Apriorit Testing Team

Procedure and check-list for Licensing testing

Posted on 2010-Feb-8 at 03:12 in Common testing techniques

Written by:
Viktoria Paschenko,
Junior Tester of Apriorit Inc.
http://www.apriorit.com

The licensing mechanism is a very important part of a commercial product. Proper testing of it prevents unauthorized use of your intellectual property.

This article gives a brief description of software licensing types and protection tools, with notes on what deserves more attention.

What is licensing and what is it for?

Software, like other objects of intellectual property such as musical and literary works, is protected from unauthorized copying by copyright laws. These laws give the software publisher certain exclusive rights, one of which is the right to produce copies of the software.

When buying software, the user actually buys a license that grants the right to use it. The terms and conditions of use (for example, the possibility to move it to another PC or to use previous versions) are fixed in the agreement that accompanies the software delivery. The most widespread is the EULA (End User License Agreement). The EULA is a contract between the user and the software publisher that describes the permitted ways of using the software and the limitations on it.

The agreement can:

  • Describe what changes the user can make to the product
  • Limit the user’s right to copy the product
  • Allow the user to transfer the product or install it on a portable PC
  • Indicate whether the user can update the product
  • Provide the user with special rights for network use of the product.

Usually the EULA is provided in digital form and is shown on the first start of the product. The user should agree to its terms before the product installation.

By buying a license, the user in fact also gets additional services from the publisher, such as free technical support, updates and others.

All licenses are divided into two big groups: free software and proprietary software. There are also different types depending on the number of licensed copies (individual, volume, enterprise licenses etc.), the volume of additional services (standard, ultimate etc.), and the type of object the license is applied to (per user, per machine, per server etc.).

 

Software protection tools

Software protection methods can be divided into software-based and hardware-based. Software-based methods do not rely on the physical properties of data storage media, special hardware etc. Hardware-based methods use specific hardware (e.g. electronic keys connected to the computer ports) or physical peculiarities of the storage media (CDs, floppy disks) to identify the original software copy and protect the product from illegal use.

An electronic key (hardware key, dongle) is a hardware tool intended to protect software from copying, illegal use and unauthorized distribution.

Generally, a hardware key is a microchip or microcontroller with its own unique algorithms. The keys are often plugged in via USB or LPT interfaces.

The key is plugged into a certain computer interface. The protected program then sends data to it by means of a special driver. This data is processed in accordance with the specified algorithm and returned. If the key’s response is correct, the program continues working; otherwise it can perform any actions implemented by the developers, for example switch to demonstration mode or block access to some features.

Special digital keys are used to protect network software. A single key is enough to protect and license a network product (limiting the number of program copies running in the network). This key is installed on any workstation or network server.

Serial number or license key. Usually it is a text string (but it can be a file) with a specific structure. This key is provided to the customer together with the program (for example in the box package) or separately. Just after the installation, the program asks the user to enter the key (or provide the path to the key file) and checks the authenticity of the key against certain criteria.

Depending on the check method, we can name the following license key types:

Standard key/serial number. In this case the program checks the key provided by the user against several conditions, for example: the key should contain 25 characters, 12 of them digits and 13 letters, the sum of the digits should equal 60, and the sum of the numeric equivalents of the letters should equal 100. If this approach is used on its own (without additional security measures such as activation via the Internet), the same key can be used to install the program on other computers.

Key tied to the serial numbers of the computer hardware components. As a rule, the vendor uses a mechanism in which the user fills in a survey on the vendor’s site and sends a specific computer identifier (hardware ID) to the same site. The key is generated from this hardware ID. Usually the key contains encrypted information about the user, the product, the number of licenses etc.

If the user upgrades the computer, the protection fails. The authors of many programs protected by a hardware reference are ready to provide the user with a new key. Besides the hardware ID, the vendor can also use the serial number of the hard drive, the MAC address of the network card, the BIOS checksum and other system properties.

Activation via the Internet. Here a unique product serial number is used. When the user installs the application, it asks for the serial number and then establishes an Internet connection with the vendor’s system to check whether the provided serial number is in the list of valid numbers.

License server. This is a specialized server application or a hardware-software system that centralizes license management. Under heavy load, a separate physical server can be dedicated to the license server. The license server stores all licenses bought for the specified number of product copies and provides a license at each program start.

Licensing check-list and testing guidelines

When you start working on licensing tests, you should first of all determine which scheme you have, i.e. which protection tools are used and in what combinations.

Let’s consider the simplest and most widespread licensing schemes: with a text key, with a key file and with a hardware key. More complicated schemes are partial intersections of the following sets or are specific to each individual product.

Text key

A trial period is often present in this scheme. We’ll consider the check-list that includes it, as it is more complicated; for a scheme without a trial period some tests are simply omitted.

It is recommended to check:

- limitations of the application functionality (if there are any during the trial period) and, correspondingly, availability of the full functionality after successful licensing.

- the possibility of licensing during the trial period

- application response to the input of incorrect registration data (if the key consists of several fields, you should make a separate test for each of them):

a. Key is corrupted

b. Key is absent

c. Key is typed in the wrong case

d. Key contains extra characters at the end and/or at the beginning

- application response to the input of correct registration data

- application response to the input of registration data issued for previous versions of the tested application

- unlicensed application behavior after it has been reinstalled during the trial period

- application behavior after the trial period is over

- unlicensed application behavior after it has been reinstalled after the trial period is over

- application response to the system time being changed forward/backward (the most important thing here is that the trial period stays correct). Take into account that the system time should be changed in the BIOS, because a change made in the operating system does not have much effect.

- the possibility to register the application after the trial period is over.

- application behavior after the registration data has been deleted, for example from the registry (usually deletion of this data is disabled after registration).

- licensed application behavior after it has been reinstalled.
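The incorrect-input items of this check-list can be written as a data-driven test against the "standard key" rule set quoted earlier. This is an added example, not Apriorit's code or any product's real scheme; the letter values (A=1 … Z=26), the upper-case-only and no-trimming policy, the reason strings and the sample key are assumptions made for illustration.

```python
import string

# Rule set quoted in the article for a "standard key"
KEY_LENGTH, DIGITS, LETTERS = 25, 12, 13
DIGIT_SUM, LETTER_SUM = 60, 100
ALLOWED = string.ascii_uppercase + string.digits  # assumption: upper case only

def check_key(key):
    """Return 'ok' or the reason the key is rejected."""
    if not key:
        return "absent"
    if len(key) != KEY_LENGTH:  # assumption: no trimming, stray characters fail
        return "bad length"
    if any(c not in ALLOWED for c in key):
        return "bad character"
    digits = [int(c) for c in key if c in string.digits]
    # assumption: numeric equivalent of a letter is A=1 ... Z=26
    letters = [ord(c) - ord("A") + 1 for c in key if c in string.ascii_uppercase]
    if len(digits) != DIGITS or len(letters) != LETTERS:
        return "bad composition"
    if sum(digits) != DIGIT_SUM or sum(letters) != LETTER_SUM:
        return "bad checksum"
    return "ok"

# Constructed sample key: nine H (8) + four G (7) = 100, twelve 5s = 60
VALID = "H5" * 9 + "G5" * 3 + "G"

# Check-list item -> (input, expected result)
CASES = {
    "correct key": (VALID, "ok"),
    "a. corrupted, one letter changed": ("J" + VALID[1:], "bad checksum"),
    "a. corrupted, letter replaced by digit": ("5" + VALID[1:], "bad composition"),
    "a. corrupted, truncated": (VALID[:-1], "bad length"),
    "b. absent": ("", "absent"),
    "c. wrong case": (VALID.lower(), "bad character"),
    "d. extra character at the end": (VALID + " ", "bad length"),
    "d. extra character at the beginning": (" " + VALID, "bad length"),
}

def run_checklist():
    """Return {case name: (actual, expected)} for every check-list input."""
    return {name: (check_key(key), want) for name, (key, want) in CASES.items()}

if __name__ == "__main__":
    for name, (got, want) in run_checklist().items():
        print(f"{'PASS' if got == want else 'FAIL'}  {name}: {got}")
```

Nothing in `check_key` ties the key to a machine or a server-side record, which is why the article notes that a key of this type also installs on other computers.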

Key file

Here you should pay attention to the following aspects:

- Using a file with the correct name but incorrect content, and vice versa.

- Starting the application after the file was deleted.

- Saving the file while the application is being reinstalled.

- Application behavior after the file has been replaced:

a. correct -> incorrect,

b. correct -> correct,

c. incorrect -> correct,

d. incorrect -> incorrect.

Hardware key

We should check:

- Application functioning when the special software for the hardware key is not installed.

- Application functioning without the hardware key.

- Unplugging the hardware key while the application is running (two situations should be taken into account here: the application has some process running, and the application is in standby mode):

a. Permissible waiting time for the key to be plugged in.

b. Correct application behavior after the unplugged key is returned.

c. Correct application behavior if the waiting time is over and the key was not plugged in.

- Application functioning when other devices similar to the hardware key are plugged in (for example, if the key is a USB device, it is good to check how it works together with a flash drive).

General aspects

Frequently it is required to count down not only the trial time but also the number of program starts during the trial period. Here it is important to verify that once the number of allowed starts is used up, the trial period ends too, regardless of the actual number of trial days left.
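A small reference model makes the expected results of the trial tests explicit: days and starts are counted together, and a backward clock change is flagged instead of extending the trial. This is an added example, not code from the article or from any product; the state fields, the limits (30 days, 20 starts), the 5-minute clock slack and the assumption that the state record survives reinstallation are all illustrative.

```python
from dataclasses import dataclass

DAY = 86400          # seconds
CLOCK_SLACK = 300    # assumption: tolerate small backward clock corrections

@dataclass
class TrialState:
    first_run: float        # clock value at the first start
    last_seen: float        # highest clock value observed so far
    launches: int = 0
    tampered: bool = False

def on_launch(state, now, max_days=30, max_launches=20):
    """Record one program start; return 'active', 'expired' or 'tampered'."""
    if now < state.last_seen - CLOCK_SLACK:   # system time was moved backward
        state.tampered = True
    state.last_seen = max(state.last_seen, now)  # never let the clock run back
    state.launches += 1
    if state.tampered:
        return "tampered"
    days_used = (state.last_seen - state.first_run) / DAY
    # The trial ends on whichever limit is reached first
    if days_used >= max_days or state.launches > max_launches:
        return "expired"
    return "active"

def simulate(launch_times, **limits):
    """Replay constructed start times (in seconds) and return each status."""
    state = TrialState(first_run=launch_times[0], last_seen=launch_times[0])
    return [on_launch(state, t, **limits) for t in launch_times]

if __name__ == "__main__":
    print(simulate([0, 1, 2, 3], max_launches=3))   # starts run out on day 0
    print(simulate([0, 40 * DAY, 2 * DAY]))         # forward, then back
```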

Most software products show registration information in the About form (usually opened via the About menu item). We should check that this information is present and correct for any licensing scheme in every state.

If a HardwareID is used in the registration process, it makes sense to try supplying the HardwareID of another computer.

 

Conclusion

 

When testing licensing, you should not forget to check some main things:

  • the trial period finishes correctly (if it is present);
  • the user cannot use the program after the trial period is over without licensing;
  • the limitations of functionality in the demo version;
  • the user cannot renew the trial period by changing the system time or reinstalling the program;
  • the user cannot license the program with incorrect data.

Correctly working licensing is a guarantee of proper protection of your product. Don’t spare resources on protecting your program from unauthorized use.

Remember that for this type of testing in particular it is not enough just to check that the licensing mechanism functions correctly. The tester should think like a user and try to hack the existing protection by any means. Only this approach gives some confidence in the reliability of the licensing.

Let your products be of high quality!

