In AIR 3.0, Adobe released a new feature called Native Extensions. Native extensions are a special .ANE file you include in your AIR project that contains both ActionScript and .DLL/.framework code. At NitroLM, we’ve been waiting for a feature like this for a number of years. Our current C/C++ client library is our most secure and preferred method of talking to our license servers. This Native Extension functionality from Adobe has allowed us to make Adobe AIR a first-class citizen of our ecosystem along with Java, .NET, and C/C++ applications.
While the primary focus of our ANE is on delivering a world-class software licensing and payment solution, we recognize that some people may already have an existing system in place. For those people, we offer black-box encryption capabilities that don’t require our licensing server. You can encrypt your .swf modules using our proprietary algorithms and decrypt and load safely inside native code at runtime. Decrypted module bytes are never exposed to the player where an attacker can get at them. The black-box encryption capabilities will be provided as a $100/year/developer license.
Watch this sneak peek video for an example of our fully-licensed encryption/decryption capabilities.
Every once in a while, we talk to people who discover a cryptography library in their chosen language and think it is the magic answer to gaining code “security”. They go about applying block ciphers to important data without really understanding what those ciphers do and do not protect.
Like any good business, we like to keep an eye on what our competitors are doing in the security space. Yesterday, a new one showed up on the internet and I was asked to take a look at it by our marketing team. My internal reviews of competitor products help our marketing team compare and contrast our products and approaches to security. They’re often asked pointed questions by potential customers and they like to be prepared with accurate answers. Often, we don’t occupy the same segment of the market or have a completely different approach to solving security problems. Sometimes, reviewing a competitor’s product shows some gap in our own features or functionality. In this sense, we improve, our competitors improve, and the customer wins. This is largely what good capitalism is all about.
However, yesterday, I was utterly disgusted by the product I reviewed. Their library could be completely decompiled. Their algorithms for communicating with the server were plainly visible. Their license was a simple XML block that was encrypted using a simple block cipher. All communication was done over HTTP, and the encryption key was the exact same key used to validate a product. In order to validate a product, you were sending the key over an HTTP GET request completely in the clear.
This really highlights the problem with encryption. Too many people view it as a black box and think it will magically increase security. Employed in the wrong way, it does no such thing. If you don’t protect your keys, if you send secret information in the clear across HTTP, or if you don’t protect the source code handling all of your magic algorithms, you’re asking for problems. In that situation you’re usually no better off with a modern encryption algorithm than with a simple Caesar cipher.
In Nitro-LM, we make sure we protect our communication library with either native code or internal code-hiding algorithms that defeat decompilers. We communicate over HTTP, but encrypt all traffic using RSA public/private keys to ensure that ONLY the receiver can read the data. Underneath that top level of security, our license and all of our license data is encrypted between 5 and 10 times with randomized algorithms, keys, and proprietary key-hiding techniques. We instruct our customers on proper key-hiding techniques and how to communicate in a secure fashion with our servers. By utilizing data contained in the license, they can further protect themselves from someone being able to operate their software in a hacked manner.
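The two designs contrasted above, as an added illustration that is not code from Nitro-LM or from the product under review: the weak design puts the validation secret in the query string of a plain HTTP GET, so anyone on the path (a proxy, an access log, a packet capture) reads it back with a URL parser; the hardened design encrypts the same payload to the server’s RSA public key (RSA-OAEP with SHA-256 here, an assumed choice of padding) so that the bytes still cross plain HTTP but only the private-key holder can recover them. The key, host name and payload format are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample value, not real license data: in the weak design this one
// string is both the encryption key and the secret used to validate a product.
const sampleKey = "PRODKEY-1234-5678-ABCD"

// weakValidateURL builds the request the post criticises: the secret travels in
// the query string of a cleartext HTTP GET.
func weakValidateURL(host, key string) string {
	q := url.Values{}
	q.Set("key", key)
	return "http://" + host + "/validate?" + q.Encode()
}

// observedKey is what any on-path party can read out of the request line
// without doing any cryptanalysis at all.
func observedKey(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Query().Get("key"), nil
}

// hardenedRequest encrypts the same payload with the server's RSA public key
// (RSA-OAEP, SHA-256). RSA-OAEP only fits a short payload; real traffic would
// wrap a symmetric session key this way and encrypt the bulk data with it.
func hardenedRequest(pub *rsa.PublicKey, key string) ([]byte, error) {
	payload := []byte("key=" + key)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, payload, nil)
}

// serverDecrypt is the receiver's side: only the private key recovers the secret.
func serverDecrypt(priv *rsa.PrivateKey, ciphertext []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
	if err != nil {
		return "", err
	}
	return strings.TrimPrefix(string(plain), "key="), nil
}

// leaksSecret reports whether the secret appears verbatim in what an observer sees.
func leaksSecret(observed []byte, secret string) bool {
	return strings.Contains(string(observed), secret)
}

// roundTrip runs both designs and reports what an observer learns from each and
// whether the server could still read the hardened request.
type result struct {
	WeakLeaks, HardenedLeaks, ServerRecovered bool
}

func roundTrip() (result, error) {
	var r result
	weak := weakValidateURL("license.example.invalid", sampleKey)
	k, err := observedKey(weak)
	if err != nil {
		return r, err
	}
	r.WeakLeaks = k == sampleKey && leaksSecret([]byte(weak), sampleKey)

	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	ct, err := hardenedRequest(&priv.PublicKey, sampleKey)
	if err != nil {
		return r, err
	}
	r.HardenedLeaks = leaksSecret(ct, sampleKey)
	got, err := serverDecrypt(priv, ct)
	if err != nil {
		return r, err
	}
	r.ServerRecovered = got == sampleKey
	return r, nil
}

func main() {
	r, err := roundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("weak GET leaks key: %v, RSA-OAEP request leaks key: %v, server recovered: %v\n",
		r.WeakLeaks, r.HardenedLeaks, r.ServerRecovered)
}
```

The point the block makes is the one the post makes: the block cipher in the weak product was not the problem, the key handling was. Note that encrypting the request body only protects confidentiality in transit; the public key embedded in a client is still readable, and that is what the native-code and key-hiding measures in the same paragraph are for.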
Encryption in itself is not a silver bullet. Encryption plus knowledge and proper key protection can be a winning combination.
Roughly a year ago we announced a hosted encryption service called Nitro-LM “Lite” at the 360|Flex Conference in Indianapolis, IN. Nitro-LM “Lite” was designed to provide a cost-effective solution for asymmetric encryption of Flex/AIR applications without the need for a full License Client interface to be implemented in the application. It was designed to be an inexpensive service ($500/year for unlimited client users), very easy to implement, and a seamless process for delivery, while remaining unintrusive for end-users (customers).
Unfortunately, the demand for the service has not exceeded the cost of managing it. As a result, we have decided to maintain the service until December 31, 2010, after which the service will be disabled. We are making this announcement now so that existing customers using the service have enough time to prepare for a migration to an alternative Nitro-LM hosted service offering, or to find or create an alternative method to address their security needs for Flex/AIR.
Note: The discontinuation of Nitro-LM “Lite” does not mean that our support for Adobe Flex/AIR is being dropped from Nitro-LM. Nitro-LM can still be used for Adobe Flex/AIR Applications via our FREE, Standard and Enterprise Licensing Service Options.
In the latest release of Nitro-LM Administrator (6.0.0025), we’ve added custom SMTP server support. This allows you to brand the license experience and send e-mails through your own servers instead of e-mails appearing to come from @nitromation.com. In this post, I’ll walk you through using a gmail account to brand your license experience.
The first step is to create a gmail account. This can be either a free gmail account or a corporate gmail account. If it’s the free version, e-mail headers will still contain something about being sent via gmail when your users read them. However, not all e-mail readers display this information by default. In our example here, we’ll be using a free gmail account.
After creating a gmail account (in this example, firstname.lastname@example.org), I next set up the e-mail I want to send as on my hosting provider. If you’re using corporate gmail, you can skip this step because your hosting provider for e-mail IS gmail. This will ensure that any replies to e-mails sent out by Nitro-LM get back into my gmail account.
After setting up this forward, I need to allow my gmail account to send messages as support @ swiftgps.com. This new send-as ability can be set up in the Settings area of the gmail account.
If you have an SMTP server that can be accessed from the Internet and know all of its settings and configuration, you might try the second option. Otherwise, just choose Send through Gmail.
After you verify that you’re allowed to send mail through the other account, go ahead and set it as the default e-mail account.
Finally, in Nitro-LM Administrator, set up the e-mail settings for this gmail account under the Email Templates menu option. For gmail, make sure you turn on TLS encryption and use either port 465 or 587. Then send a test e-mail to ensure that everything is set up properly. Make sure you receive this e-mail before saving your SMTP settings.
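As an added, stand-alone way to check the same SMTP settings before entering them in the Administrator (this is example code, not part of Nitro-LM), the following Go program sends one test message through smtp.gmail.com using the two TLS modes behind the ports named above: port 465 is TLS from the first byte, port 587 starts in cleartext and upgrades with STARTTLS. Any other port is refused rather than silently sending credentials unencrypted, and the certificate is verified against the host name. Credentials, the send-as address and the recipient are read from environment variables that this example defines (GMAIL_USER, GMAIL_PASS, SEND_AS, SEND_TO, SMTP_PORT).

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/smtp"
	"os"
	"strconv"
	"strings"
)

const gmailHost = "smtp.gmail.com"

// tlsMode maps the two ports the post names to how TLS is negotiated on them.
// Anything else is rejected: the PLAIN password must never cross the wire in clear.
func tlsMode(port int) (string, error) {
	switch port {
	case 465:
		return "implicit", nil
	case 587:
		return "starttls", nil
	default:
		return "", fmt.Errorf("port %d: refusing to send credentials without TLS", port)
	}
}

// buildMessage assembles the RFC 5322 headers and body of the test e-mail.
// The From header carries the verified send-as address, not the gmail login.
func buildMessage(from, to, subject, body string) []byte {
	var b strings.Builder
	fmt.Fprintf(&b, "From: %s\r\nTo: %s\r\nSubject: %s\r\n", from, to, subject)
	b.WriteString("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n")
	b.WriteString(body)
	b.WriteString("\r\n")
	return []byte(b.String())
}

// newClient opens an SMTP session with certificate verification enabled,
// choosing implicit TLS or STARTTLS according to the port.
func newClient(port int) (*smtp.Client, error) {
	mode, err := tlsMode(port)
	if err != nil {
		return nil, err
	}
	addr := net.JoinHostPort(gmailHost, strconv.Itoa(port))
	cfg := &tls.Config{ServerName: gmailHost, MinVersion: tls.VersionTLS12}
	if mode == "implicit" {
		conn, err := tls.Dial("tcp", addr, cfg)
		if err != nil {
			return nil, err
		}
		return smtp.NewClient(conn, gmailHost)
	}
	c, err := smtp.Dial(addr)
	if err != nil {
		return nil, err
	}
	if err := c.StartTLS(cfg); err != nil {
		c.Close()
		return nil, err
	}
	return c, nil
}

// sendTestMail authenticates as the gmail account and sends one message from
// the send-as address. smtp.PlainAuth itself also refuses non-TLS connections.
func sendTestMail(port int, username, password, from, to string) error {
	c, err := newClient(port)
	if err != nil {
		return err
	}
	defer c.Close()
	if err := c.Auth(smtp.PlainAuth("", username, password, gmailHost)); err != nil {
		return err
	}
	if err := c.Mail(from); err != nil {
		return err
	}
	if err := c.Rcpt(to); err != nil {
		return err
	}
	w, err := c.Data()
	if err != nil {
		return err
	}
	msg := buildMessage(from, to, "Nitro-LM SMTP test", "If you can read this, the SMTP settings work.")
	if _, err := w.Write(msg); err != nil {
		return err
	}
	if err := w.Close(); err != nil {
		return err
	}
	return c.Quit()
}

func main() {
	port, _ := strconv.Atoi(os.Getenv("SMTP_PORT")) // 465 or 587
	err := sendTestMail(port, os.Getenv("GMAIL_USER"), os.Getenv("GMAIL_PASS"),
		os.Getenv("SEND_AS"), os.Getenv("SEND_TO"))
	if err != nil {
		fmt.Println("send failed:", err)
		os.Exit(1)
	}
	fmt.Println("test message accepted by", gmailHost)
}
```

If the message arrives, the same host, port, TLS setting and credentials can be entered in the Administrator with confidence; if it fails on port 587 but works on 465 (or the reverse), the error usually points at a firewall or a TLS-mode mismatch rather than at the account.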
And there you have it. Now whenever e-mails are sent from Nitro-LM, they will appear to be coming from support @ swiftgps.com. Another advantage of this approach is that when users register for your software and mistype their e-mail addresses, the bounce messages will show up in this gmail account so you can assist users with the registration process.
We’ve often said that licensing is one of the first experiences your customers will have of your software. You want to make sure that the licensing experience is seamless, painless, and leaves a good impression. You also want to ensure that you control the branding of your software from start to finish, and that includes licensing.
What will the user’s experience be if they register for your software and have to confirm their account by clicking a link in an e-mail that came from some third-party company? They don’t know that company, they didn’t sign up to do business with that company, they just want to use YOUR software.
In Nitro-LM, we have a feature called E-mail templates. This allows you to customize the e-mails received by your users from the licensing system so that they can be branded with your logos and communicate as you see fit. With the upcoming release of the Admin tool, we’ve added some additional functionality and made these templates very easy to customize.
The new menu option is called Email Templates and launches a new screen to allow you to customize and edit templates for your company.
You can edit the HTML email templates and drag/drop variables so they can be inserted into the outgoing message by the server. The other major new feature we’ve added allows you to specify your own custom SMTP server so that any e-mails sent out by Nitro-LM are truly coming from your company to your end users.
The Preview tab allows you to see what the e-mails you send out will look like. This new email template functionality allows you to take the branding experience for licensing to the next level.
Nitro-LM’s Administrative GUI has been the primary interface for common administrative functions such as creating new customers, associating products/licenses to customers, moving and setting license variables, etc… While the existing Administrative GUI is very easy to use and provides a great administrative experience, many software developers need the ability to automate Nitro-LM’s administrative functions within their own business process(es).
Shopping Carts and More…
Today, software developers are looking for ways to reduce internal complexity while streamlining their customer purchase and licensing experiences. This is most evident for those who are selling software online via a shopping cart style of store, delivering software as a service, or wanting a deeper integration with existing CRM (Customer Relationship Management) and ERP (Enterprise Resource Management) systems. Fundamentally, they need a customizable and seamless process for license fulfillment triggered by an order receipt or payment event.
The Nitro-LM SOAP API can be integrated with any development platform or shopping cart implementation that allows for customizing the order process. This reduces back end complexity while improving customer satisfaction and service.
Remote Creation, Management and Control…
With the Nitro-LM SOAP API, software development companies can automate new purchases, renewals, and account maintenance of existing purchases with ease. Here are a few of the capabilities:
- New User Registration
- New User Confirmation
- New Customer Creation
- Create/Manage Customer License Pools
- Create/Manage Customer/Product/License Associations
- Create/Manage Customer/Variable Associations (software feature level controls and reporting)
- Reset Customer/End-User Passwords
- Retrieve Paid-To Reports (internal review and/or customer account review purposes)
- and much more…
Nitro-LM’s SOAP API enables software developers to easily present a consistent corporate view of their online store and customer self-service account/licensing interface without the overhead of developing internally redundant systems.
More information about this exciting new development can be found in the Nitro-LM SOAP API documentation.
A lot has been happening with the Nitro-LM team lately. We’ve been working hard to bring you new communication mechanisms and API interfaces as well as updating some of our example code.
New Google Group – We’ve launched a new Nitro-LM Google group to aid in support. This group helps us answer questions in a more transparent manner. It also saves us the trouble of having to answer common questions 50 times via e-mail.
Updated Demo for Nitro-LM Standard/Enterprise – We’ve updated the demo application to include some features such as forgotten password resets, password changes, and manual decryption of assets. Visit the Google group to find download links for this.
Administrator SOAP API – Currently, administrative tasks such as creating new companies, license pools, and moving licenses around require that you use our Admin tool AIR app for Nitro-LM. While this works well for most situations, we realize that some operating in an e-commerce environment need to automate many of these processes so that their customers can get a license immediately after payment. We’re about 1 month away from delivering this SOAP API to all Nitro-LM customers and trial users.
Where would you like to see us go next?
The short screencast above gives an overview of what Library Keys are and how they are used and set up in Nitro-LM.
After the firestorm of web traffic we got from the previous post on How to Hack an AIR App SWF, I thought I’d pass this link on to our readers. David Wolever has done a bit of SWC file hacking to modify a private method to make it protected.
Even though this hack is extremely useful and a very “white-hat” endeavor, it does highlight what’s possible when working with open file formats and virtual runtime environments like the Flash Player.
Disclaimer – Simplified Logic respects intellectual property rights and in no way supports using hacked or cracked software. What follows is simply an educational exercise with the intent of highlighting the security dangers of releasing unprotected software in virtual machine environments such as the Adobe Flash Player.
It’s fairly common for me to see comments on blogs and forums playing down the security risk from decompiling software. They say things like “Source code isn’t intellectual property”, or “Nothing is 100% secure, so why bother with protection?”. While it’s true that in virtual machine environments NOTHING is 100% secure, there can be great value in taking some measures to protect your software. Many companies’ approaches to software security are akin to the Jeff Foxworthy comedy bit about putting the house keys under the mat with a sign on the front door saying “The key is under the mat…” Your only hope is a blind burglar (listen at 20:25 into the clip).