Protecting your precious code!

Whatever your reasons are, at some stage in your development career you may want to protect your code from reverse engineering. Whether it be to stop intellectual property theft, to supply a “try before you buy” option on your software, or to stop people modifying your code, there will likely come a time when your code needs to be protected. I’m sure we’ve all had that feeling where we’ve just written the most awesome code in the world and it now holds a special place in our heart. Imagine if someone stole that code and passed it off as their own… How would you feel? Over a “series” of articles, we’ll go over how to avoid this heartbreak!

As a .NET or Java developer, your code can unfortunately be reverse engineered with ease, as demonstrated by tools such as Reflector for .NET, or Jad for Java. Of course, this can also be a fantastic feature of the language, depending on your viewpoint! But this series is about code protection… so what are your options?

[Image: An example of the detail present in a compiled .NET assembly]

This article is intended to be an introduction to this “series”. Over the coming weeks, among other side topics (e.g. any MVC or C# tidbits I find!), I will cover:

  • A detailed overview of various protection techniques
  • How to bypass each technique (so you can appreciate the relative difficulty)
  • A code example of how you can implement the technique yourself, without the use of commercial tools.
  • Whatever else seems appropriate amongst it all!

To demonstrate each method, rather than use existing commercial tools which cost a lot of money, I will write my own toolkit from scratch (which I’ll release and make available with an open source license).

Wait a minute… isn’t that an oxymoron?

You mean an open source product to protect your code? Well, no; I believe that the purpose of the resulting product is to:

  1. Teach readers the inner workings of the framework, through demonstration.
  2. Contribute back to the community – I’ve used fantastic open source products so many times that it is time for me to give back!

Chances are, I’ll never end up using this application, as I am a SaaS developer (all my source code is on my own servers), but I’m sure this tool will eventually be useful for SOMEONE who wants to increase their profit margin!

Code can be likened to a house…

We could potentially leave our house open for all to enter, and all to inspect. Some people aren’t interested in going into your house; they are quite happy just seeing it from the outside. Some people will walk through the house and perhaps see minor things that need fixing as they walk through (maybe even fixing them, or providing advice for a fix). Some people will go through just to look, perhaps getting ideas for their own house. Others will go through and take bits of the house that aren’t theirs to take, move things around or generally take advantage of the house being left open. This kind of house is like a program compiled in .NET without any code protection applied. It’s virtually open for anyone to do what they want!

Now, just like a house, how many people disrespect the courtesy depends on the neighbourhood it’s in. In some neighbourhoods, no-one will even bother going inside! In others, people will see it open for all and then steal, or break as much of your trust as they can.

Over the weeks I will be using this metaphor to describe a number of different code protection techniques. Not all of the metaphors are perfect, but hopefully they help ease the concepts of each! Some of the things we’ll cover are:

  • Assembly Signing – similar to adding magnetic bar codes to each of your items. Everything can still be seen, but taking items out, replacing items, or putting items in can be “easily” detected.
  • Code Obfuscation – similar to hiding all your important things, and putting decoys in place. All with the purpose of making it harder to find the stuff you want!
  • Assembly Encryption – similar to locking the doors and windows. You still need a key to get in somewhere though!
  • Tamper Proofing – similar to having an alarm system in your house. When it’s turned on it finds out if something has happened out of the ordinary, but the alarm only works as well as its sensors!
  • The Law – well, of course we can rely on the law to help us sue or charge someone that’s broken in, but at what cost?

[Image: An example of an effectively obfuscated .NET assembly]
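
The Assembly Signing and Tamper Proofing items in the list above can be made concrete with a short C# sketch. This is an added example, not code from the toolkit this series describes: the byte string standing in for an assembly, the class and method names, and the RSA/SHA-256 choice are all assumptions made for illustration, and `RSA.Create(int)` assumes .NET Core 2.0+ or .NET Framework 4.7.2+.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SigningDemo // hypothetical name, for illustration only
{
    static byte[] Sign(byte[] image, RSA key) =>
        key.SignData(image, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // The "sensor": checks the image against a publisher key the verifier already
    // trusts (pinned), not against whatever key happens to ship beside the file.
    static bool Verify(byte[] image, byte[] signature, RSAParameters trustedKey)
    {
        using (var rsa = RSA.Create())
        {
            rsa.ImportParameters(trustedKey);
            return rsa.VerifyData(image, signature,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        // Constructed stand-in for the bytes of a compiled assembly.
        byte[] image = Encoding.UTF8.GetBytes("IL: if (!LicenseIsValid()) Exit();");

        using (var publisher = RSA.Create(2048))
        using (var someoneElse = RSA.Create(2048))
        {
            RSAParameters pinned = publisher.ExportParameters(false); // public part only
            byte[] signature = Sign(image, publisher);

            // Signing hides nothing: the content is as readable as before.
            Console.WriteLine("Content: " + Encoding.UTF8.GetString(image));
            Console.WriteLine("Untouched image, pinned key: " + Verify(image, signature, pinned));

            // A single changed byte no longer matches the publisher's signature.
            byte[] modified = (byte[])image.Clone();
            modified[4] ^= 0x01;
            Console.WriteLine("Modified image, pinned key: " + Verify(modified, signature, pinned));

            // A modified image re-signed with a different key carries a well-formed
            // signature. Only the comparison with the pinned key rejects it.
            byte[] resigned = Sign(modified, someoneElse);
            Console.WriteLine("Re-signed image, pinned key: " + Verify(modified, resigned, pinned));
            Console.WriteLine("Re-signed image, key taken from the file: " +
                Verify(modified, resigned, someoneElse.ExportParameters(false)));
        }
    }
}
```

The last two lines are the “alarm only works as well as its sensors” point: a verifier that accepts whichever key accompanies the file detects accidental corruption but not deliberate replacement.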

So, we’ve got a few options to protect our code (which I will elaborate on in future articles)… so why don’t I use all of them? Well, technically you could. With your house, you could spend money on an alarm system, security guard, camera system, etc. This will deter most people; however, we can never assume it will deter all people. Why? Someone, somewhere, provided they have enough time (and determination or reason), will still try to break in, and eventually succeed! Therefore, you need to consider a few things before protecting your code, and to what level:

  1. Who are my target audience?
  2. Are my target audience likely to abuse my trust?
  3. How important/sensitive is my code?
  4. What are the consequences/costs of my code being stolen/broken?
  5. How much time/money can I invest in protection?

As you can see, there is a lot to consider before protecting your code! As with a lot of things, it is a matter of choosing the right tool or tools for the job.

In future articles I will take a deeper dive into each of the different areas, which will ultimately build a free suite of protection tools. Until next time, consider your target audience before spending too much on code protection! The circumstances and target audience make a big difference to the tools you should choose.
