Category: Software Licensing Best Practices

Be careful with sessions: Garmin Connect App example

It’s not uncommon nowadays to see people with a smartwatch, be it an Apple Watch or another brand such as Garmin. I think there are many advantages of using one; to me, it’s about keeping track of exercises in the gym as well as other parameters such as stress and sleep.

Many smartwatches record a wide range of data points: pulse, movement, altitude and location. This amounts to a large amount of data, which can be used to infer various things about the individual. Therefore, it’s important to keep this data safe.

In this post, I would like to share the security issue in the Android version of the Garmin Connect app and list several tips on how this can be prevented when you work with sessions in your projects.

Background

When developing an application that requires user authentication, most of the time one needs the state to persist so that users don’t need to enter the username or password each time they visit a new page. Sessions can help us to accomplish that. Using sessions is less secure than asking for credentials all the time, but it’s a trade-off that most of us can accept.

The issue

Before we start: I have confirmed with Garmin that they have fixed the issue before publishing this post.

Early in April last year, I changed my password to Garmin Connect on their website. I was already logged in to the Android version of the Garmin Connect app with my old password and my expectation was that the app would ask me to re-authenticate at some point. But it did not. I cannot tell how long the session would persist, but I could keep using the app for several weeks with the old session.

The problem with such a long session duration is that it gives users a false sense of security when they change their password. For example, imagine that the user had a weak password at some point and an adversary was able to log in and obtain a new session. Even if the user changed the password later, the adversary would still have access to their health data.

If this problem had occurred in, let’s say, the Netflix app, I would not be as worried, but since Garmin Connect stores large amounts of health data, I felt that the consequences of a potential breach could be huge.

Proposals

After reporting this security concern to Garmin, I proposed the following changes:

  • Make sure that sessions are reset everywhere (especially in the Android app) during a password reset (or at least offer the user the choice of selecting this option on the website)
  • Time-limit the sessions on the mobile devices
  • Enable two-factor auth for each account

Conclusion

To sum up, whenever you have to persist state, make sure that sessions expire at some point and that users have the option to log out from all devices. It’s always a trade-off between security and convenience, so when you decide on things like the session length, you need to take into account the impact of a potential breach. In some cases, you can require users to re-authenticate if the operation is highly sensitive.
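One way to implement the proposals above on the server side, as an added example (not Garmin's code and not part of the original post): each session records the account's credential version, so a password change or a "log out everywhere" revokes all older sessions at once, and every session also has an absolute lifetime. The class name, the 14-day lifetime and the in-memory storage are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SESSION_TTL = 14 * 24 * 3600  # assumed policy: sessions live at most 14 days

def _digest(token):
    # Store only a hash of the token, so a leaked session table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    """In-memory sketch; every session is bound to a per-account credential version."""

    def __init__(self):
        self.users = {}     # user -> {"salt", "pw", "version"}
        self.sessions = {}  # sha256(token) -> (user, version, issued_at)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        """Register or change a password; a change revokes every existing session."""
        salt = secrets.token_bytes(16)
        version = self.users.get(user, {"version": 0})["version"] + 1
        self.users[user] = {"salt": salt, "pw": self._hash(password, salt), "version": version}

    def logout_everywhere(self, user):
        self.users[user]["version"] += 1  # same mechanism, without a password change

    def login(self, user, password, now=None):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], self._hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self.sessions[_digest(token)] = (user, rec["version"], issued)
        return token

    def validate(self, token, now=None):
        """Return the user name, or None if the session is unknown, revoked or expired."""
        entry = self.sessions.get(_digest(token))
        if entry is None:
            return None
        user, version, issued = entry
        now = time.time() if now is None else now
        if version != self.users[user]["version"] or now - issued > SESSION_TTL:
            del self.sessions[_digest(token)]  # drop dead sessions eagerly
            return None
        return user
```

The mobile client only ever sees `validate()` fail; it then has to send the user back through `login()` with the current password.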

Managing app settings in software licensing

When developing apps, you will likely need to store some metadata. This can either be specific to a certain user or be shared among all users.

Data objects offer an easy way of managing metadata either on the product, license key or machine code level. They are quite useful since it’s easy to change them as your application evolves and user-specific data will stay the same across all devices.

In this article, we will cover data objects associated with a product.

Editing metadata

To add or edit data objects on the product level, you can click on the Data Objects link as shown below:

On the next page, you can either add or edit existing data objects. The names are case-sensitive and duplicates are not allowed.

Retrieving metadata on app start

Let’s assume our application needs to obtain the currently supported DOTNET_RUNTIME (which we defined in the previous step). This can be accomplished with the code below (the project files are available here).

To get it up and running, we need to specify an access token and modify the ReferencerId. The access token needs to have the “ListDataObjects” permission checked and we also strongly recommend specifying the product it should work with, so that the token cannot be used against other products. The ReferencerId should be the Id of the product.

 using System;
 using System.Linq;
 using SKM.V3.Methods;
 using SKM.V3.Models;

 // Fetch all data objects attached to the product.
 var systemSettings = Data.ListDataObjects("access token", new ListDataObjectsModel
 {
     ReferencerType = DataObjectType.Product,
     ReferencerId = 3349,  // <- the product id
 });

 if(!Helpers.IsSuccessful(systemSettings) || systemSettings.DataObjects == null)
 {
     Console.WriteLine("Could not retrieve the settings.");
     return;  // stop here: systemSettings.DataObjects cannot be used below
 }

 // Index the data objects by name (names are case-sensitive and unique).
 var settings = systemSettings.DataObjects.ToDictionary(x => x.Name, x => x);

 if(settings.ContainsKey("DOTNET_RUNTIME"))
     Console.WriteLine(settings["DOTNET_RUNTIME"].StringValue);

What’s next?

In future tutorials we will describe how you can store user-specific information. In the meantime, let us know if you have any questions 👍

Autodesk Maya plugin software licensing

In the beginning of the year, we looked at licensing for Autodesk AutoCAD. Today, we are announcing support for another Autodesk product, Maya. Similar to AutoCAD, Maya allows you to develop plug-ins, and in this post we are going to cover how licensing works if you plan to sell them.

Adding software licensing library

Maya supports Python 2 for plugin development. To add license verification, only two things are necessary:

  1. Download and place cryptolens_python2.py into your plugin folder.
  2. Add the correct namespaces and the key verification logic, as described here.

If you want to read more about plug-in development in Maya, please check out this tutorial.

The next step is to sell your plugin, which we covered in the AutoCAD article. As always, let us know if you have any questions 🙂

Unity Software Licensing

Unity is a powerful cross-platform game engine. Since it uses C# as the scripting language, we can easily integrate it with Cryptolens client library. In this post, we explain how you can add license key verification into a Unity game and briefly cover payment integration.

Adding software licensing

  1. Download the binaries (please pick those without “System.Management”).
  2. Place these binaries into “Assets” folder.
  3. Add code from the key verification tutorial.

A sample Unity project can be found here.

Adding payments

Once licensing is in place, the next step is to add payment integration. Since Cryptolens is cloud-based, you can easily integrate it with your own billing system or use our existing integrations with popular platforms such as Stripe and PayPal. You can read more about how this can be accomplished here.

Please feel free to reach out should you have any questions!

Automating offline activations

Many times your customers may have either restricted internet access or no internet access at all. Although Cryptolens is a cloud-based licensing solution, you can still use it to protect offline devices. In this post, we cover three ways internet access can be restricted and how license key verification can be performed.

Periodic internet access

If your users are connected to the internet on a regular basis, we can cache the response from the “Activate” method each time we are able to contact the server. If, at some point, the internet connection is not available, we would fall back on the cached version of the license object.

When using this approach, it’s important to define how long your users can be offline. There is a field called “SignDate” in the license key object, which is the time when the response was signed by the server (i.e. the last time you successfully called Activate). So, if you only want to allow your users to be offline for 30 days, you can compare the current date with the “SignDate”.
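The SignDate comparison described above, as an added example that is not Cryptolens code. It assumes the cached response's signature has already been verified by the client library, that "SignDate" and "Expires" are stored as Unix timestamps, and it goes one step beyond the text by also persisting a hypothetical `last_seen` high-water mark so that setting the local clock back does not extend the offline period.

```python
from datetime import datetime, timedelta, timezone

MAX_OFFLINE = timedelta(days=30)   # offline allowance used in the text
SKEW = timedelta(minutes=5)        # assumed tolerance for small clock differences

def check_cached_license(cached, now, last_seen=None):
    """Decide whether a cached, already signature-verified license may be used offline.

    cached    -- dict with "SignDate" and "Expires" as Unix timestamps (assumed layout)
    now       -- current local time (timezone-aware datetime)
    last_seen -- latest time this app has ever observed, persisted between runs
    Returns (status, new_last_seen); the caller stores new_last_seen for the next run.
    """
    signed = datetime.fromtimestamp(cached["SignDate"], timezone.utc)
    expires = datetime.fromtimestamp(cached["Expires"], timezone.utc)
    newest = max(t for t in (signed, last_seen) if t is not None)

    # The local clock is behind something we know already happened: it was set back.
    if now + SKEW < newest:
        return "clock_rolled_back", newest
    if now > expires:
        return "license_expired", now
    if now - signed > MAX_OFFLINE:
        return "offline_too_long", now
    return "ok", now
```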

License server (re-routing)

If your users have certain devices that have no direct internet access, one option is to use a license server, which will re-route all requests through a server hosted by the user. Only the server has internet access.

There is currently a Windows version of the server, freely available on GitHub.

Air gap (no internet)

If the devices have no internet access at all, we can use an idea similar to the one described under periodic internet access, with the only difference being that we always fall back on the license file.

In Cryptolens, there are three ways you can create such a file:

In the dashboard

Next to each license key, there is a yellow button which can be used to create license files:

Using activation forms

Activation forms allow your customers to download activation files themselves.

Using the API

If you want to automate license file creation, you can either call the Activate method using one of our client APIs or call the Web API directly (eg. using curl).

Floating licenses in Java

Floating licenses make it easier for your customers to switch between machines that actively run your software, without having to deactivate them first. For instance, you can constrain the number of concurrent users to 10, but still allow the software to be installed on eg. 100 computers.

In Cryptolens, floating licensing works by letting your app regularly poll the server to check if the number of concurrent users has been exceeded, which can be accomplished with the code snippet below:

import io.cryptolens.methods.*;
import io.cryptolens.models.*;

class FloatingLicenseExample {
    public static void main(String[] args) {
        String RSAPubKey = "RSA Public Key";
        String auth = "Access token";

        // 300 and 1 are the floating-license settings (time interval and overdraft);
        // see the Java client repo for the full parameter list.
        LicenseKey license = Key.Activate(auth, RSAPubKey, new ActivateModel(3349, "MTMPW-VZERP-JZVNZ-SCPZM", Helpers.GetMachineCode(), 300, 1));
        // A null result means the activation or the signature check failed.
        if (license == null || !Helpers.IsOnRightMachine(license, true, true)) {
            System.out.println("The license does not work.");
        } else {
            System.out.println("The license is valid!");
            System.out.println("It will expire: " + license.Expires);
        }
    }
}

Normally, if the app stops polling the server, that user will be automatically deactivated within the specified period of time. However, if you want to deactivate it instantly, you can use the code below:

import io.cryptolens.methods.*;
import io.cryptolens.models.*;

class DeactivateExample {
    public static void main(String[] args) {
        String auth = "";  // access token goes here

        // Release this machine's floating activation right away.
        boolean result = Key.Deactivate(auth, new DeactivateModel(3349, "MTMPW-VZERP-JZVNZ-SCPZM", Helpers.GetMachineCode(), true));
        if (result) {
            System.out.println("Deactivation successful.");
        } else {
            System.out.println("Deactivation failed.");
        }
    }
}

To see all the required parameters, please check out the GitHub repo of the Java client. Should you have any questions, please feel free to reach out.

Protecting Rhinoceros plugins with software licensing

Rhinoceros® (aka Rhino 3D) is a powerful computer graphics and CAD application. It’s also quite extensible as it allows developers to create their own plug-ins and add-ons. The aim of this post is to give you a quick way of getting started with software licensing in your application, with a focus on .NET.

One way of developing Rhino 3D applications is using Visual Studio. To add a simple key verification mechanism, only three steps are necessary:

  1. Right click on your project in the Solution Explorer and click on Manage NuGet Packages.
  2. Search for Cryptolens.Licensing and install it.
  3. Add the code snippet from this page in the code where the plugin loads for the first time.

You can now create a license key in the Cryptolens dashboard to test that the key verification code works. That should be it! If you have any questions, please feel free to reach out.

License server for software licensing

One of the problems experienced by software vendors when selling to large customers is that some of their machines that will be running the software do not have direct internet access.

Although it is still possible to use offline activation, having an active connection to Cryptolens makes things much easier for both you as the software vendor and your customers.

To solve this, we can use a license server that will re-route all the license verification requests from the computers in the network to Cryptolens, as shown below:

If you have already implemented key verification in your application, the license server can be set up quite quickly in two steps:

  1. Install the license server as described here.
  2. In the Key.Activate method, add the LicenseServerUrl parameter and set it to point to the license server (the IP and port are shown in step 1).

Ways of protecting your private data – a short intro to cryptography

Encryption is important. Although intuitively you might say that you have nothing to hide, it’s important to ask yourself the following question: would you be willing to give your Facebook password to a stranger or publish it online? Probably not. Most people have something to hide and encryption is one way of safe-guarding your private information.

The focus of this article is on how to protect your data against physical compromise (symmetric encryption), when you send it to someone (asymmetric encryption) and when you would like it to be retrievable (secret sharing).

Your own data (symmetric encryption)

If you want to protect files that only you will be working with, symmetric encryption is quite useful. Symmetric encryption means there is only one key to encrypt and decrypt data.

By default, it’s a good idea to have full-disk encryption to make sure your files are inaccessible if the computer or phone is lost. If you have a USB stick, it’s also useful to encrypt the information on it as these tend to be lost more frequently.

Tech savvy: 

Nowadays, AES (Rijndael) is the one that is considered to be secure, so by default this is the way to go. The most common AES versions are with 128-bit keys and 256-bit keys. For most cases, 128-bit keys should be ok, but for extra paranoid users, you can both increase the key size and combine it with other encryption methods, such as AES-Twofish-Serpent (all of these are AES finalists).

If you leave your computer unattended, please make sure it’s turned off. Preferably, it should stay off for 10 minutes to avoid a cold-boot attack.

Tools

  • BitLocker (built into Windows, mainly for full-disk encryption)
  • VeraCrypt (cross platform, full-disk encryption and encrypted containers)

Sharing data with others (asymmetric encryption)

Imagine you would like to allow everyone to contact you securely without having to agree on a secret key first (which is the case with symmetric encryption). This is where asymmetric encryption is useful. Instead of one secret key there are two: one to encrypt and one to decrypt.

There is a good analogy with real objects. To enable others to send you shipments securely, one way of accomplishing this would be to hand out unlocked padlocks with a box. If they want to send you something, they would lock the box with your padlock, ensuring that only you can open it.

Tech savvy:

The most common asymmetric encryption methods are RSA and elliptic-curve cryptography (ECC). There is some debate about which method is more secure. Both RSA and ECC base their security on mathematical problems that are hard to solve. Since we are better at factoring large numbers (which can help to break RSA) than we are at solving the elliptic curve discrete logarithm problem, RSA keys tend to be larger than those in ECC (2048 vs 256 bits) to guarantee the same level of security.

There are also different kinds of ECC curves, ones proposed by NSA (NIST curves) and by independent researchers, eg Curve25519 by Daniel J. Bernstein, and there are mixed opinions on which one to choose (an interesting article on the topic).

I tend to use either RSA 4096 or Curve25519 for ECC.

Tools

  • GnuPG (for email communication)
  • Signal (end-to-end encrypted messaging)

Splitting a secret (secret sharing)

In case something happens to you and you don’t want your encrypted data to be inaccessible, you can break up a password (eg to your personal files) into multiple pieces that you give to your close friends. All friends need to agree to retrieve the original secret.

Tech savvy:

Additive secret sharing (code snippet shown below) is the easiest to understand and implement but it requires all parties to be present to retrieve the secret. Shamir’s Secret Sharing allows us to define how many shares will be necessary to get the secret.

The cool thing about secret sharing is that it’s unconditionally secure, meaning that we need all shares to retrieve the secret and an incomplete set of shares tells us nothing about it, no matter how many of them we hold. It also means that the modulus Q does not need to be large.

If it’s ok to require all parties to be present to get the secret key, you can use the code for additive secret sharing below. Your secret can be any number less than 2^512 (512 bits).

import secrets

Q = 2**512

def encrypt(x, no_shares = 3):
    """
    Splits the secret up into 'no_shares' shares
    """
    # randbelow(Q) draws uniformly from 0..Q-1, i.e. uniformly modulo Q
    shares = [secrets.randbelow(Q) for i in range(no_shares - 1)]
    # the last share is chosen so that all shares sum to x modulo Q
    shares.append((x - sum(shares)) % Q)
    return shares

def decrypt(shares):
    """
    Combine all shares to retrieve the secret
    """
    return sum(shares) % Q

Tools

SendOwl and DPD integrations with Software Licensing

On a mission to make software licensing more accessible, we have recently improved our Web API to make integrations with other services easier. For example, we have made it possible to return license keys as plain text, which many third party platforms require.

When selling software, there are two problems that need to be solved: payment processing and software licensing. The core of Cryptolens has always been the comprehensive licensing API. If you are using SendOwl or DPD, you can keep using them for payments and Cryptolens for software licensing.

If you have a new project, I would recommend checking out our new tutorial about built-in recurring payments and payment forms.