How to create code to license my clients monthly?

2

I need to write code for a usage license, for example:

My clients pay monthly for use of our system; however, these clients have the application installed locally in their companies.

Every month I need to validate whether the customer paid the monthly fee and, if so, release another month of access. I believe this check would be done via a Web Service.

Is there a gem or some way to do this?

    
asked by anonymous 17.11.2014 / 17:08

1 answer

5

Regardless of language or platform, locally installed programs with license to use can never have complete security against misuse. This is true even for extremely complex software written in machine language (see Windows).

From my point of view, the whole security issue can be summed up in making the copy difficult enough to make it worthless.

For dynamic languages such as Ruby, this can be done by obfuscating the code of some classes to prevent a mere "fader" from finding a single line of code and "hacking" the program.

From this reasoning, it is possible to establish a series of strategies, whose effectiveness will depend on the commitment, knowledge and even luck of some possible "pirate."

Establish the criterion of "Original"

What criterion is used for your program to know if it is original?

Calling a Web Service is an exit, but it can be very trivial. Someone with no knowledge of Ruby can monitor the network using a "Network Monitor" and create a fake service to simulate the return of success.

I do not have a definitive answer to this, but an interesting output would be to establish an algorithm that generates codes based on the current date (month). Without the insertion of a code every month the program stops working.

The program would not generate the code, but would retrieve it from the Web Service. This prevents the user from reusing the license from previous months.

Check the license several times

Do not check the validity of the license only at program startup. Once a colleague circumvented the 30-day test of a program by making a simple% of% that:

  • Changes the system date
  • Opens the program
  • Restores the current date

In addition, this will make life difficult for a possible "hacker". At first he can circumvent the boot class and will be satisfied. But as soon as he opens the first screen of the program, he will see another point where the license is checked.

If the limitation is applied at several important points of the system, at least it will decrease the attacker's mood.

Dim the code

Nothing is easier than finding plain text content and organized directories.

An important step to avoid the "breakdown" of the system by laypeople is to make it obvious where the license is stored or verified.

We all know that security by obscurity in general is not good. But in that case, make it take more effort to do this, make it necessary to know about various technologies to find out how your license system works.

For example, encrypting files locally using symmetric keys and keeping the hard-coded password in the program does not give much security. But it gives enough security so that a curious person cannot see the information and it is necessary to search the entire program to find this password.

Otherwise, there are some tools that obfuscate the code in some intermediate format. For Ruby, I found only the rubyencoder. Basically it encrypts its sources and then uses a native extension in C to decode and load the code at runtime.

Something problematic in dynamic languages, especially when they use metaprogramming, is that obfuscating certain code snippets breaks the program because it depends on the names of the parameters, attributes, and classes. Therefore, I suggest to overshadow only utilitarian classes related to licensing and not the main classes of the system.

Do not distribute the complete program

Another measure to avoid piracy is not to distribute full versions for demo and not to distribute the code of features that certain customers did not hire.

If you make a modular system, it will prevent someone from unnecessarily getting the full code and then copying and forwarding it to others.

Monitor

Your program can check the license with some frequency using the Web Service, for example, every week.

Check the IPs and number of calls to find evidence of unauthorized copies of the program.

Make a good contract

Do not forget to put all the information about licensing, access to the web service and monitoring in a contract.

Do not do this in a hidden way, otherwise some client may sue you for privacy intrusion or something.

17.11.2014 / 18:05
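The following is an added example, not part of the original answer: one way to implement the monthly code retrieved from the Web Service so that a fake local service cannot produce it, together with a check for the date-change trick. It assumes an RSA signature, which the answer does not prescribe. The class names, the customer id and the key pair are hypothetical and constructed for the demo.

```ruby
require "openssl"
require "json"

# Hypothetical names throughout; sample key and customer ids are constructed.
# Web Service side: signs "customer + month" with a private key that never
# leaves the vendor's server, so a simulated service cannot mint valid codes.
class LicenseIssuer
  def initialize(private_key)
    @key = private_key
  end

  def issue(customer_id, month) # month is "YYYY-MM"
    payload = JSON.generate("customer" => customer_id, "month" => month)
    signature = @key.sign(OpenSSL::Digest.new("SHA256"), payload)
    [payload, signature].map { |part| [part].pack("m0") }.join(".")
  end
end

# Installed-program side: ships only the public key, returns a status symbol.
class LicenseVerifier
  def initialize(public_key, customer_id)
    @key = public_key
    @customer_id = customer_id
    @last_seen = nil # a real program would persist this between runs
  end

  def check(token, now)
    # A clock earlier than one already observed suggests the date was set back.
    return :clock_rolled_back if @last_seen && now < @last_seen
    @last_seen = now
    payload_b64, signature_b64 = token.to_s.split(".", 2)
    return :malformed unless payload_b64 && signature_b64
    payload = payload_b64.unpack1("m0")     # strict Base64, raises on garbage
    signature = signature_b64.unpack1("m0")
    valid = @key.verify(OpenSSL::Digest.new("SHA256"), signature, payload)
    return :bad_signature unless valid
    license = JSON.parse(payload.force_encoding("UTF-8"))
    return :wrong_customer unless license["customer"] == @customer_id
    return :expired unless license["month"] == now.strftime("%Y-%m")
    :valid
  rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
    :malformed
  end
end

VENDOR_KEY = OpenSSL::PKey::RSA.new(2048) # constructed demo key pair
TOKEN = LicenseIssuer.new(VENDOR_KEY).issue("acme", "2014-11")
puts LicenseVerifier.new(VENDOR_KEY.public_key, "acme").check(TOKEN, Time.utc(2014, 11, 20))
```

Calling `check` from several places in the program, as the answer recommends, reuses the same verifier so the last-seen timestamp covers every check point.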