Secure solution for binding Java application to user / computer

Question

Is there a secure solution for Java apllications to bind them to a specific user or computer eg by using the MAC adress (unsafe because can be changed?) or any other hardware specific data?

We dont want to create hardware solutions like usb sticks / dongles bu need to check if the user of the software is allowed to use it.

Generally which is the best option against software piracy?
Always-online?
Server-check?
Using hardware data for identifying?
...

Answer 1

One popular trend is when the software checks license validity on startup (or regularly) with the central server. This way you can revoke a compromised license. There are probably a number of services that will manage these licenses for you, I saw Esellerate used.

At the same time, any protection you add to your Java app can be easily reverse-engineered or simply overloaded, unless you go to great lengths obfuscating and securing the code. It is a very hard task and the results may not be worth the effort.

Some companies (e.g. one where I work) do not go to great lengths beyond basic license generation/verification code. A combination of trusting customers honesty and providing support only to valid license holders works well.

Answer 2

Using a combination of local system identification and an online check has worked effectively for me in the past; the two are perhaps not mutually exclusive. You could obtain various system related properties by using one or more of the following methods:

System.getProperty("user.name");

System.getProperty("user.home");

System.getProperty("os.arch"); // the operating system architecture

System.getProperty("os.name");

System.getProperty("os.version");

These details could be then hashed using the java.security.MessageDigest package and associated with your users account on the server. Authenticating the user and machine would then be as simple as having your client software send the resulting hash to the server as part of its start up routine.