保护Winform应用程序/ Sql数据库免受复制

Question

I am using c# (VS2010 FrameWork:v4.0) and SqlServer 2012 to build an application. I searched online to find ways to prevent copying this system and I thought the only part that needs to be protected from copying is the database.

I would like you to provide me with some advises about the issue. And I need answers/opinions about the following :

1. Do I need to protect also the application (executive file) from copying with the database? If yes, does this mean I have to provide the user with a new copy to install it if the user looses the application files?

2. One Idea I have in my mind to protect the DB is to save some passwords/keys in DB (in the form of varbinary ) and when the device is logged in (runs the app) the application checks for (the MAC address ) of the device if it is not saved then the app asks for a key. once the key is used, the device mac address is saved with the key. Is this a right thing to do? is there any advice about it?

3. If I need to protect the app part from copying, is there any idea how to do it?

4. I have also read about installing SQLExpress on client PC and That should protect the DB files from manipulation, so I have to provide a way to upgrade/ update DB scripts in the future rather than replacing client's DB with a new one. And I thought to provide a form in the app protected by a password, and I can write a script in a textbox in the form (__For Example: Alter Proc_ ...), and Save it. Can I do this? or would that be a stupid thing to do?

Thanks in advance

Answer 1

You cannot. Any claim to the contrary is snake oil.

The only way to protect your application is to offer it as a service, hosted on hosts you own/control.

To find a way to prevent user from using APP+DB without my permission(for example registering using keys)

It is possible to create licensing schemes where the application runs only on the designated hardware. Your application takes the host fingerprint (eg. net MAC), uploads it to a service you host, you sign the fingerprint with a private key and provide the signature to the application, then the application validates the fingerprint signature using the embedded public key and runs the application. While this sounds doable, there is a number of ways this can and often does go wrong. Users change the fingerprint frequently (eg. hardware update). Fingerprints are difficult to enforce on virtualized environments (VMs can edit their MAC). It is very difficult to harden application code against a moderate hacker willing to attack and bypass your protection, and basically impossible to harden it against a skilled hacker.

But you have also asked about the database and tagged the question sql-server . To that part I can only double down on my previous answer: It is impossible to protect a database against being accessed and/or modified by a on-site administrator, at will. There are secure ways to audit access and modifications to the database, so you can prove tampering and act accordingly (refuse support or charge extra). But you cannot prevent it.

Ultimately what you're asking for is DRM .