Sale of licenses (license key) for Air apps

How (what services use) to better organize the protection, payments, sending license keys for shareware Air applications?

I'm the owner of the company that makes LimeLM . We have a fully written example showing how to add licensing to Adobe AIR apps. LimeLM handles all the details for you. Plus you can use our web API to integrate the key generation into your website order process. We have full examples for PHP and ASP.NET so you don't have to write it all yourself.

Our type of licensing is hardware locked licensing. In other words LimeLM is a lot like Windows activation or Microsoft Office activation. You send a user the product key they enter it in your app, then you call an "Activate" function that sends the product key data along with a "fingerprint" of the computer. LimeLM then sends a cryptographically signed verification back to the user's computer. This "activation" locks the product key to the computer. That is, a user can't go use the product key on 50 other computers.

Of course you can make it easy for the user to move your product from one computer to another using "deactivation", but the point is the hardware-locked licensing (aka online activation) gives you complete control over the entire licensing process.

Do it yourself

If you have more time than money you can always develop this yourself. Obviously I would prefer you just signed up for LimeLM (we even have a free plan), but I also know when you're just starting every penny counts. Plus, some of our biggest customers are companies (and individuals) who went down the "build it in-house" path and are glad to hand off the responsibility to us.

There's a huge amount of work that goes into making a licensing product, but the grand overview of hardware-locked licensing is this:

• Create a native library (aka a *.dll on Windows, *.dylib on Mac, *.so on Linux) that can create a unique hardware fingerprint based on all the components of the computer (motherboard, CPU serial, graphics card, memory serials, etc, etc.).
• This library should also be able to verify product keys created using Symmetric-key cryptography (e.g. AES ).
• Use Public-key cryptography on your servers to cryptographically sign the product key and hardware fingerprint. This "signed" response is then sent back to the user. Then you can check if the user is "activated" or not if the signed message is verified (this time you're using the other end of public-key cryptography).

The great thing about Symmetric-key cryptography is that it creates small keys (e.g. ABCDE-FGHIJ-KLMNO-XXXXX) and the Public-key cryptography for all intents and purposes cannot be forged. Using the in tandem will ensure that your licensing design isn't the weak point in your protection.

Hackers, crackers, and thieves

You didn't ask about cracking, but I might as well bring it up. Nothing that exists on a computer is uncrackable. That being said, casual piracy (that is, a person or company using the same product key over and over again) is a greater threat to your business than crackers. So you should always use hardware-locked licensing (like LimeLM or the "do-it-yourself" method described above) rather than just simple "serial" protection.

The way you handle crackers is to find all pirated versions of your software on the web and send DMCA notices. A very high percentage (> 90%) of these hosting sites remove illegal files based on DMCA requests. But it's a whack-a-mole proposition. That is, when you get 20 sites to remove your files, 20 more pop up the next week.

We've thought about this problem too, which is why we created Pirate Poacher. This is a service we offer (free for LimeLM customers) that handles the tracking & removing of pirated versions of your software for you.

Tell me if this helps.