I'd like to ask how to protect my code that is running on a client server from being altered and/or copied.
It's running on Ubuntu Server with the standard Apache/PHP/MySQL stack.
Any software needed would preferably be open-source.

I'd also like to terminate the application when there is a license problem.
Doing this using my code is possible, but since it's PHP the client could alter the code to prevent this from happening.

BenMorel
HTDutchy
  • client server?! – Songo Jan 13 '13 at 12:52
  • @Songo client as in "the guys paying me for the code", I presume. –  Jan 13 '13 at 12:52
  • Look for example here: http://programmers.stackexchange.com/questions/29496/open-source-php-encoder/29509 ; in general it's not fully possible, but you might encode and obfuscate your source code. – Luc Franken Jan 13 '13 at 13:02
  • It might not be obvious to you, but *any* code that runs on a client that you do not control can be altered, and there is absolutely no way of preventing this. You can make it slightly harder so that understanding and modifying it takes some dedication and effort, but that's about as good as it gets. – tdammers Jan 13 '13 at 19:24
  • Compile your code into binaries. – Tulains Córdova Jun 14 '13 at 19:51

4 Answers

If you need to protect some magnificent algorithm you could have the code sitting on your own server with an authenticated API to access it, then distribute programs that use that API and sell credentials to use that API. It would then be possible to control code access as you pleased. This would be a sort of a software as a service type system that can be very effective in combating software piracy.

However, this system has many potential flaws, one of which is that it will be very difficult to persuade customers to trust this system, knowing that if your company removes its servers then they also lose theirs, along with any investment of time/money into using the service.

Also, the cost/maintenance would be substantial, considering you would need to be able to support the combined traffic received by all your customers.

It would probably be easier to provide updates/support so people continue to pay for your services. I think it would be worth considering the advice given on how to disable copying data from a webpage: any sort of protection that can easily be broken may not be worth the development effort and may annoy legitimate users; instead, add value to continuing to pay for a licence.

Joel
  • As offering support and updates to the software with the license is already the plan, I think I'll have to settle for trusting the client. – HTDutchy Jan 13 '13 at 18:21
  • That wouldn't work anyway, since the client is open source, so the code can be tampered with (i.e. they can change `if ($response == $expected_result){` to `if (true){` and they are done). – Jay Jan 13 '13 at 19:11
  • @Jay The client code would just be rendering code; it wouldn't include the actual functions being executed to generate the data. – Joel Jan 13 '13 at 19:32
  • In essence, you have: `$code = fetch_code_via_api(); eval($code);`. I raise you: `$code = fetch_code_via_api(); file_put_contents('code1.txt', $code); eval($code);` followed by changing the original code to `eval(file_get_contents('code1.txt'));` and the code is mine. At which point it'd probably be easier/cheaper to have bugs fixed internally than to pay you some fixed fee for usage of your API. If the code runs on the client, there is *no way* you can prevent it being taken. As I said in my answer, IonCube isn't perfect either, but it's close. – Jay Jan 13 '13 at 19:57
  • @Jay When PHP runs, your browser isn't sent the PHP to execute; it's sent the HTML produced by the PHP. In this case there is the 'client', who acts as a proxy between the end-user and the central server, and who is only sent the rendering of that data, not the method used to produce the data. Dropbox, for example, expose their API; that doesn't mean anyone can just reconstruct the Dropbox code. – Joel Jan 13 '13 at 22:34
  • I did not claim you can reconstruct PHP from HTML. I asserted you can reconstruct PHP *from* PHP. The question is about protecting the PHP code itself, not its output. – Jay Jan 13 '13 at 22:36
  • @Jay The PHP is sitting on a central server the client does not have access to. – Joel Jan 13 '13 at 22:37
  • Please explain how a user login feature will work if the PHP is hosted on a remote server (i.e. client -> clientServer -> developerServer). Also explain where the database is. – Jay Jan 13 '13 at 22:42
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/7087/discussion-between-joel-and-jay) – Joel Jan 13 '13 at 22:46
> Any software needed would preferably be open-source.

To the best of my knowledge, you're out of luck on this one. Making PHP 'encryption' is a business, and open source solutions just won't/don't cut it as well. (From the ones I found, it took me under 10 minutes to defeat them, because all they really did was base64_encode the code, rotate it a few times, then eval the reversed process in order to execute the code. Replacing eval with echo made it trivial to defeat. The best one I saw used magic variables like __LINE__ in order to prevent this kind of thing, but was still pretty easily defeatable for any experienced PHP dev once you noticed this.)

IonCube is still pretty hard to defeat; you have to pay someone upwards of $5 - $8 per file to decrypt it. If you have a lot of files, this is a financial barrier. They also have licensing options, so you can prevent the code being copy/pasted onto other servers and just run as-is.

Jay
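As an added example (not code from the question or from any answer), here is a toy encoder of the base64-and-rotate-then-eval kind Jay's answer describes, together with the eval-to-capture check he mentions; the function names and the sample "protected" script are made up for illustration. It shows why a loader that has to hand plaintext to `eval()` cannot keep that plaintext from whoever administers the server, which is the check to run against any such encoder before relying on it.

```php
<?php
// Added example, not code from the question or from any answer: a toy encoder
// of the kind Jay's answer describes (base64 + reversal "rotations" around an
// eval) plus the check that shows why it leaks the source. All names are made up.

// Toy encoder: reverse the script text and base64 it, a few rounds over.
function toy_encode(string $source, int $rounds = 3): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $source = base64_encode(strrev($source));
    }
    return $source;
}

// Toy loader that ships beside the blob. It must undo the encoding and hand
// plaintext to $run; in a real encoder of this type $run is eval().
function toy_loader(string $blob, int $rounds, callable $run): void
{
    for ($i = 0; $i < $rounds; $i++) {
        $blob = strrev(base64_decode($blob));
    }
    $run($blob);
}

// The evaluation step: instead of eval, capture what the loader was about to
// execute. Returns the plaintext the loader reconstructs.
function recover_source(string $blob, int $rounds = 3): string
{
    $captured = '';
    toy_loader($blob, $rounds, function (string $src) use (&$captured): void {
        $captured = $src;   // exactly the text eval() would have received
    });
    return $captured;
}

// Constructed sample "protected" script; the function is the supposed secret.
$original = "<?php\nfunction price(int \$qty): int { return \$qty * 42; }\n";
$blob     = toy_encode($original);

// Normal operation: the encoded script still runs. The '?>' prefix lets eval()
// accept text that begins with an opening PHP tag.
toy_loader($blob, 3, function (string $src): void { eval('?>' . $src); });
echo "price(3) = ", price(3), PHP_EOL;

// The check: the loader necessarily reconstructs the original source.
echo "source recovered intact: ",
     var_export(recover_source($blob) === $original, true), PHP_EOL;
```

The same substitution applies to any encoder whose loader ends in `eval()` on a decoded string; only schemes that execute inside the engine (as IonCube does) avoid handing plaintext to userland at all.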
You have two options:

  1. Learn to trust your clients.
  2. Refactor your software in a compiled language (Java or C# will do, but they can be reverse engineered with comparative ease; C and C++ are pretty much impossible to reverse engineer but are not very good for web applications).

You should also realize that any reasonably competent programmer could probably reproduce your system just by observing its behavior, without ever looking at your code.

James Anderson
Take a look at this new open-source project:

http://pecl.php.net/package/BLENC

BLENC is an extension that permits protecting PHP source scripts with Blowfish encryption. BLENC hooks into the Zend Engine, allowing for transparent execution of PHP scripts previously encoded with BLENC. It is not designed for complete security (it is still possible to disassemble the script into opcodes using a package such as XDebug), but it does keep people out of your code and makes reverse engineering difficult.