Blog on Software Licensing, Commercialization, and Revenue Optimization

Introducing reseller portal for software licensing

Since the end of last year, we have made the reseller portal generally available for all users. We would like to thank all our beta customers for their feedback during the development process.

Idea

The goal behind the reseller portal is to allow you to delegate license issuance rights to other users. This can be your resellers/distributors, IT-admins of your customers or your employees. In other words, “reseller” can be any user that should only be able to create specific amount of new licenses based on a pre-defined template.

The reseller portal also introduces new logging capabilities. All events related to new licenses, customers, etc, are stored in the object log. Thanks to this log, you can, for instance, bill your resellers or customers only when they have successfully created a new license.

Getting started

Once you have created a new account, the reseller portal will be available in the top menu. If you are an existing customer, you can enable it on the billing page. As the next step, we recommend to check out the wiki page for more information.

Please let us know if you have any questions 🙂

Rust code for software licensing

Today we have released a library that you can use to implement license key verification for applications written in Rust. The library is freely available on GitHub.

To verify a license, you can use the code similar to the one below. More information about the parameters can be found here.

use cryptolens;

fn main() {
  let license_key = cryptolens::KeyActivate(
      "WyI0NjUiLCJBWTBGTlQwZm9WV0FyVnZzMEV1Mm9LOHJmRDZ1SjF0Vk52WTU0VzB2Il0=",
      cryptolens::KeyActivateArguments {
          ProductId: 3646,
          Key: "MPDWY-PQAOW-FKSCH-SGAAU",
          MachineCode: "289jf2afs3",
          .. Default::default()
      }
    ).unwrap();

  let public_key = r#"<RSAKeyValue><Modulus>khbyu3/vAEBHi339fTuo2nUaQgSTBj0jvpt5xnLTTF35FLkGI+5Z3wiKfnvQiCLf+5s4r8JB/Uic/i6/iNjPMILlFeE0N6XZ+2pkgwRkfMOcx6eoewypTPUoPpzuAINJxJRpHym3V6ZJZ1UfYvzRcQBD/lBeAYrvhpCwukQMkGushKsOS6U+d+2C9ZNeP+U+uwuv/xu8YBCBAgGb8YdNojcGzM4SbCtwvJ0fuOfmCWZvUoiumfE4x7rAhp1pa9OEbUe0a5HL+1v7+JLBgkNZ7Z2biiHaM6za7GjHCXU8rojatEQER+MpgDuQV3ZPx8RKRdiJgPnz9ApBHFYDHLDzDw==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"#;

  match license_key.has_valid_signature(public_key) {
    Ok(true) => { }
    _        => { println!("Signature check failed. Aborting!"); return; }
  }

  println!("Successfully activated license key: {}", license_key.Key.unwrap());
}

As always, let us know should you have any questions!

Autodesk Revit plugin software licensing

Autodesk® Revit is a powerful building information software, which allows developers to extend its functionality through plug-ins that can be written in either Python or .NET. In order to monetize your plugin, we need to implement a license verification mechanism and a way to accept payments from prospective customers.

License verification

Python plugins

If your plugin is written in Python, you can use the Python2 version of our Python client. A simple license verification can be performed with the code below (your specific parameters can be found here):

from cryptolens_python2 import *
HelperMethods.ironpython2730_legacy = True

pubKey = "<RSAKeyValue><Modulus>sGbvxwdlDbqFXOMlVUnAF5ew0t0WpPW7rFpI5jHQOFkht/326dvh7t74RYeMpjy357NljouhpTLA3a6idnn4j6c3jmPWBkjZndGsPL4Bqm+fwE48nKpGPjkj4q/yzT4tHXBTyvaBjA8bVoCTnu+LiC4XEaLZRThGzIn5KQXKCigg6tQRy0GXE13XYFVz/x1mjFbT9/7dS8p85n8BuwlY5JvuBIQkKhuCNFfrUxBWyu87CFnXWjIupCD2VO/GbxaCvzrRjLZjAngLCMtZbYBALksqGPgTUN7ZM24XbPWyLtKPaXF2i4XRR9u6eTj5BfnLbKAU5PIVfjIS+vNYYogteQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"

res = Key.activate(token="WyIyNTU1IiwiRjdZZTB4RmtuTVcrQlNqcSszbmFMMHB3aWFJTlBsWW1Mbm9raVFyRyJd",\
                   rsa_pub_key=pubKey,\
                   product_id=3349, key="ICVLD-VVSZR-ZTICT-YKGXL", \
                   machine_code=Helpers.GetMachineCode())

if res[0] == None or not Helpers.IsOnRightMachine(res[0]):
    print("An error occurred: {0}".format(res[1]))
else:
    print("Success")
    
    license_key = res[0]
    print("Feature 1: " + str(license_key.f1))
    print("License expires: " + str(license_key.expires))

C# or VB.NET

If your plugin is either written in C# or VB.NET, you can use our .NET library instead. To add it to your project in Visual Studio:

  1. Right click on your project in the Solution Explorer and click on Manage NuGet Packages.
  2. Search for Cryptolens.Licensing and install it.
  3. Add the code-snippet form this page in the code where the plugin loads for the first time.

Accepting payments

One way to sell an Autodesk Revit plug-ins is by publishing them in the Autodesk App Store, where a basic licensing mechanism is already provided. The problem with this approach is that the licensing models available are quite limited (eg. you can only charge your customers once for the plug-in and they will be able to use it in perpetuity). For instance, selling your plug-in as a service (subscription model) is not supported.

A better approach is to still publish your plug-in in the Autodesk App Store and set it to be a free app. You can then ask your customers to get a separate license key to be able to unlock all features.

You can read more about various ways of selling your software in our help pages. I would also recommend to check out the available licensing models.

If you have any questions, please feel free to reach out!

Tips on monetizing Python applications

Python can be used to develop a variety of applications, either as plugins (eg. for Discord, AutoCAD, Autodesk Maya, etc) or standalone applications. In this post we will focus on how to monetize a standalone Python application.

Let’s say you have developed a Python application that classifies images (eg. using tensorflow or pytorch). To start selling it, there are just three things we need in place:

  • Code obfuscation – to ensure that no one can reverse engineer the application.
  • License verification – to ensure that customers need a license key before they can use the application (eg. so that you can restrict which features they can use and how long the license is valid).
  • Webshop – so that customers can obtain a license key to unlock functionality.

Code obfuscation

To obfuscate your application, multiple tools can be used. You can either use packages such as pyarmor that are made to obfuscate Python code or open source tools such as pyinstaller in combination with cpython (for most sensitive code).

License verification

A license key can be easily verified using the code below. You can find more information about the parameters here.

from licensing.helpers import Helpers
from licensing.models import Response, RSAPublicKey
from licensing.methods import Key

pubKey = "<RSAKeyValue><Modulus>sGbvxwdlDbqFXOMlVUnAF5ew0t0WpPW7rFpI5jHQOFkht/326dvh7t74RYeMpjy357NljouhpTLA3a6idnn4j6c3jmPWBkjZndGsPL4Bqm+fwE48nKpGPjkj4q/yzT4tHXBTyvaBjA8bVoCTnu+LiC4XEaLZRThGzIn5KQXKCigg6tQRy0GXE13XYFVz/x1mjFbT9/7dS8p85n8BuwlY5JvuBIQkKhuCNFfrUxBWyu87CFnXWjIupCD2VO/GbxaCvzrRjLZjAngLCMtZbYBALksqGPgTUN7ZM24XbPWyLtKPaXF2i4XRR9u6eTj5BfnLbKAU5PIVfjIS+vNYYogteQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"

res = Key.activate(token="WyIyNTU1IiwiRjdZZTB4RmtuTVcrQlNqcSszbmFMMHB3aWFJTlBsWW1Mbm9raVFyRyJd",\
                   rsa_pub_key=pubKey,\
                   product_id=3349, key="ICVLD-VVSZR-ZTICT-YKGXL", machine_code="test")

if res[0] == None:
    print("An error occured: {0}".format(res[1]))
else:
    print("Success")

Webshop

When you have obfuscation and license verification in place, we need a way for customers to be able to order a license key. If you already have Stripe, you can use the recurring billing module, which acts like an interface for plans defined in your Stripe account. In other cases, you can either use payment forms or a different platform (please read more here).

Questions? Please reach out to us at support@cryptolens.io 🙂

Offline SDK protection in .NET with software licensing

A common way to distribute functionality is by creating an SDK that can be consumed by developers inside their own application. The advantage of shipping functionality as an SDK is that you can focus on improving the core algorithms without the need of creating a separate GUI for a specific use-case.

Cryptolens already offers a way to protect SDKs and today we would like to introduce a new way that was specifically developed for .NET libraries that are permanently offline or where a perpetual licensing model is preferred.

How it works

The idea behind the new SDK licensing technique is to require developers to sign the application that will use your SDK with a special utility. When this is done, a new file with the certificate will be created in the same folder, which can later be verified when the SDK is called. This ensures that only authorised developers can develop applications that use your SDK.

Inside the SDK, you only need to call Helpers.VerifySDKLicenseCertificate() with your RSA public key, and it will make sure that the certificate is valid. A nice feature of this method is that it also returns a LicenseKey object, which you can use to decide which features should be available, etc. You can see a demo of this here.

In order to sign an assembly, developers can use a special utility that is available open-source on GitHub. Developers need to provide their license key and the assembly signing utility will automatically send their machine code so that you can control which developer machines can perform the signing operation.

Getting started

To get started, please check out the tutorial for SDK developers on the following page. All the helper tools and demo projects are available open-source in our GitHub repo.

Metered usage with Stripe recurring billing in software licensing

A year ago, we released the recurring payment module to the customer dashboard, which allows your customers to sign up for plans and instantly receive the license key.

This has now been extended with the option to record usage in addition to the subscription fee. It is quite useful if you offer some features on a usage-based basis (eg. yearly report generation in an accounting software). It can also be used to to charge for API calls or other types of method calls.

In .NET, usage can be tracked with a one line of code:

var res = Subscription.RecordUsage(auth, new RecordUsageModel { Amount = 1, ProductId = 3349, Key = "CMXKC-GUQRW-EJUGS-RRPUR" });

It quite easy to get started. Please check out this article for more information. You always welcome to reach out to us should you have any questions 🙂

Sign up customers automatically for the customer portal

A recent addition to the platform is the ability to sign up customers automatically to the customer portal. Instead of creating a customer manually or through the API, you can publish a generic link that will automatically register a customer with your account. This link can be found on the customer page.

In addition to allowing your customers to see their current licenses, the customer portal gives them the option to order new licenses as well as use their login credentials instead of the license key when unlocking your software. We will cover each case below.

Why customer portal?

Listing licenses

When you assign licenses to a customer account, your customers will be able to see all their licenses and their properties, such as the set of features they are entitled to and when they expire.

Recurring payments

If you have set up Stripe with your account, you can allow your customers to sign up for a plan in the customer portal and get instant access to a valid license key. They can also easily manage their subscriptions. You can read more about how you can get started here.

User account authentication

Instead of using a license key, you can allow your customers to authenticate using their login credentials. Cryptolens has developed a state-of-the-art protocol that preserves the privacy of your customers (more information about the protocol can be found here). You can read more on how to get started here.

Be careful with sessions: Garmin Connect App example

It’s not uncommon nowadays to see people with a smartwatch, be it Apple Watch or another brand such as Garmin. I think there are many advantages of using one; to me, it’s about keeping track of exercises in the gym as well as other parameters such as stress and sleep.

Many smartwatches record a wide range of data points: puls, movement, altitude and location. This amounts to large amount of data, which can be used to infer various things about the individual. Therefore, it’s important to keep this data safe.

In this post, I would like to share the security issue in the Android version of the Garmin Connect app and list several tips on how this can prevented when you work with sessions in your projects.

Background

When developing an application that requires user authentication, most of the time one needs the state to persist so that users don’t need to enter the username or password each time they visit a new page. Sessions can help us to accomplish that. Using sessions is less secure than asking for credentials all the time, but it’s trade-off that most of us can accept.

The issue

Before we start: I have confirmed with Garmin that they have fixed the issue before publishing this post.

Early in April last year, I changed my password to Garmin Connect on their website. I was already logged in into the Android version of the Garmin Connect app with my old password and my expectation was that the app would ask me to re-authenticate at some point. But, it did not. I cannot tell how long the session would persist, but I could keep using the app for several weeks with the old session.

The problem with such a long session duration is that it gives users a false sense of security when they change their password. For example, imagine that the user had a weak password at some point and an adversary was able to login and obtain a new session. Even if the user would have changed the password later, an adversary would still have access to their health data.

If this problem would have occurred in, let’s say, the Neftlix app, I would not be as worried, but since Garmin Connect stores large amounts of health data, I felt like that the consequences of a potential breach could be huge.

Proposals

After filing this security concern to Garmin, I proposed the following changes:

  • Make sure that sessions are reset everywhere (especially in the android app) during a password reset (or at least offer the user the choice of selecting this option on the website)
  • Time-limit the sessions on the mobile devices
  • Enable two-factor auth for each account

Conclusion

To sum up, whenever you have to persist a state, make sure that sessions expire at some point and that users have the option to log out from all devices. It’s always a trade off between security and convenience, so when you decide the session length etc, you need to take into account the impact of a potential breach, etc. In some cases, you can require users to re-authenticate if the operation is highly sensitive.

Managing app settings in software licensing

When developing apps, you will likely need to store some metadata. This can either be specific to a certain user or be shared among all users.

Data objects offer an easy way of managing metadata either on the product, license key or machine code level. They are quite useful since it’s easy to change them as your application evolves and user-specific data will stay the same across all devices.

In this article, we will cover data objects associated with a product.

Editing metadata

To add or edit data objects on the product level, you can click on the Data Objects link as shown below:

On the next page, you can either add or edit existing data objects. The names are case-sensitive and duplicates are not allowed.

Retrieving metadata on app start

Let’s assume our application needs to obtain the currently supported DOTNET_RUNTIME (which we defined in the previous step). This can be accomplished with the code below (the project files are available here).

To get it up and running, we need to specify an access token and modify the ReferencerId. The access token needs to have the “ListDataObjects” permission checked and we also strongly recommend to specify the product it should work with. The ReferencerId should be the Id of the product.

 var systemSettings = Data.ListDataObjects("access token", new ListDataObjectsModel
 {
     ReferencerType = DataObjectType.Product,
     ReferencerId = 3349,  // <- the product id
 });
 
 if(!Helpers.IsSuccessful(systemSettings) || systemSettings.DataObjects == null)
 {
     Console.WriteLine("Could not retrieve the settings.");
 }

 var settings = systemSettings.DataObjects.ToDictionary(x=> x.Name, x => x);

 if(settings.ContainsKey("DOTNET_RUNTIME"))
     Console.WriteLine(settings["DOTNET_RUNTIME"].StringValue);

What’s next?

In the future tutorials we will describe how you can store user specific information. In meantime, let us know if you have any questions 👍