Jump to content

Licensing and protecting unigui apps

Skepsis IT

Recommended Posts

  • 3 weeks later...
the best way and you publish the application on your server, where only you will have access, so you will be able to cancel access to the system at any time.


if this is not possible, create a routine to authenticate your application on your server to check the license data.

Of course in this situation, your customer will depend on having internet available to do this check if your system is running on a LAN without internet, there is very complicated to have a safe solution.


finally, the use of plugs (USB) protection
Link to comment
Share on other sites


thanks for the answer. Actually I agree with you, but all those that you mentioned are very generic protection/security issues, that more or less anyone of us knows. What I was asking for is for a ready to go solution, not to implement it at my own. There is no time for that :)


Moreover I finally found such a system, at nice price. I have use it at my VCL products already, I believe that it will work ok with unigui projects also. When I try it and I am sure that it works, no problem to share it with you (of course what is the product, not the product itself :)).

Link to comment
Share on other sites

I also researched this a bit, and came across VCL components that do this, there was one in

the JEDI library I think.


Anyway, these components often come with lots of complexity, and it easily takes more hours

to read and understand all that, than to create a simple solution, I suspected.


So I made a simple solution, using an online activation concept, where I just run a simple

HTTP GET towards the online DB, using a very small PHP script which checks username

and password of the online account.


If that exists, and the license is valid, then I store the username both in plain form

and in encrypted form in the local DB (this was for desktop app in Lazarus), and 

always decrypt and check this on app startup.


The user DB you already should have, the PHP script is like 20 lines,

the client HTTP GET routine is very simple...and the only thing that 

takes a little time is writing the storing/reading with encrypt/decrypt,

using some library, but anyway it boils down to 20 lines of code,

and that is it.



But you can make it even simpler, since this app runs online.


Just do a HTTP GET every time the servermodule loads,

and check license data - no need to store anything.


if not HTTP-GET(licensedata)=OK then close;


I guess the response should not be some static piece of

data, as that could be hacked by changing hosts file and thus

routing the request to some local fix, but encrypt some

time varied data, send it and modify it and get it back and

and then decrypt upon receipt - like the current date and time

for instance.


You can check this onstartup or as often as you like,

or on specific routines. All you need is a modified encrypted

response to your encrypted request, from your licensing server,

and if you already have SSL setup then there is no need

for extra encryption even. JUst a simple HTTP GET DB check.


This assumes the customer is online constantly.


If not, you can require the customer to be online for licensing only.


Who would reject that, claiming that they can never be online?

Hard to believe - since they probably found you online anway.

I dont buy that - everybody can access the net for a little time

to activate, unless you are in the middle of %¤&%¤ Amazon Jungle,

but then this is such a special customer that he can pay big time

and you need no protection, or he is working for secret intelligence

and then also there is unlimited money in the black budgets.


So I suggest, Keep It Simple, demand online activation, go SSL, 

do a simple HTTP GET check for license info on startup and thats it.

  • Upvote 1
Link to comment
Share on other sites

I agree with you about the complexity that all those solution offer. The solution that I've selected works something like you described with online checking. Moreover if there is no problem with the forum I can state the name and url of it.

Link to comment
Share on other sites

  • 1 month later...

Hi, thank you skepsis.

If i understand, the protection below requires knowledge customer's computer (serial ID,...) which does not conform to the web concept (universal client end user machine) !


I think a good way is a simple login form. See adragan topic #4



Link to comment
Share on other sites


it matters the way that you want to distribute your software. For example if you want to deploy as an exe to a customer's pc that you don't have access then it is ok. But if you distribute software with a pay as you go model then adragan topic is more relative.



Link to comment
Share on other sites

  • 3 years later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...