To get the most security out of a Software License Protection Dongle, first understand the core protection concept of the dongle you have chosen, and plan how you will use its security features before you start the actual integration. Below are some useful tips and tricks for optimizing protection with a Software License Protection Dongle.
Combining API and Envelope
Most Software License Protection Dongles come with an API (Application Programming Interface, delivered as DLLs and object files): a set of library files that software vendors use to add protection function calls to their source code. The Envelope is a shell program, supplied with the dongle, that lets the software vendor encrypt an application without modifying its source code. The best protection combines both: complete the API protection first, then apply the Envelope.
Because the best protection today might no longer be secure a few years from now, it is very important that software vendors update their protection often. The best practice is to change the protection strategy for different versions or products, rather than using the same strategy once and for all.
Object vs DLL Links
To gain higher security, a software vendor should link their applications to the Software License Protection Dongle’s object files instead of its DLLs. Linked objects are compiled into and become part of the protected application, which makes simulation attacks more difficult.
Intelligent use of API Calls
A smart protection should include multiple API calls, using different security functions, from various points in the program. Protection with a greater variety of API calls will definitely be harder to trace than protection with a few nearly identical API calls. Try to make your API calls more sophisticated.
Dummy API Calls
One simple way to make your protection even harder to hack is to include some dummy API calls, i.e. API calls or security checks whose result does not trigger any real reaction. This confuses hackers, who have to spend more effort analyzing the dummy API calls without ever knowing that they are not the “real” ones.
Most software vendors react immediately in their implementation when an API call finds no dongle or gets an invalid return, so hackers are able to trace back to the security checking points and then bypass them. To make your protection even harder to trace back, you can delay some of your reactions to confuse the hackers: if no dongle or an invalid return is detected, record that in a validity flag and suspend the program at a later point.
Many software vendors use a standard response, such as displaying an error message and suspending the program, when no dongle is found or the return is invalid. A better way to make hacking harder is to alter the program's functionality when the dongle is not found, such as disabling report printing until a valid dongle is attached. Hackers might not realize that a security check point is what restricted the program's functionality.
Authenticate instead of compare
Directly comparing a value is just too easy to understand. If the chosen dongle product provides features for it, software vendors should instead perform some form of authentication, such as verifying a checksum produced by predefined security algorithms. Some dongle products provide more advanced security features, such as onboard encryption, seed code or random code generation, and onboard security algorithms, which will maximize protection if used in the right manner.
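The difference between comparing and authenticating, as an added example that is not from any dongle vendor's SDK: a direct ID compare accepts anything that returns the right constant, while a check built on the dongle's seed feature requires correct answers to challenges chosen at run time. All names here (SimulatedDongle, FixedReplyDevice, build_table, compare_check, authenticate) are hypothetical, and HMAC-SHA256 is an assumed stand-in for whatever onboard algorithm the real dongle provides.

```python
import hashlib
import hmac
import secrets

class SimulatedDongle:
    """Hypothetical stand-in for a dongle with an onboard seed algorithm."""
    def __init__(self, key: bytes, dongle_id: bytes):
        self._key = key              # on real hardware this never leaves the device
        self._id = dongle_id

    def read_id(self) -> bytes:
        return self._id

    def seed(self, challenge: bytes) -> bytes:
        # Keyed checksum of the challenge, computed "on the device"
        return hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]

class FixedReplyDevice:
    """Constructed test double: always returns one previously seen ID and reply."""
    def __init__(self, dongle_id: bytes, reply: bytes):
        self._id, self._reply = dongle_id, reply

    def read_id(self) -> bytes:
        return self._id

    def seed(self, challenge: bytes) -> bytes:
        return self._reply

def build_table(dongle, entries: int = 16):
    """Vendor build step: store challenges with a hash of each expected reply."""
    table = []
    for _ in range(entries):
        challenge = secrets.token_bytes(16)
        table.append((challenge, hashlib.sha256(dongle.seed(challenge)).digest()))
    return table

def compare_check(device, expected_id: bytes) -> bool:
    """Weak: a direct compare against a constant stored in the program."""
    return device.read_id() == expected_id

def authenticate(device, table, rounds: int = 3) -> bool:
    """Stronger: several randomly chosen challenges must all verify."""
    ok = True
    for challenge, expected in secrets.SystemRandom().sample(table, rounds):
        reply_hash = hashlib.sha256(device.seed(challenge)).digest()
        ok &= hmac.compare_digest(reply_hash, expected)   # no early exit
    return ok
```

The table shipped with the program is finite, so this raises the cost of imitating the dongle rather than making it impossible; regenerating the table for each version fits the advice above about changing the protection strategy between releases.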