How to protect paid feature


Ngoc Duc Huynh

Aug 25, 2021, 12:05:47 PM
to Chromium Extensions
Hi, I want to add features that need to be paid for. I will use the storage API to set a config value called isPaid, but a user can open the background page, open the console and set isPaid to true, or they can edit my extension code and make isPaid always equal to true. How do I avoid that? My extension needs to be available in offline mode, so checking paid status online when the browser opens is not suitable. Thank you.

Cuyler Stuwe

Aug 25, 2021, 5:10:10 PM
to Ngoc Duc Huynh, Chromium Extensions
Implement your functionality in the backend.


Ngoc Duc Huynh

Aug 25, 2021, 9:57:22 PM
to Chromium Extensions, salem...@gmail.com, Chromium Extensions, Ngoc Duc Huynh
Sorry, I don't understand. "Implement functionality in the backend" must mean, let's say I have a download-image feature as a paid feature, that we fetch the downloadImg.js script and run it, or fetch some code as a string and use unsafe-eval to run that string of code?

On Thursday, 26 August 2021 at 05:10:10 UTC+8, salem...@gmail.com wrote:

Vishnu NUK

Aug 25, 2021, 10:15:13 PM
to Chromium Extensions, provan...@gmail.com, salem...@gmail.com, Chromium Extensions
Issue a token for every paid user.
Authenticate using the token when someone tries to access paid content.
You can revoke access remotely by invalidating the token from your server itself.
Storing the main logic on the user's machine is a bad idea. Anyone can modify it and download paid content for free.

Ngoc Duc Huynh

Aug 25, 2021, 10:17:54 PM
to Chromium Extensions, narayanann...@gmail.com, Ngoc Duc Huynh, salem...@gmail.com, Chromium Extensions
What if the user modifies the part of the source code that authenticates using the token? Can I prevent it?

On Thursday, 26 August 2021 at 10:15:13 UTC+8, narayanann...@gmail.com wrote:

Vishnu NUK

Aug 25, 2021, 10:30:19 PM
to Chromium Extensions, provan...@gmail.com, Vishnu NUK, salem...@gmail.com, Chromium Extensions
You can do that from the server side.
You need to create a token using the email ID or username of the paid user.
And issue a new token every 24 hours or 30 days.
If you feel like the username or token has been published on Reddit or shared in groups/forums, you can always disable that token from the server side.

"What if the user modifies the part of the source code that authenticates using the token? Can I prevent it?"
Totally, you can do that, but it depends on how good your logic on the server side is.

Even with applications like Grammarly, Netflix, Amazon Prime etc., one account is being used by many people, shared by creating a WhatsApp group etc.
So there is nothing you can really do, but you can make it hard, that is it.
Look at the geolocation of the paid user, limit the number of active devices etc.

Ngoc Duc Huynh

Aug 25, 2021, 10:38:43 PM
to Chromium Extensions, narayanann...@gmail.com, Ngoc Duc Huynh, salem...@gmail.com, Chromium Extensions
My worry is that some users with good knowledge of programming will easily reverse engineer the source code to bypass those, like a cracked offline game. It looks like there is no way to prevent the user from editing the source code of the extension. Is there any way to block executing storage API commands like chrome.storage.sync.set in the console? I checked the extension Checker Plus for Google Calendar™; using those storage API commands in the console of their background page always returns the promise.

On Thursday, 26 August 2021 at 10:30:19 UTC+8, narayanann...@gmail.com wrote:

Glen Chiacchieri

Aug 26, 2021, 10:33:02 AM
to Chromium Extensions, provan...@gmail.com, narayanann...@gmail.com, salem...@gmail.com, Chromium Extensions
Hey! So, as the Mozilla team explains, there is no payment system that is 100% secure against people who are very motivated to get paid access to your extension. After all, the extension's source code is available. If they really wanted to, they could copy the source code and remove all the checks for paid access. You can hide functionality on a server somewhere (that removes the ability to see and manipulate the source code), but the code that runs in the extension itself (especially for Manifest V3, which doesn't allow remote scripts to be executed) is available.

But there are ways to make it harder! For one, don't put the user's paid status in localStorage or chrome.storage. Users can much more easily change isPaid to true by inspecting the extension's stored data and changing it. Instead, give the user a token or cookie from your server and query whether that token is paid or not. Again, this isn't 100% secure, but really, most users will not try to hack your extension, and for the ones that do, making it a little difficult will deter most of them. You can also minimize your code, which makes it harder to understand what's happening. Have you tried to read minimized extension code? I have, and it's not easy, despite being a programmer for 12+ years.

Personally, I made ExtensionPay to take care of all of this since it's a hassle otherwise. It's an open source library and API that makes it easy to take payments in extensions and does all the important security things.