DRM & Piracy

Software licensing like Moonbase provides is a form of digital rights management (DRM), and an obstacle for software pirates who want to use what you build without buying it.

And when talking about the software licensing Moonbase offers, we often get the question of "how secure is it?". So let's dive into what deterrents you can choose to implement when building software, and figure out which ones makes sense in the first place!

Software Licensing

To ensure that any users of your software has the rights to use it (they may have bought it, or are trying it out for a limited time), we need to be able to give them something unique to unlock it. That unique thing can come in many forms;

CD keys

Remember activating Windows back in the day? Or software coming on CDs? Anything where you had to enter a license key, and the software would be unlocked.

Great if you don't have internet, and will always work no matter what. The way these usually worked was by using some ideas from cryptography to be able to generate keys that would be valid, but spread far apart to become unguessable. Having a strong cryptography solution for this is, as you might imagine, critical to this solution, and a place where many apps have introduced issues. There's a couple of issues with license keys like this though;

1. Unless you do the cryptography correctly, so-called key generators could be made to produce illicit license keys
2. A key will work on any number of devices, there is nothing preventing sharing
3. You cannot ever revoke keys should they be leaked or stolen

So while this approach of license keys worked for the last century, we have better options.

License identifiers

Taking a step onwards, some companies choose to provide you with an identifier of your license that the software can check online. This check can then include a fingerprint of the device being activated, and given the right systems powering the APIs for this, you can have a lot of control over what can and cannot be activated.

Compared to CD keys, this approach solves a lot of the issues: there is no local check of the license, so key-generators won't work, license sharing can be prevented given the right fingerprinting techniques, and licenses can be revoked to restrict access to illicit keys.

However, this approach introduces some problems that CD keys didn't have;

1. You always need an internet connection to activate and keep using the software
2. You need to keep your key server online forever
3. There's no inherent way to authenticate users to let them revoke device activations

There's no doubt this is a step in the right direction, but can we combine the best of both worlds? Find a strategy that supports both online and offline activations?

License tokens

As we've figured out above, being able to fingerprint and activate specific devices is key in enabling a licensing strategy where you are able to revoke and move keys around, without opening up for endless license key sharing. And one way to do that smoothly is by attaching license ownership to user accounts. By having user accounts, you can also offer portals where users can manage all of their licenses, and offer streamlined product activation flows.

Similarly to the license identifiers described above, also in this flow we can ensure that activated products are activated for a specific device. What is different in this flow is that by removing the user-entered license key, we can afford to generate much more complex keys than might fit in a purchase receipt. Specifically, keys that are created for the specific device!

Moonbase license tokens are issued as JWTs for example, where we can attach a number of claims to the license, one of which being the fingerprint of the device being activated. If you want more details on this, check out our license token documentation, where you can see all the claims we currently add. JWTs are Json Web Tokens, and is a way to combine a set of properties with a signature verifying the legitimacy of those properties. The JWT tokens issued by Moonbase are signed using RSA 2048-bit key pairs, unique to your Moonbase account.

You might think that requiring the user to log in to your software creates a point of friction, with quite some development work needed, and we tend to agree! That's why we've also built APIs and UI to let apps merely open a webpage to activate themselves. From experience, we know that users of your software are usually already logged in to your customer portal, making this flow practically a 1-click-activation flow! An example implementation guide can be found in our SDK documentation, and you can always contact us for more support implementing this.

This handles online activations, but what about activating offline devices? If this is not a requirement for your customers, then feel free to skip ahead, but for some industries it's a must-have. The key part to understand here is that in the flow sketched out above, it doesn't really matter if the customers logs in to fetch a license on the device that has the app installed, or another device, as long as they can bring a device token with them - something to identify what device they are trying to activate, something we call a "device token" or a "machine file". This UI comes out of the box with Moonbase, and you'll also have the APIs to build it into your own storefront if you want to:

The license tokens generated this way will still be issued for the specific offline device being activated, and you will have the means to validate that it is indeed a legitimate license token issued for the given product and device.

Compared to the other strategies, we now have a combination of:

1. Supporting both online and offline activations
2. Ability to let users or merchants revoke licenses
   • Except for offline activated devices, as they will have no way of knowing they have been revoked
3. Smoother activation flows where users can get going in a single click

If you want to achieve the best licensing strategy for your apps, sign up today!