How to restrict Chrome Apps to only work on specific computers?

Question

I'm developing a POS Client using Chrome (packaged) Apps. It will run locally on the installed computers and interact with the server via web service. This app should only run on specific computers at the stores.

I know I can go to each store and install the .crx file in which case I don't have to publish the app to Chrome Web Store. However, I want it to be published to Chrome Web Store so that I can take advantage of its auto-updating feature.

What should I do to make sure that the app can only run at the stores' computers? (I can go the the stores and setup anything needed at the first installation).

Options I have thought of:

1. Create some secret key and enter it to the app at the first time of running.
2. Build a small tool (winforms application) to generate time-based tokens and install it on the computers. The staff will need to enter the token each time opening the app.

Any better idea how to accomplish this?

Answer 1

You said the app needs to talk to a web service to work. That's the key to a simple approach. (Assume you don't care whether the staff acquires a nonfunctional copy of the client app.)

• At startup, app checks for existence of a validation of some kind stored in chrome.storage.local. If it exists, startup continues.
• If the validation is missing, the app checks for existence of a GUID stored in chrome.storage.local.
• If the GUID is missing, generate and store one using something like window.crypto.getRandomValues().
• Ask the server for a validation by sending the GUID and getting a response.
• If a validation comes back, save it in chrome.storage.local and go back to the start of this sequence.
• Otherwise tell the user to get lost.

A full-strength version of this approach would have some additional features:

• Use an HMAC(GUID, secret) for the validation. I'm assuming the staff aren't tech superstars, so something simple like a boolean would probably suffice.
• Optionally add a per-launch step that sends up the GUID and validation and confirms it's still valid each time.
• When the validation is requested, you might prompt for the secret key you mentioned in your question. In normal cases this would be needed only at provisioning time.
• In case you haven't figured it out yet, the server is now acting like a simple licensing server, so it's up to you to decide how to decide whether the validation request succeeds. Maybe it allows only N validations to exist at once, or after you're done provisioning you hardcode future validations to fail. Maybe it limits validation requests to certain IP addresses. You get to choose.

That's the gist. It's a simple DRM system that is easier to manage than the enter-secret-at-installation method, but that won't withstand an attack of more than 30 minutes (since a smart attacker will just inject another machine's GUID and HMAC validation into the duplicate machine's chrome.storage.local).