1 Reply Latest reply on Jun 6, 2008 11:11 AM by Joe ... Ward

    Application protection

    John Hall Level 4
      So I'm starting to love AIR as a development platform. Now that I'm about 1/3 of the way developing my application, can someone point me to resources where I can secure the application (ok, so I mean sell it and not make it easy to copy). I know that swf files can always be reverse-engineered but I'm talking about the normal user who is willing to purchase a program. How can I make a trial version that times out? How can I set some config value that knows whether they are registered, i.e., paid, or not? Thanks for any links so I can read.
        • 1. Re: Application protection
          Joe ... Ward Level 4
          Data in the encrypted local store is bound to the machine and install directory and can't be altered except by your application. If you store your registration key there, it could not be modified or copied to another machine.

          So for your scenario, you could record the first use date in the encrypted local store (ELS), and check that on startup. Then, when the user registers the app, you also save some sort of registration key in the ELS. If no registration key is present and the elapsed date since first use has passed your trial period, then you present your "buy or quit" message.

          How you implement the registration key is up to you. AIR provides an XMLSignatureValidator class that could be part of the solution. For example, the registration key could be a signed XML document. Your app could then validate that you signed the reg key.

          Now this key could be used on any computer, so your app could still be copied. For copy protection, you could require the user to log into an account on your web server and have your app get the key directly. For even more security, you could have your app store a random value in the ELS. Your app would send this value to the server as part of registration. The server would add the value to the reg key before signing it and sending it back. The app could then validate that the value in the reg key matches the original value in the ELS.

          I've seen small developers do this without any server infrastructure by forcing the user to send an e-mail containing a random value generated by the app to the company, who then return a reg key via e-mail. Frankly, it was annoying since every time you re-install or upgrade to a new computer, you had to contact them for a new key. The scheme prevented copying, but also, I think, discouraged people from using the product. For example, I don't use it anymore, even though it might still be useful. So try to strike a balance between copy protection and convenience.
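
The trial check and the install-bound registration key described in the reply above, as an added example that is not part of the original thread and does not use AIR's own API. Assumptions: it runs on Node.js, a `Map` stands in for the encrypted local store, an Ed25519-signed JSON document stands in for the signed XML reg key, and every function name and the 30-day trial length are hypothetical.

```javascript
// Added example: Node.js stand-in for the scheme in the reply. A Map plays the
// role of AIR's encrypted local store (ELS); a signed JSON document plays the
// role of the signed XML reg key. All names here are hypothetical.
const nodeCrypto = require('node:crypto');

const TRIAL_DAYS = 30;                      // assumed trial length
const DAY_MS = 24 * 60 * 60 * 1000;

// Vendor side: add the app's random value to the reg key, then sign it.
function issueRegKey(privateKey, user, installValue) {
  const body = JSON.stringify({ user, installValue });
  const sig = nodeCrypto.sign(null, Buffer.from(body), privateKey).toString('base64');
  return { body, sig };
}

// App side, first run: record the first-use date and a random value in the store.
function firstRun(store, now) {
  if (!store.has('firstUse')) store.set('firstUse', now);
  if (!store.has('installValue'))
    store.set('installValue', nodeCrypto.randomBytes(16).toString('hex'));
  return store.get('installValue');         // sent to the vendor at registration
}

// App side: the key must carry the vendor's signature AND this install's value.
function regKeyValid(store, publicKey) {
  const key = store.get('regKey');
  if (!key) return false;
  try {
    const sigOk = nodeCrypto.verify(null, Buffer.from(key.body), publicKey,
                                    Buffer.from(key.sig, 'base64'));
    return sigOk && JSON.parse(key.body).installValue === store.get('installValue');
  } catch {
    return false;                           // a malformed key counts as invalid
  }
}

// App side, every startup: registered, still in trial, or "buy or quit".
function startupState(store, publicKey, now) {
  if (regKeyValid(store, publicKey)) return 'registered';
  const elapsed = now - store.get('firstUse');
  // A clock set to before first use is treated as expired, not as extra trial.
  return elapsed >= 0 && elapsed < TRIAL_DAYS * DAY_MS ? 'trial' : 'buy-or-quit';
}
```

Only the public key ships with the app; the private key stays with the vendor, so a key copied from another install or edited after signing fails `regKeyValid`.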