0

I have to provide a Python CLI-based program to one of my clients. I will give him both the compiled version (using py2exe or something simillar) of the application and the source code.

The application structure is the following:

  • a cfg folder which holds some configuration files (the main .py parses these configs using configparser module and processes the data inside them
  • a log folder which will hold the logging files generated by the app
  • in / out folders which will be used for input / output files
  • a processed folder which will hold the input files that were used.

Now, the client will give the .exe version of the app to some clients and he wants to make sure that the only person that will use the app will be the one he has handled it to. Having said this, he asked for a way / hacky workaround of protecting the app in a way or another. He specified that he does not need a 100% way of protection (we all know that if there's a determined person in charge of this, he'll get around it anyways) but a decent one.

I know that Python, being a byte-code-compiled interpreted language, is very difficult to lock down. I'm not looking for a way to protect the code.I just need some kind of license key system embedded in my python code.

The question would be: how would you secure your Python CLI-based application?

Grajdeanu Alex
  • 498
  • 1
  • 6
  • 10
  • 1
    @gnat it doesn't seem a duplicate to me. I asked for a way of securing my app in terms of limiting the user to spread up the program and use it on their own behalf (a _hacky_ way of some hidden file or so) – Grajdeanu Alex Aug 04 '16 at 17:48
  • 1
    [top answer in the duplicate](http://programmers.stackexchange.com/a/10343/31260) explains that the way you want it won't work and what you really need instead. "If you want people to pay money for your product, copy protection is not the answer. It never has worked and never will. The answer lies in Economics 101: people will pay money for your product if..." etc – gnat Aug 04 '16 at 18:08
  • "limiting the user to spread up the program" sounds **very** much like "prevent piracy" to me. Clearly a dupe. This question or variants of it has been asked here and probably on SO several times. – Doc Brown Aug 05 '16 at 08:49
  • There is no software solution. Try something contractual. – Blrfl Aug 05 '16 at 14:23

1 Answers1

0

Here is a simple solution. It does not protect the code and can be easily hacked, but nevertheless it requires some effort from customers who are breaking bad).

Instead of getting a generic executable, a customer will receive an executable with an embedded unique password, The password should be supplied to the program as a command-line argument:

program.exe pseudocode:

USER_KEY_PLACEHOLDER = '0000000000000000' # e.g. 16 chars

password = get_cli_argument('-p')

h_password = hash(password)
if h_password != USER_KEY_PLACEHOLDER:
    raise InvalidPassword()

The signer program should be supplied to your customer. 

program_signer.exe pseudocode:

password = get_cli_agument_or_generate_random_string()
h_password = hash(password)

find_user_key_placeholder_in_program_exe()
embed_h_password_into_user_key_placeholder()

So, the whole supply chain goes as follows:

The customer has the program and the signer. Every time an end-user requests the program, the customer uses the signer as follows:

signed_program = signer(program, password)

A password - is a unique string, randomly generated for every user.

The end-user receives a signed_program and a personal unique password. The signed_program will start only if a correct password is supplied.

Zaur Nasibov
  • 292
  • 2
  • 13