.
2. C sells a license to use J to D, an application developer.
3. D uses J, which validates its license upon installation, to develop an application A.
4. D sells copies of A to users X, Y, and Z.
5. Because A must have J available at run time, X, Y, and Z all have copies of J included with their copies of A.

Does license validation do anything to stop X, Y, or Z from using J in their own applications?

Seems like it would be a bit cumbersome to have J validate its license upon distribution, but I'm quickly seeing how it (J) could be coded to validate only on use in development. How would J "know" if it were being used for development, as opposed to just being used in a distributed application?
 
Stephan van Hulst
Saloon Keeper
Ah yes, I didn't think your scenario through. There's nothing you can do to stop this, because a developer is essentially also an end-user. If end-users are allowed to use your library for free, then logic dictates that developers can as well.

I think in such a scenario it's easier to get income from support contracts, updates, training and documentation than it is from the product itself. If your product isn't very expensive, you can hope that many people are still willing to pay for it.
 
Tim Moores
Saloon Keeper
I think that's an implementation detail that may differ between licensing solutions. Maybe check out a few of the available solutions to see how they handle it: https://coderanch.com/wiki/660089/Wiki/Java-Programming-Java-Forum#licensing
 
Stephan van Hulst
Saloon Keeper
I don't think that's an implementation detail. It's theoretically impossible. Creating different licenses for an end-user library and a developer library can be done, but what's stopping a developer from developing against an end-user library?
 
Stevens Miller
Bartender

Stephan van Hulst wrote: ...what's stopping a developer from developing against an end-user library?


Precisely.

People who sell controls (by which I mean things like JButton and JSlider) must face this problem. Microsoft has tried to deal with this for the specific case of Visual Basic controls by detecting the use of the control in a design context, versus in an application run-time context. That is, anyone may use the control at application run-time, without a special license or anything else. But, the control software can somehow detect if it is being used in the Visual Studio IDE and, in one way or another, refuse to play nice unless it also detects the presence of a license (which is not distributed with the application). I am guessing this doesn't stop a dedicated pirate from incorporating the control into an application by instantiating it purely in code at run-time (and not using the IDE to add it to their application), but it does give the pirate some incentive to cough up the money for a developer's license.

For a library with no IDE component, however (say, something that does encryption, or predicts the outcome of political races) I don't see any way for the library to "know" if it's being used for development or in an application at the application's run-time.

One could, I suppose, incorporate a component into the application, something that would "activate" the library. The library alone wouldn't be useful without that component. But that's going in the direction that Stephan and Dave have observed tends to just annoy users and cost more than it saves. Java being what it is, it would be difficult to obfuscate that to the point where it was a reliable form of protection.

Does anyone know of a library that is available as a commercial product that's in common use? I assume they exist, so maybe just looking into a couple of those will show me how the big boys and girls deal with this.
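
The "activation component" idea from the post above, sketched as an added example that is not part of the original thread or any vendor's product: vendor C signs a token binding licensee D to application A, and library J verifies it with an embedded public key before doing any work. The class name, token layout and app-id parameter are hypothetical; the caller declares its own app id, so, as the thread notes, this raises the cost of reuse rather than preventing it.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added illustration; LicenseCheck and the "licensee|appId" token layout are hypothetical.
public class LicenseCheck {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // Vendor side (C): sign "licensee|appId" with the vendor's private key.
    static String issue(PrivateKey vendorKey, String licensee, String appId) throws GeneralSecurityException {
        byte[] payload = (licensee + "|" + appId).getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendorKey);
        s.update(payload);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(s.sign());
    }

    // Library side (J): verify the signature first, then compare the bound app id.
    static boolean validate(PublicKey vendorPub, String token, String callerAppId) {
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 2) return false;
            byte[] payload = DEC.decode(parts[0]);
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(vendorPub);
            s.update(payload);
            if (!s.verify(DEC.decode(parts[1]))) return false;
            String[] fields = new String(payload, StandardCharsets.UTF_8).split("\\|", 2);
            return fields.length == 2 && fields[1].equals(callerAppId);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed or forged token: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair vendor = g.generateKeyPair(); // constructed demo key; J would embed only the public half
        String token = issue(vendor.getPrivate(), "D", "A");
        // Same signature glued onto a payload naming a different application.
        String swapped = ENC.encodeToString("D|OtherApp".getBytes(StandardCharsets.UTF_8)) + token.substring(token.indexOf('.'));
        System.out.println("token used by A: " + validate(vendor.getPublic(), token, "A"));
        System.out.println("token used under another app id: " + validate(vendor.getPublic(), token, "OtherApp"));
        System.out.println("payload swapped, signature kept: " + validate(vendor.getPublic(), swapped, "OtherApp"));
    }
}
```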
 
Tim Moores
Saloon Keeper

Stephan van Hulst wrote: I don't think that's an implementation detail.


I may not have phrased it well. By "implementation detail" I meant that this is something that differs between implementations - which is why I linked to several, some of which are open source, so it's possible to check out what, if anything, they do about this.

Stevens Miller wrote: Does anyone know of a library that is available as a commercial product that's in common use? I assume they exist, so maybe just looking into a couple of those will show me how the big boys and girls deal with this.


See the link I posted earlier; it points to several products.
 