How is major software protected?

Question

I am a new software developer and I wish to sell my software. I recently realized that from C++ code we can not stop the user seeing parts of the code that are related to scripts or system commands.

Would you make some comments on how software written in C++/JAVA (distributed via CD-ROMs or available via download) is protected from reverse engineering, scanners for when the code is in memory and direct copy of parts (as system commands).

What a small software company which just starts producing software should do to protect its product from the technological point of view (it should not be able to pay legal fees …)?

It all depends on what you're selling & who you're selling it to. — Sean McSomething, Dec 11 '13 at 23:24
Is any software protected? Software giants like MS, Adobe, etc, do everything they can to protect their software, however their software is the most pirated out there. That doesnt mean you shouldnt take some steps, but dont expect 100% lockdown. — Keltari, Dec 12 '13 at 02:02
The primary protection on the software of major corporations is *Legal*, not *technological*. Ignoring legal protections means ignoring *most* of their protections. — RBarryYoung, Dec 12 '13 at 18:53

score 95 · Answer 1 · answered Dec 11 '13 at 21:44

95

I've been writing software for many years and 2 decades ago I used to think along the lines that you're describing and try and work out ways to protect my software.

To answer your question: Software protection is done through encryption and obfuscation just like data protection. The shortfalls, as you described, is that much code is very difficult to protect and usually relatively easy to reverse engineer.

One way to protect your code (from decompiling) is to never release a compiled version of it and always run it from a server and your consumers use a client such as a browser. That does not however protect you from reverse engineering.

The defense, in my opinion, is to not waste cycles (time/money) trying to protect your code but rather be continually innovating and adding more value to your product over time. If a competitor got hold of your code and took (say) 1 month to decompile it and released a competing product then you should be a step ahead of them with your next feature or next product by that time.

Spending time and effort to block out your competition by keeping everything secret would be better spent by encouraging your team to be innovative and stay ahead of the competition.

answered Dec 11 '13 at 21:44

Guy

541
3
6

31

+1 for "innovate and don't worry about the other guys" – Wyatt Barnett Dec 11 '13 at 22:06
4

+1 for "One way to protect your code (from decompiling) is to never release a compiled version of it and always run it from a server and your consumers use a client such as a browser." – kol Dec 12 '13 at 07:15
1

I like the answer, but what about in situations where a small company creates something and a larger company has the resources to out pace them? Especially when Marketing is a such a big consideration in the success of software. (http://www.forbes.com/sites/insertcoin/2012/01/25/everything-wrong-with-zynga-in-one-image/) – CLo Dec 12 '13 at 16:21
2

@Chris This is where legal protections are most important. Unlike hackers and nations, corporations cannot afford to ignore or flaunt the law. They have the deepest pockets and under current legal theory/practice that means that they incur the greatest risks when doing so. – RBarryYoung Dec 12 '13 at 18:56
@RBarryYoung I appreciate the clarifications on legal protections. My point was more that, there are definitely some cases where "keeping one step ahead" isn't as easily done. The specific link I posted about Zynga, is just an example where legal protections aren't effective, and staying a step ahead is financially impossible. – CLo Dec 12 '13 at 19:24
2

@Chris There's no mention of code-copying there, just game/design-copying. There's only two possible ways to protect that AFAIK: either out-innovate as Guy mentions, or the legal protections of intellectual property. If Nimblebit has legal protections in this case then they should exercise them. If they do not, then what has happened here, no matter how ugly, is legally classified as "competition", which can only be defended against by out-competing. It's true that little guys are at a disadvantage against the big guys in marketplace competition, but that's a systemic issue of capitalism. – RBarryYoung Dec 12 '13 at 20:39

fzwo · Answer 2 · 2013-12-11T21:55:17.337

42

In my opinion, before asking how, you should be asking whether it's needed and/or worth it.

I think in many cases, it isn't.

People are (understandably) quite paranoid about other people stealing their codez. But is this fear rational? I think it usually isn't.

Is your app really so awesome that somebody would go to the trouble of reverse-engineering it? (Sorry, but probably not - as you said, you're a new developer. And even if you weren't... there are many very talented devs out there)

Would reverse engineering (to the point of getting usable and complete source code) be so much easier than just writing a competing product? (Very probably not)

How maintainable do you think such a program would be? (Probably not very)

There are many, many things to worry about before having to worry about protection from rip-off artists. Not the least is getting a viable and attractive product into the market in the first place.

For completeness' sake I should add that there are obviously good reasons for trying to protect certain kinds of software, or certain parts of many common pieces of software, but generally, I think trying to protect your code is mostly a waste of time better spent on making the product better.

edited Dec 11 '13 at 21:55

answered Dec 11 '13 at 21:44

fzwo

631
3
7
12

1

I don't feel this answers the question. It was framed/focused as specifically technical. If the answer to the 'ask yourself' at the start of your answer is 'yes, we've decided it's needful and worth it' or 'maybe, but I'd like to know more about the how before making a full evaluation', the rest of the answer doesn't help. – Snagulus Dec 11 '13 at 22:09
4

While I agree it doesn't seem to answer the question posed in the headline, it does (IMHO) answer the question of "what a small software company [...] should do", as posed in the last paragraph. And sometimes, answering the unasked question might be more helpful than correctly answering a question without regard for the context. Anyway, I'm fine if this doesn't get your upvote, but I still think it's a useful (if a little abrasive) answer. – fzwo Dec 11 '13 at 22:13
1

I think it's good advice, I even agree with it in this case, but it outright ignores the 'how', which could be useful to others and probably strengthen your case for why it isn't worth the work. Ex: these are the things people do, and this is why the asker shouldn't do them. – Snagulus Dec 11 '13 at 22:17
You're right, and thank you for your opinion, except that I think there are others much more qualified to answer that part than I am - Java and C++ aren't exactly my home turf. – fzwo Dec 11 '13 at 22:20
8

Sometimes the best answer is to the question that wasn't asked. Spot on. – WernerCD Dec 12 '13 at 04:21
2

I agree that there should be an answer explaining the technical how, but this answer and similar other answers are really important because: for 95% of the people who are worried about protecting their code, this is the right answer. Give a man a fish... – Supr Dec 12 '13 at 09:08
2

one does not fail to observe that when the technical aspects become very difficult, philosophy starts... The point remains, protecting code is a world class problem and as small, bright ideas can be programmed in one line, protecting this line is essential – user3054451 Dec 12 '13 at 10:25
@user3054451: If it is about a single, brilliant line, then the other thousands of mundane lines that complete the application should be enough protection, combined with the effort of reverse engineering. Given the (lack of) quality of reverse engineered source, finding that one line is like finding a particular straw (not even a needle) in a haystack. – Bart van Ingen Schenau Dec 12 '13 at 10:32
+1 Security is all about analyzing the risks and the costs & benefits of potential "solutions". – David Dec 12 '13 at 14:19
"*Is your app really so awesome that somebody would go to the trouble of reverse-engineering it?*" This is a critical point that most new developers take years to realize. Consider this, most Software Engineers prefer to write their own code *even when they already have someone else's working source code.* How easy do you think it is to get an SE to use someone else's code when they have to reverse-engineer it first? People don't reverse-engineer code to steal/replace it, they reverse-engineer code to *exploit* it *in-place*. – RBarryYoung Dec 12 '13 at 19:11

score 10 · Answer 3 · answered Dec 12 '13 at 01:38

Unless you software is pretty devious internally I am sure any competent programer could replicate the behavior of your programs in about the same time as you took to write it!

So spending a lot of effort on keeping your code secret is usually just wasting time and effort.

Some algorithms do need to be kept secret for instance google's page rank algorithm is only useful if scammers don't know how to promote a rubbish page to the top of the search, or, an automated trading system which could be manipulated by a competitor. But this situation is pretty rare.

Software giants like SAP and ORACLE sell many packages based on the fact that everybody knows exactly what they do; "GAAP compilance" or "Embodies Best Business Practice" in marketing speak.

But do not lose heart, testing is at least 50% of the effort of programming and probably adds 80% of the value; you cannot reverse engineer a decent set of tests.

score 3 · Answer 4 · edited Apr 12 '17 at 07:31

If the software is in the client machine, all you can do is delay the inevitable.

Obfuscation and encryption only makes the task of disassembling harder. If you are going that path, you probably want to reach a point were the they will decide "ok, screw this, I'll implement from scratch because it will take less time". Although, in practice it is very hard (if possible) to reach that point... as others has pointed out most mayor companies don't reach that point.

On the other hand, maybe attackers don't want to create an alternative product! (If what they wanted was to compete with you, then all that there is to it is to stay ahead of the competition and stop worrying.)

In practice there has been an actual arms race is in techniques to mod and prevent modding of software. This happens when you decide to add protection from unwanted copies by adding restriction to your software. If you do that, then all of the sudden you will have a bunch of people willing to modify your product to remove those restrictions without paying. This is even more common than a third party replicating your software, you see it from games (for example the "No CD" patches) to illegal activation of Operating Systems (cough Windows cough), antivirus software, and others.

As said, this is an arms race. You say: Anti-A, and they invent A+1, you say Anti-A+Infinity and they say B. It's like a game of whack-a-mole: they will always find a way to keep popping up until you get tired. You can also think of it as a game of Tetris, you are trying to build a perfect wall without holes... but we all know that there is only a way to finish the game of Tetris (At least the original Tetris): you lose.

So, since they want to mod you software the make patches or patchers software that we call "cracks".

Things may start to look scary when you they start to make cracks. It is common for antivirus companies to add those fake versions of programs to their database. As countermeasure the those who distribute those pieces of software will suggest to disable antivirus... result: a bunch of people running software with the antivirus disabled. You will never know when will they take that opportunity to put actual malicious software in there...

And yes, it affects you. It means less sells for you. On one hand because people use the cracks and on the other because the cracks damages your image.

Since all this problem comes from running code in the client, a common approach is to drive the activation of copies through a server. But the client needs to remember if it is activated...

From the attacker standpoint most of the cases look like an "if" branch that says:

   If (Software is Activated) do this Else do that.

All they have to do to unlock your application is to inject some code to negate the verification. So, things like testing the hash of your files to see if they are the originals wont work.

Of course this can be mitigated, take a look to Hash-And-Decrypt, and similar techniques that may actually give some headache to the attacker.

So... ¿Do you want a definitive solution? ¿Something 100% secure?

There are two options:

Never run your software in the client's machine. Run only on your own servers.
Give the software as free and open source. You can add a good legal license, and it will be easy to show that any other software there is a copy. Drive money from something else, like:

2.1. Selling installation and support.

2.2. Additional products.

2.3. Remote "Cloud" ~~execution~~ computing services.

It all point to Hardware and Cloud. it is not rare that all mayor companies are "moving to the cloud".

+1 for "You say: Anti-A, and they invent A+1, you say Anti-A+Infinity and they say B." — Michael Shaw, Dec 12 '13 at 20:46

score 2 · Answer 5 · answered Dec 12 '13 at 00:19

2

This question depends a lot on who your clients are.

If you are selling business to business, it should be fairly easy to prevent competitors from even getting compiled code. The easiest way to deal with this kind of situation is with strong contractual wording. With IBM Cognos (major business intelligence product like SAP), a license key isn't even used. They do somethings like code obfuscation but they, mostly protect their product with layers.

This is obviously harder with business to person type situations. You probably can't control who has access to the software. The other posters have some good solutions with regards to this.

answered Dec 12 '13 at 00:19

sixtyfootersdude

859
1
8
20

All this is useful including the philosophical questions. I would love some more technical input. How to fight HexRays IDA or the HexRays disassember or the ASCII scanners? What is a good solution to let third parties run the code using a server and what are the dangers. The difference between major companies and "new" developer or start-up company is that the developer can not fight legally – user3054451 Dec 12 '13 at 10:21
@user3054451 : That's false. If a big company would straight up reverse engineers a product of a small company the small company could even change it's business model. Raise money to pay for lawyers and become rich through a court finding. – Christian Dec 12 '13 at 18:30
@Christian - I am not sure if reverse engineering is illegal. If it is a patented technology then sure, but otherwise... – sixtyfootersdude Dec 12 '13 at 20:59

score 0 · Answer 6 · answered Dec 12 '13 at 18:50

Whenever you want to protect something you have to think about which threads you want to defend against.

Do you have secrets that you want to protect?
Do you want to protect against software piracy by private individuals?
Do you want to protect a company from competition.

As far as 1. goes, if you have secrets post the software that deals with them on your own server and do SaaS.

As far as 2. goes, it's probably not worth your while to invest into protection as the protection of all software gets broken.

As far as 3. goes the danger isn't straight reverse engineering through code but someone reprogramming your idea. If you want to protect against that you would need to go the expensive road and buy patents.

How is major software protected?

6 Answers6