Protect Software with Hardware
Volume Number: 14
Issue Number: 8
Column Tag: Developer Tools
Protect Your Software with Hardware:
Adding Software Protection Systems to Your
Programs
by by Steve and Patricia Sheets
Hardware to protect your software
Software Piracy is a fact of life for Macintosh developers. For popular programs in the
US, there are more illegal copies created than legal ones. The numbers are even worse
internationally, where over 90% of software is pirated. The original method to combat
this piracy was software copy protection. This has become a thing of the past. Modern
users expect to be able to make archive copies of all software, while modern pirates
can easily break any software based disk scheme. For most software companies,
anti-piracy planning involves working with organizations like the Software
Publishers Association and the Justice Department to stop institutionalized piracy.
After that point, the losses are considered to be part of "doing business".
While piracy of the more main stream products is painful, when more expensive
vertical applications (ones intended for small markets) are copied, it can break a
small company. A developer that only expects to sell 500 copies of his program needs
to do all he can to make sure no one steals even one customer. To combat theft, several
manufactures have been creating hardware based anti-piracy solutions for these
software developers. These hardware devices, commonly called "dongles", are required
for the software to run correctly. While a pirate (or legitimate user) can easily make
copies of the software product, he can not easily duplicate the accompanying hardware
device. For the cost of the "dongle" (between $20 to $40 depending on features and
quantities), a software developer has taken a major step to protect his valuable
software package.
This article explains the ideas and advantages of using a hardware "dongle", as well as
the effectiveness of these products. Other less know uses of "dongles" will be explained.
Three of the main manufacturers of Macintosh "dongles", Aladdin Knowledge System,
Rainbow Technologies and Micro Macro Technologies will be discussed. Each product
features and APIs will be explained.
Apple Desktop Bus to the Rescue
In the Macintosh world, the preferred "dongle" type is an ADB device (Apple Desktop
Bus). These 4-6 inch devices plug into the normal desktop bus chain of the Mac. The
devices universally look like short cables with a fat connector on one end. Unlike
similar PC devices that plug into a parallel or serial port, there is no conflict with the
normal operation of the port. The Mac "dongles" do not monopolize a port, and the
logical limit of 16 ADB devices usually is not a factor. There is an additional physical
limit of how many "dongles" can be used at once, because the devices use the power of
the ADB. The number of usable "dongles" is dependent on the keyboard, mouse and
cables being used, but a developer can safely assume at least five "dongles" will
function on one computer.
Since the "dongle" is an ADB device, it needs to be connected at boot time to function
correctly. When the application runs, it communicates with the device to insure that
the user is legitimate. This communication is secured, and nearly impossible to break.
Developer places calls inside their program to make this communication. It is a good
idea not to just query the "dongle" one time at startup, but to actually do the checking
at various locations in the program. This way the user can not trick the program by
detaching the "dongle", after the program has started, to be used on another machine.
On the other hand, do not call the "dongle" every time through the main event loop. The
"dongle" APIs are fast, but not that fast. A good rule of thumb is to put the call before
any IO portion of the program (Open File, Save File, Print), or at any time where
different functions are invoked (spreadsheet mode vs. word processor). The more
locations that call the API, the harder it is for software pirates to reverse engineer
and modify the program to not use the "dongle". Some programmers notice that these
are same locations they would normally modify when creating "crippled" shareware
versions of the software vs. registered copies. Yes, the same ideas apply.
How effective is a "dongle"? If a software developer is looking for a perfect software
piracy scheme, he will not find it here, and may never find it anywhere. The original
software can be reversed engineered, and jump commands could be placed over the
machine code that calls the various "dongle" APIs. While difficult to do the various
algorithms built into the device, even the hardware itself could be reversed engineered
and someone could design "pirate dongles". Either way, it would take a considerable
investment of time and money for the pirate to crack the product. For most casual
pirates, the protection provided by the "dongle" is fairly absolute. The user needs to
have the device to run his program. The professional pirates would definitely steer
away from the expense of duplicating "dongled" software. Mass pirating of the
developers software would be dramatically decrease.
"Dongle" Feature Set
The three makers of "dongles" in this article use different methods to verify that the
user is the correct one. However, all of them have common features and designs. When
the developer purchases his "dongles" to be bundled with his software, he is given a
single ID that uniquely identifies him. All the "dongles" he purchases will have this ID,
as well as a unique ID for the given device. When the user's program is running, calls
added to the program interrogate the ADB device, and look for these IDs. Generally, the
Developer ID is all that is used to verify that the software has the correct "dongle' to
run, but the programmer is not limited to this. A program can be written to use the
device id to uniquely identify the program when accessing the Internet. It could be
included when emailing registration information to the developer. For an in-house
developer, the software itself could be recompiled any number of times, so each rev of
the software requires one and only one unique "dongle" to function.
Several of the "dongles" provide more than just developer/device ID. Some provide
temporary and permanent memory storage. The temporary storage is RAM on the
device that the programmer can access. He can store any data he wished onto the RAM.
No matter what the user does (quit the application, trash the System preference folder
or delete the software application), this value will remain there until it is modified or
the user shuts down the machine. The RAM might be used by different applications
from the same developer as shared memory.
The permanent memory storage (often called Registers) of the "dongles" last even if
the user disconnects the device from the computer. This is often implemented using
ASIC (Application Specific Integrated Circuit). In fact, these Registers can be preset
from the developer to a given value. The makers of the devices provide the developer
with utility programs that allow them to modify these Registers before they ship them
to their customers. Once in the users hands, the Registers can function as Read Only
memory or Read/Write memory. For example, the applications serial number could be
stored into a Register.