Checking expiration date can be bypassed by changing system date

Question

I have a Swing application which is using oracle database. Whoever buys my application will be given a license which contains an expiration date. My application checks the current date against the expiration date to allow user to use it.

Problem is that the buyers can freely deploy my application on their machine with their own database. So, they can just change the system date to bypass my expiration check. If the source of my "current date" is from internet, I loose one ability that allows my application to work offline.

Do you guys know how to prevent it that still keeps my application to work offline?

Answer 1

No. There is no fool proof way in a closed, unknown, environment to do this. Even with a trusted system in place (like PHK's NTP server) you could easily subvert that (by rerouting to an NTP server that always returns the same time). The only thing you can reliably do, is track how much time your application has been running. Unless your application is intrinsically designed for handling time series. In which case you can probably assume those are accurate (otherwise, the tool is useless).

Answer 2

One thing you can do is store a log of the current dates for all the program executions in an internal configuration file. Define the first date is something close in time to the point where you deploy the application (like say, 25-February 2014 if you deployed today) since no client should be execution your code in a date before you deployed it. Then, you can analyze is something funny is going on with the dates (for example, if you notice the date is going backwards) and block execution accordingly. (Always give a bit of wiggle room in case the client is changing the time for valid reasons).