I’m currently using a simple XML file that contains license information along with the data’s signature and public key. So far, this method is working great. However, I’m seeing one rather large security flaw…
When my ASP.NET MVC application starts, it verifies the license and sets the ‘ValidLicense’ bool property accordingly. During each request, this property is checked and an error message is displayed if the license is invalid.
As you can guess, there’s absolutely nothing to stop a competent user from simply modifying my assembly to set ‘ValidLicense’ to true regardless of the license’s validity. I know this can be done to pretty much any application, but it seems incredibly easy to do with .NET assemblies.
What are some ways that I can stop this from happening, or at least make it a little more difficult to crack the license verification procedure?
I’d rather stay away from assembly encryption and obfuscation systems, if possible. Go ahead and suggest them if you feel that they are good enough to warrant the cost and extra headache, however.
The only way to win is not to play.
The people who are going to steal your stuff (regardless of what protections you put in place), are not the people who are going to pay for it if it’s too hard for them to break.