I have a Chrome extension that has a free and paid subscription mode. Subscriptions can be cancelled so cancellations need to be checked for periodically.
There’s no online/server component (besides a subscription-checking server I control), which makes protecting the paid mode tricky. I only want “good enough” protection to deter people from hacking the app, and I’m 100% aware it’s impossible to prevent piracy in these situations.
“Good enough” for me is (unless there’s something better): to hack the app into paid mode, the user would have to download the extension package, hack the code and load it as a developer extension, or mock network requests.
The current payment flow (which could be changed) is:
1) the user pays and is sent a license key to their email address
2) they enter their key and email into the extension
3) these are verified by a licensing server and paid mode is unlocked
4) the licensed state is cached to reduce load on the licensing server and prevent lockouts if the server goes down.
The weakest part in this chain is caching the license state (4). I’d need to store the license state for rechecking in something like localStorage, which could be as simple as “paid = true”, which is trivial to alter. What “good enough” thing can I do to prevent hacks here?
You can add an event listener to localStorage to undo edits. It seems you’d need a reference to the event listener to remove it, which the attacker wouldn’t be able to get? When paid mode needs to be activated, the extension would have a reference to the event listener, so it could temporarily remove it.
If I store in localStorage that the license has to be rechecked or it’ll expire in, e.g., 3 days’ time, the hacker would be forced to hack this value every 3 days via Developer Tools, which is annoying, but I’d rather they were forced to edit the code.
Again, just looking for “good enough”!