Protecting a high value C# application with only one user

Question

I have a single application -- written in C# -- which is used by only one user. I provide this software for a very high monthly fee (> $10,000). I'd like to protect this application against use by any other user and I'd like to be able to stop the one user from using the application if they stop paying the license fee.

I know that there is no perfect protection scheme, and I've reviewed the many similar questions on SO, but my question is a little different because I have only one client, I have full access to their hardware, and I don't mind taking even a few hours per installation for a substantial increase in security.

Answer 1

For 10K/month you could afford to run it on your hardware, which you administer, instead of on their hardware. You could put your hardware in a datacentre, to which they don't have physical access.

---

The hardware must be run on hardware at the customer's site.

So, I guess they're sensitive about where their data is located.

There are many 3rd-party licensing solutions (for example, Infralution, .Net Reactor, Oreans WinLicense, Armadillo, XHEO DeployLX, and presumably many more). If you're interested in Microsoft's own solution, see InishTech here and here.

Answer 2

The best solution is probably a combination of popular tactics in use today:

Lock the application down

…to the MAC address, hard drive serial number, and windows product key of the host operating system (if available). You could hard-code this into the application after gathering it at the site. If the wrong hardware is detected then shut it down. Also, look for items in the registry that suggest the presence of VMware or Virtual PC integration features and refuse to run when found.

Obfuscate

…so it will be more difficult to reverse-engineer as well as remove your licensing. CIL is extremely easy to reverse-engineer so this should be a focus with your application (as described) no matter what else you do. This may take a lot of time to get right, especially if you rely on serialization. If possible, wrap all of your assemblies into one EXE file which is encrypted and has an unmanaged bootstrapper.

Send out a heartbeat

…to an offsite server, with hardware or site specific data. If the software is copied and started on another computer you may get a tip. This also has the potential to alert you if the application goes offline. Additionally, you could configure the application to require a basic encrypted response from your server or shut down.

One final note: don’t go overboard. Presumably, you are being paid $10,000 because of the experience of your application over possible alternatives (whatever those are). As you add in protective measures you increase the number of possible (very annoying) bugs, add maintenance cost, and headaches for your customer. A heavily disruptive licensing scheme could make your client think otherwise.