/

License Binding Detection

Protection Module: LicenseBinding

Validate application deployment across licensed devices and detect unauthorized installations through hardware fingerprinting and installation frequency monitoring.

Available for: Windows full, Linux partial, macOS partial, Mobile limited

How It Works

The License Binding Detection module validates that the application is running on authorized devices by monitoring hardware fingerprints and tracking installation frequency. It detects hardware changes, MAC address modifications, and excessive installations that indicate license violations or unauthorized redistribution.

Detection Techniques

Hardware Fingerprint Changes:

  • CPU cores, primary MAC, BIOS UUID, hostname → SHA-256 hash (0.85 confidence)
  • Detects hardware changes that indicate device replacement or spoofing

MAC Address Monitoring:

  • Tracks all network interface MACs hashed together
  • Detects removed/added network interfaces (0.7 confidence)
  • Identifies MAC spoofing attempts

Hostname Changes:

  • System hostname monitoring (0.6 confidence)
  • Detects device rebranding

Installation Frequency Tracking:

  • Count over 30-day rolling window
  • Default limit: 5 installations per month (0.8 confidence)
  • Prevents license abuse through frequent reinstalls

State Persistence:

  • Linux/macOS: ~/.bytehide_license_state
  • Windows: %LOCALAPPDATA%.bytehide_license_state
  • Permanent cache of installation and hardware data

Default detection interval: 1 minute

Configuration

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "LicenseBinding",
      "action": "erase",
      "intervalMs": 60000
    }
  ]
}

Kotlin Configuration

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.addProtection(
        ProtectionModuleType.LICENSE_BINDING,
        ActionType.ERASE,
        60000
    )
}

Java Configuration

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.LICENSE_BINDING,
        ActionType.ERASE,
        60000
    );
});

Custom Action Configuration

Kotlin
Monitor.configure { config ->
    config.registerCustomAction("my-license-action") { threat ->
        val threatType = threat.getThreatType()      // String
        val description = threat.getDescription()    // String
        val confidence = threat.getConfidence()      // Double (0.0-1.0)
        val metadata = threat.getMetadata()          // Map<String, Object>

        Log.e("License", "Detected: $threatType (Confidence: $confidence)")
    }

    config.addProtection(
        ProtectionModuleType.LICENSE_BINDING,
        "my-license-action",
        60000
    )
}

Available Actions

ActionBehaviorRecommended For
CloseTerminate application immediatelyProduction apps with critical IP
LogRecord incident and continueDevelopment, analytics
EraseSecurely delete data then terminateFinancial, healthcare apps
CustomExecute custom handlerEnterprise integrations
NoneDetect only, no actionTesting configurations
BlockBlock the operationNot applicable for this module

See Actions for detailed action documentation.

When to Use

Enable License Binding Detection when:

  • Protecting premium software licenses from unauthorized sharing
  • Preventing account takeover through device changes
  • Enforcing device-locked licensing models
  • Limiting installation frequency to prevent redistribution
  • Validating hardware consistency for license compliance
  • Monitoring for enterprise license violations

Code Examples

Kotlin - Basic Integration

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

class SecurityManager {
    fun initializeLicenseBinding() {
        Monitor.configure { config ->
            config.addProtection(
                ProtectionModuleType.LICENSE_BINDING,
                ActionType.ERASE,
                60000
            )
        }
    }
}

Kotlin - Hardware and Installation Monitoring

Kotlin
Monitor.configure { config ->
    config.registerCustomAction("monitor-license-binding") { threat ->
        val threatType = threat.getThreatType()
        val confidence = threat.getConfidence()
        val metadata = threat.getMetadata()

        when (threatType) {
            "hardware_fingerprint_mismatch" -> {
                Log.e("License", "Hardware fingerprint changed!")
                val expectedHash = metadata["expectedFingerprintHash"] as? String
                val actualHash = metadata["actualFingerprintHash"] as? String
                Log.d("Hashes", "Expected: $expectedHash, Actual: $actualHash")
            }
            "mac_address_changed" -> {
                Log.w("License", "Network MAC address changed (Confidence: $confidence)")
                val previousMacs = metadata["previousMacs"] as? String
                val currentMacs = metadata["currentMacs"] as? String
                Log.d("MACs", "Previous: $previousMacs, Current: $currentMacs")
            }
            "hostname_changed" -> {
                Log.w("License", "System hostname changed")
                val previousHostname = metadata["previousHostname"] as? String
                val currentHostname = metadata["currentHostname"] as? String
                Log.d("Hostnames", "Previous: $previousHostname, Current: $currentHostname")
            }
            "installation_frequency_exceeded" -> {
                Log.e("License", "Installation frequency limit exceeded!")
                val installCount = metadata["installCountThisMonth"] as? Number
                val limit = metadata["monthlyInstallationLimit"] as? Number
                Log.d("Installs", "Current: $installCount, Limit: $limit")
            }
        }
    }

    config.addProtection(
        ProtectionModuleType.LICENSE_BINDING,
        "monitor-license-binding",
        60000
    )
}

Java - Basic Integration

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

public class SecurityManager {
    public void initializeLicenseBinding() {
        Monitor.configure(config -> {
            config.addProtection(
                ProtectionModuleType.LICENSE_BINDING,
                ActionType.ERASE,
                60000
            );
        });
    }
}

Platform Compatibility

PlatformStatusNotes
Windows 7+✓ Fully SupportedFull hardware fingerprinting and state persistence
Linux◐ PartialHardware monitoring with filesystem persistence
macOS 10.12+◐ PartialHardware monitoring with home directory persistence
Android 5.0+◐ LimitedBasic device identifier tracking
iOS 12+◐ LimitedIDFA-based tracking only

Performance Impact

  • CPU Impact: 1-2% increase during detection cycles
  • Memory Overhead: ~400 KB for hardware fingerprint data
  • Detection Latency: 100-200 ms per cycle
  • Disk I/O: Minimal state file updates (< 1 KB)

Threat Detection Details

JSON
{
  "detection": {
    "threatType": "hardware_fingerprint_mismatch",
    "timestamp": "2026-03-03T18:32:15.654Z",
    "description": "Device hardware fingerprint changed indicating potential device replacement",
    "confidence": 0.85,
    "metadata": {
      "detectionMethod": "hardware_fingerprint_analysis",
      "expectedFingerprintHash": "cpu8_mac00aabbccddee_uuid1234_hostpc1",
      "actualFingerprintHash": "cpu4_mac11223344eeff_uuid5678_hostpc2",
      "components": {
        "cpuCoresChanged": true,
        "macAddressChanged": true,
        "biosUuidChanged": true,
        "hostnameChanged": true
      }
    }
  }
}
JSON
{
  "detection": {
    "threatType": "mac_address_changed",
    "timestamp": "2026-03-03T18:33:42.321Z",
    "description": "Network interface MAC address hash changed",
    "confidence": 0.7,
    "metadata": {
      "detectionMethod": "mac_address_monitoring",
      "previousMacs": "hashed:a1b2c3d4e5f6",
      "currentMacs": "hashed:f6e5d4c3b2a1",
      "macAddressesRemoved": ["00:11:22:33:44:55"],
      "macAddressesAdded": ["ff:ee:dd:cc:bb:aa"]
    }
  }
}
JSON
{
  "detection": {
    "threatType": "installation_frequency_exceeded",
    "timestamp": "2026-03-03T18:34:58.789Z",
    "description": "Installation frequency limit exceeded in rolling 30-day window",
    "confidence": 0.8,
    "metadata": {
      "detectionMethod": "installation_frequency_tracking",
      "installCountThisMonth": 7,
      "monthlyInstallationLimit": 5,
      "rollingWindowDays": 30,
      "exceedsLimitBy": 2,
      "recentInstallations": [
        "2026-03-01T10:15:00Z",
        "2026-03-02T14:20:00Z",
        "2026-03-02T16:30:00Z",
        "2026-03-03T09:45:00Z",
        "2026-03-03T18:34:00Z"
      ]
    }
  }
}
JSON
{
  "detection": {
    "threatType": "hostname_changed",
    "timestamp": "2026-03-03T18:36:10.456Z",
    "description": "System hostname changed from baseline",
    "confidence": 0.6,
    "metadata": {
      "detectionMethod": "hostname_monitoring",
      "previousHostname": "workstation-alpha",
      "currentHostname": "workstation-beta"
    }
  }
}

Tampering Detection

Jailbreak Detection

Emulator Detection

Virtual Machine Detection

Next Steps

Configure Actions

Custom Actions

Configuration API

Previous
Network Tampering
Next
Container Detection