Keep in mind that AIR (and Flash/Flex) code is easy to decompile. So you should know that anything clever you do could be circumvented by anyone with a little time on their hand and some open source development tools. If you don't believe me search on Flash Decompiler and try them out.
Assuming you understand that and believe that the customers for your app are not technically savvy enough to do that, you can implement a form of application registration that requires them to provide information on who they are. You also send along some piece of data uniquely identifying a machine (such as its MAC address). Then each time the application runs it phones home to get an OK to proceed. If you do this you usually want to allow one or two grace sessions if they can't connect to the phone home server, or totally unlock the app if a higher fee is paid.
A key challenge you may find as you dig deeper is that AIR is limited in many ways to the type of info you can access from the native OS. But let's just say that despite the well-behaved and cross platform nature of AIR, a person with enough incentive to lock down the app could find a way to retrieve some uniquely identifying data on a machine. I don't think it is appropriate to post such algorithms here but let's assume that a good hashing algorithm and native file access are the keys to that castle.
BTW, I am not endorsing such things. I have found over the 3 decades I've developed software that attempting to lock people out is the wrong approach. Make it easy to use and love your application and provide incentive for people to pay you for it (premium content, personalized support, additional features...).
I agree with you, but in this case i need to protect the app against the copy and free distribution!
Now i am planning to use the app on localhost only and have no connection to the internet, that's why i am first thinking of the AIR possibility to implement Serial Number equivalent system.
The client and its product are not really target but they require it, I assume, as an industry standard.
One company that claims to provide a solution is Simplified Logic, with their Nitro-LM solution:
I saw some of their stuff presented at the 360|Flex conference in Indianapolis in May, and also talked to some people who've looked into their solution more, and it seems to be the most robust solution that's currently available.
At the conference they announced some new less-expensive options for using their product:
Having said all of this, I've never tried Nitro-LM myself and don't endorse or advocate for them in any way. They're just pretty much the only ones out there that even claim to have a solution.
Seems pretty straight forward, but once again i need a solution that works offline entirely!
right know it seems that i would either need to read chinese (as it seems there the only ones actually doing this but my mandarin is not good enough to understand how they did it!) or have nothing?!!?
I am amaized that there is no solutions for this, how can that be?!
Hi, I'm the principal architect for the Flex/AIR client for Nitro-LM. Is your AIR app "rarely" online, or "never" online?
Nitro-LM does have a rarely used featured called Manual Licenses. It's primarily used in government or other secure facilities where there is little access to the Internet. The API works as follows:
Client application generates a machine fingerprint. This is either carried on a thumbdrive/disk/whatever to some terminal/starbucks/etc that does have internet connectivity. The user then uses the nitrolm.com/support website's Manual License Request website to register and paste in their machine fingerprint code. This will give them an unlock key code that they can carry back to copy/paste into the disconnected terminal.
Inside this encrypted keycode, you can also include additional decryption keys for securing the source code of your app against decompiler attacks.
This isn't the most elegant solution, but there isn't really room for something elegant when you're dealing with easily decompiled interpreted languages in an environment with no internet access.
My application is for now without any connection to the internet, in future release of the application there will be internet connection and your company would be a possible answer to my question.
For now i need a simple serial number like any other normal (Not AIR) Application....
Serial number allowing to install the app (wrong serial and the application does not install) [all that without internet connection]
I am also not worry about decompiler as like in flash if people can see it they can hack it and my product will not be valuable enough for people to waist time on cracking it. (the basic encryption will be enough)
So basically, Nitro-LM wont fit for this first release but i would love to know what ["This isn't the most elegant solution"] i the most elegant solution done in AIRFLEX so far?
I am just not understanding why i can't find anything, every conventional software are using it even thought you can create keygen for it, a simple serial number system would do the trick (please the customer) and if someone crack their serial well that's just life!!!
I no longer use this e-mail account. please contact me at: andrewwestberg[at]gmail.com
sorry about this post guys. my adobe forum account was using an old e-mail address that had an auto-responder attached to it. I guess the post via e-mail feature of the forum still works.
To be honest, I think nobody has developed a simple serial number solution because of the ubiquity of the internet. There just isn't a market anymore for protecting completely disconnected applications (especially Flex/AIR). Most end-users expect applications that are designed to be installed/unlocked/updated/used over the Internet.
If you wanted to create your own simple serial number technique that will work in a never-connected environment, I'd at least recommend hiding the algorithm for verifying that serial number inside an encrypted block of code. Again, not perfect protection against reverse engineering, but it should stop most people if you obfuscate the key a bit.
One technique for this is to hide the key at a random offset inside garbage data. Store what that random offset is at a known location. It at least gives the attacker another hoop to jump through.
See this article:
Did you find a solution to protect your application offline?
Do you know other solutions apart from Nitro LM?
there seems to be no way to do it, although i heard that some chinese had found a reliable way, but as my mandarin is **** i don't know where to look anymore...
I'm sure you don't need your mandarin..