Clock Tampering
Protecting your application's licensing system from an end-user changing their local system time,
or "clock tampering", on an offline device can be a tough battle. As you might imagine, it's a
hard problem. Since the device is offline, there's not much one can do to prevent a user from tampering
with or "spoofing" the device's clock to set it in the past, because whatever the device says the time
is, frankly, is the time.
There's no concept of a "correct" time for an offline device, since it can't sync to an NTP server
to get the real world time. What it has is correct, at least to the device itself, and as such,
it's correct for other uses as well, like licensing.
To properly defend against system clock tampering, you would need to periodically validate the license
using our API. We don't offer anti-clock-manipulation tools for offline use — that would need to be
handled outside of Keygen in your own application code.
In general, defending against system clock tampering is a tough problem — much like defending against
other types of cracking/tampering — because it’s relying on an "untrusted" value of the system —
the clock.
We've seen companies occasionally write an inconspicuous config or log file to disk and then periodically
check the file's created (and modified) timestamps to loosely keep track of the clock, updating the
modified-at value each time the file is checked. If the file's timestamp is ever more than a couple of
hours in the future relative to the current clock (the slack accounts for daylight saving time), then it
may be safe to assume that the clock has been tampered with. You can also do the same by writing a
timestamp to a secure system registry, for example.
Alternatively, a simpler solution would be to always ensure that the system clock is at least greater
than the license's created timestamp. Or even more simply: require your software be periodically
connected to the internet to fully revalidate via the API.
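The two offline heuristics above (a recorded "last seen" timestamp that must never sit more than a couple of hours ahead of the current clock, and a clock that must never fall before the license's created timestamp) as an added example; this is illustrative code, not Keygen's SDK. It stores the last-seen value inside the file's contents rather than relying on filesystem metadata, and the `state_path`, `TOLERANCE` and function names are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Slack for daylight-saving shifts and small clock corrections (assumed value,
# matching the "couple hours" mentioned in the text).
TOLERANCE = timedelta(hours=2)


def check_clock(now, last_seen, license_created, tolerance=TOLERANCE):
    """Offline clock-tamper heuristic. All arguments are tz-aware datetimes;
    `now` is the untrusted local clock, `last_seen` the value recorded at the
    previous check (None on first run), `license_created` comes from the
    license record. Returns (ok, reason)."""
    if now < license_created:
        return False, "clock is earlier than the license's created timestamp"
    if last_seen is not None and last_seen - now > tolerance:
        return False, "recorded timestamp is in the future: clock moved backwards"
    return True, "ok"


def check_and_record(state_path, now, license_created, tolerance=TOLERANCE):
    """File-backed version: loads the previously recorded timestamp from
    state_path, runs the check, and on success advances the record.
    The record is a high-water mark: it is never moved backwards, so a
    within-tolerance dip (DST) or a failed check cannot lower it."""
    path = Path(state_path)
    last_seen = None
    if path.exists():
        last_seen = datetime.fromisoformat(json.loads(path.read_text())["last_seen"])
    ok, reason = check_clock(now, last_seen, license_created, tolerance)
    if ok:
        mark = now if last_seen is None else max(now, last_seen)
        path.write_text(json.dumps({"last_seen": mark.isoformat()}))
    return ok, reason


if __name__ == "__main__":
    # Constructed sample: license created on 2024-01-01, device clock read today.
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(check_and_record("clock-state.json", datetime.now(timezone.utc), created))
```

A real deployment would hide the state file and still revalidate against the API whenever the device is online, since the file is as writable by the user as the clock is.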
No offline-only solution will be 100% effective. When it comes to a licensing implementation, the only
thing you can fully "trust" is our API, which is verifiable using cryptographic signatures. Everything
else should be considered untrusted.
As such, the only way to know if a license is truly valid is to validate the key using our API,
because our API is the only trusted source for this information.