I am currently developing simple apps (in Actionsript 3 if that's relevant), and I wanted to build in a simple registration system, based on an XML file (which would be generated by a PHP script) which would enable my files to 'expire' after a certain date.
To me, this system looks right, but I would like the input of experts in case I missed something obvious - or I got it totally wrong.
Based on what I read on stackoverflow and other sites, I came up with the following XML structure:
<LICENSE>
<NAME>Joe Cool</NAME>
<COMPANY>Doggy Dogdog</COMPANY>
<APP>Flash Tester</APP>
<VERSION>1.02</VERSION>
<EXPIRES>01/10/2012</EXPIRES>
<SERIAL>e923b5e370cd3cb7ac72c1482d088bd7</SERIAL>
</LICENSE>
The < SERIAL> field is in fact a simple MD5 hash of all the items that make the license, with an added 'salt' (which is to remain secret) in order to prevent users from generating their own MD5 hash. The 'decrypted' license looks like this:
Joe Cool - Doggy Dogdog - Flash Tester - 1.02 - salt - 01/10/2012
When run, my app will load the XML data, add the 'salt' and compute an MD5 from this. It will then compare the generated MD5 hash to that stored in the XML. Non-matching hashed indicate tampering with the XML file. And the loaded date from XML can be compared to the current date to ensure that the app has not expired.
I am aware that MD5 is not that secure, etc but I am not protecting nuclear silos with this so I am willing to trade off security for speed and simplicity. I tried to reverse the MD5 obtained from the source string on several online MD5 reverse lookups and they all failed so far.
Finally, I am aware that I will have to store the 'salt' somewhere in the app, but I guess that anyone really determined to reverse-engineer it would break any system that I would put in place anyway, so I can live with the idea.
Would it not be trivial to simply change the computer clock to use this forever?
And as you mentioned it would also be quite easy to decompile the file, find the salt and generate an arbitrary license-file.
But any system like this is going to be a "security by obscurity" kind of deal, so unless you want to store your logic on the server side, this is pretty much as secure as it's going to get :)
EDIT: I think another way to break the validation, if this is a .swf-file, would be to load it into another swf file that has the md5-class you use in it already, but modified so it always returns a known value (say "1") and then change the license key in the xml to match this.