License Validation – How to Implement and Call Home

I am developing an application that, when bought, can be activated using a license.

Currently I am doing offline validation, which is a bit troubling to me. I am aware there is nothing to do against cracks (i.e., modified binaries); however, I am thinking of trying to discourage license-key pirating. Here is my current plan:

  • When the user activates the software and after offline validation is successful, it tries to call home and validate the license. If home approves of the license, or if home is unreachable, or if the user is offline, the license gets approved. If home is reached and says the license is invalid, validation fails.
  • The licensed application calls home the same way every time during startup (in the background). If the license is revoked (i.e., a pirated license or one generated via keygen), the license gets deactivated.

This should help with piracy of licenses – an invalid license will be disabled and a valid license that was pirated can be revoked (and its legal owner supplied with a new license). Pirate users will be forced to use cracked versions, which are usually version-specific and harder to reach.

While it generally sounds good to me, I have some concerns:

  • Users tend to not like home-calling and online validation. Would that kind of validation bother you? Even though in case of offline/failure the application stays licensed?
  • It is clear that the whole scheme can be thwarted by going offline/firewall/etc. I think that the bother to do one of these is great enough to discourage casual license sharing, but I am not sure.
  • As it goes in general with licensing and DRM variations, I am not sure the time I spend on that kind of protection isn't better spent by improving my product.

I'd appreciate your input and thoughts.

Thanks!
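The plan in the question above, written out as an added example that is not part of the original post: a fail-open call-home check in which only an explicit rejection from home blocks activation or deactivates a license. The `fetch` transport, the `"valid"`/`"invalid"` reply strings, the treatment of unexpected replies, and the sample keys are assumptions constructed for illustration.

```python
import enum

class Home(enum.Enum):
    APPROVED = 1
    INVALID = 2       # home was reached and rejected or revoked the key
    UNREACHABLE = 3   # offline, firewall, timeout, server down

def call_home(fetch, key):
    """Classify one call. `fetch` is a hypothetical transport: it returns the
    server's reply string or raises OSError (timeouts, refused connections)."""
    try:
        reply = fetch(key)
    except OSError:
        return Home.UNREACHABLE
    if reply == "invalid":
        return Home.INVALID
    if reply == "valid":
        return Home.APPROVED
    return Home.UNREACHABLE   # assumption: an unexpected reply is not a rejection

class Client:
    def __init__(self, fetch):
        self.fetch = fetch
        self.key = None
        self.licensed = False   # a real app would persist this flag

    def activate(self, key, offline_valid):
        # Offline validation gates everything; home can only veto explicitly.
        if not offline_valid or call_home(self.fetch, key) is Home.INVALID:
            return False
        self.key, self.licensed = key, True
        return True

    def startup(self):
        # Background check on each start; only an explicit INVALID deactivates.
        if self.licensed and call_home(self.fetch, self.key) is Home.INVALID:
            self.licensed = False
        return self.licensed

# Constructed sample server state and transports for the walk-through.
REVOKED = {"KEY-SHARED"}

def online(key):
    return "invalid" if key in REVOKED else "valid"

def blocked(key):
    raise OSError("network unreachable")

def walk_through(fetch_at_activation, fetch_at_startup, key):
    c = Client(fetch_at_activation)
    activated = c.activate(key, offline_valid=True)
    c.fetch = fetch_at_startup
    return activated, c.startup()
```

`walk_through(blocked, online, "KEY-SHARED")` shows a revoked key being accepted at activation and deactivated at the first startup that reaches home, while `walk_through(blocked, blocked, "KEY-SHARED")` stays licensed, which is the limitation the question already acknowledges.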

Best Answer

This is not really a war that you can win with the approach you have lined out. As others have pointed out, simply disabling the network, or clicking "no" when the firewall asks you whether or not to allow your application to phone home, will bypass the phone-home. Aside from that, users absolutely hate this type of thing, and you may be required to explicitly have the user tick a checkbox saying that they understand what the system is about to phone home (according to the law in some countries).

So, what can you do? My advice would be:

  • Try to reward your paying customers with value-adds (frequent updates, online tutorials, etc), rather than effectively punishing them.
  • Don't worry too much about pirates. In many cases, they are unlikely to have purchased your software in the first place; the least they can do is spread awareness of your application.
  • If you really can't handle the fact that your software is going to be pirated, make it an online app (if the nature of the software is such that this is possible). There was an interesting article by a developer who made this move, and found that his web version sold far better, was far easier to identify what features users actually used (since it's not really calling home if you're already on the server), and there was far less reluctance for people to whip out their credit cards (sorry - can't find the link).