4

First of all, I know there is nothing I can do that 100% prevents illegal copying of my software. I'd like to just make it reasonably hard for a competent person to do, and almost impossible for an unknowledgeable person to do.

I have a contract job coming up to develop a web app using the WAMP stack, commissioned by a company's IT manager. During our meeting and conversations, he kept being generic about the software requirements, seemingly refusing to develop requirements specific to his company. So I got the impression that he was intending to resell the software to other companies for his profit.

And for people who say "people who pirate software aren't in your target market anyway", obviously that doesn't apply in this case because if he resells my software to other companies, those companies ARE in my target market.

The functionality in my software will be divided between the server side (PHP) and the client side (JS) using a good JS framework. If possible I want to protect both (but I think for JS the only thing I can do is obfuscate the code).

I can't just refuse the contract because I need the money.

Is there anything at all I can do?

Edit: I'm also open to using external applications (i.e. written in C, Java, etc. or compiled into dll) to handle the copy-protection. Just need to know the general mechanism of it, if possible.

d.a.vorm

3 Answers

3

You are solving the wrong problem.

You can't hide your code when using php and javascript. You can obfuscate but it will not deter anyone trying to steal your code.

What you need is a contract where it is clearly written what your code does, what the customer is allowed to do with your code and penalties for breaking the contract by distributing your code without your consent.

For that you'll need a lawyer.

Bent
  • Where I live (southeast asia) a contract like that is quite meaningless, especially for a freelance worker like me. Here, piracy is the norm, not the exception. Nobody cares about piracy because most people expect software to be free. – d.a.vorm Oct 26 '16 at 14:34
  • And strictly speaking, they have a point and you're proving it for them: Code has a virtually unlimited supply because once public it takes zero effort to multiply it infinitely often. As you yourself point out it is ultimately impossible to prevent access to it. So from an economic standpoint this means that software (or really any kind of digital good) is comparable to a freely available good like oxygen which simply cannot be sold for any non-zero price. ... – Johannes Hahn Oct 26 '16 at 15:09
  • ... Also compare to information as a good: Once a certain piece of information is known, it can be freely copied by telling others, nobody can effectively prevent that. That's why information is free (newspapers etc. are not, because they provide more than information, e.g. the convenience of having lots of it in one place or having it earlier than others etc. But the information itself is free) These analogies aren't perfect, but strong enough to really make it hard to justify attaching non-zero prices to digital goods. – Johannes Hahn Oct 26 '16 at 15:09
  • @d.a.vorm in that case, if you really think he's going to resell, make sure the contract states that if he does so all rights revert to you, so that you at least can resell or open source the code yourself if you want to. –  Oct 27 '16 at 08:39
1

First don't forget to use a licence!

https://stackoverflow.com/questions/4766834/how-do-i-protect-javascript-files :

a very interesting article written by Patrick Wied on how to hide your js code, and he reveals a different approach: you can encode your source code into an image! Sure, that's not bullet proof either, but it's another fence that you could build around your code. The idea behind this approach is that most browsers can use the canvas element to do pixel manipulation on images. And since the canvas pixel is represented by 4 values (rgba), each pixel can have a value in the range of 0-255. That means that you can store a character (actually its ASCII code) in every pixel. The rest of the encoding/decoding is trivial. Thanks, Patrick!

The article : https://www.patrick-wied.at/blog/a-technique-for-hiding-your-javascript-code

It is impossible to protect your code via JavaScript, because the code is executed on the client. That being said, you can make it difficult to obtain for less advanced developers, who are likely the kind of scum that would steal code and claim they wrote it. Real developers have way too much pride to steal code, and would more than likely write their own. That being said, here is how.

  1. Create a Server side file that requires an active authenticated session in your controller and embed your javascript into this file. Use Ajax to retrieve the file when the page that you want to reference loads it and add the script to the DOM. In other words, dynamically embed your javascript at run time so that it's not visible when view source is selected.

  2. If you really want to make things complicated, split the logic between server side and client side. Have some of the work done server side via ajax post/get methods and some done client side. Be sure that active session params are used so that no one can simply reference your logic and steal it all. This way if they steal part of the code, they still have to be intelligent enough to write the rest, which probably won't be the case if they're attempting to steal.

  3. You can also throw your own encryption into the mix, though this will slow things down. You can use a two way hash that uses something as simple as a session id, and decrypt and execute as you go.

  4. Lastly, you can embed an erroneous javascript file ripe with errors and malicious code to totally jack up unsuspecting losers system called gotcha.js! Ok, that might be a bit overboard, but misdirection is the key here.

PyNico
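
The pixel-encoding idea quoted in this answer, written out to show why it is obfuscation rather than protection: decoding needs no secret, only the same loop run backwards. This is an added example, not code from the answer or the linked article; the names `encodeToPixels` and `decodeFromPixels`, the 4-byte length header and the RGB-only layout are assumptions, and a `Uint8ClampedArray` stands in for the `ImageData.data` buffer a canvas returns.

```javascript
// Added example. `pixels` has the same layout as canvas ImageData.data:
// one byte each for R, G, B, A per pixel.
// Assumed layout: 4-byte big-endian length header, then UTF-8 source bytes,
// packed into R, G, B only. Alpha stays 255 because a canvas stores
// premultiplied alpha, so RGB values under a non-opaque alpha do not
// survive a putImageData/getImageData round trip.

function encodeToPixels(source) {
  const payload = new TextEncoder().encode(source); // handles non-ASCII too
  const data = new Uint8Array(4 + payload.length);
  new DataView(data.buffer).setUint32(0, payload.length); // length header
  data.set(payload, 4);
  const pixelCount = Math.ceil(data.length / 3);
  const pixels = new Uint8ClampedArray(pixelCount * 4);
  for (let p = 0, i = 0; p < pixelCount; p++) {
    for (let c = 0; c < 3; c++, i++) {
      pixels[p * 4 + c] = i < data.length ? data[i] : 0; // zero padding
    }
    pixels[p * 4 + 3] = 255; // fully opaque
  }
  return pixels;
}

// Anyone who can load the image can run this: no key, no session needed.
function decodeFromPixels(pixels) {
  const bytes = [];
  for (let i = 0; i < pixels.length; i++) {
    if (i % 4 !== 3) bytes.push(pixels[i]); // skip the alpha channel
  }
  const raw = Uint8Array.from(bytes);
  if (raw.length < 4) throw new RangeError("pixel data too short for header");
  const length = new DataView(raw.buffer).getUint32(0);
  if (length > raw.length - 4) {
    throw new RangeError("declared length exceeds pixel data");
  }
  return new TextDecoder().decode(raw.subarray(4, 4 + length));
}

// Constructed sample standing in for the "hidden" script.
const SAMPLE_SOURCE = 'function price(qty) { return qty * 4.2; } // café';

function roundTrip(source) {
  return decodeFromPixels(encodeToPixels(source));
}
```

In a browser the decoder's input would come from `getImageData()` on a losslessly stored image (PNG); the page must ship the decoder to run the code, so the recovery routine is always available to whoever receives the page.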
0

You can't in this situation, obfuscation is not copy protection and just gets in the way. In any case - you have to trust the people you work with. If you don't trust them don't work with them.

TotalWipeOut
  • I know obfuscation is not copy protection, hence my resignation that it's pretty much the only thing I know. As I said, I need this job, I can't just say no. I'm willing to accept the risk, just trying to minimize it – d.a.vorm Oct 26 '16 at 14:31