Protecting your source code for distribution

[author:alex]

One of the main questions we get regarding distributing a SaaS app behind the firewall is “how do I protect my source code?”

This is a problem which has plagued people for years, and the answer is always the same: “you can’t”.

The unfortunate truth is that any zealous hacker can, and will, gain access to your code if you distribute it.

A real solution involves using legal licenses and EULAs to prevent people from tampering with or trying to obtain access to the source code. This is exactly what GitHub does, and it works.

Are there other options?

If you just want to protect your code from the casual observer, there are multiple ways to do so. Most solutions are quite expensive, but they work at stopping most people, except the truly committed hackers.

I generally encourage the use of some form of key signing, hashing, encoding and encryption before distributing an app. Below I’ll list a few of my recommendations.

First step, encrypting the FS

For starters, your most important code should reside in an encrypted filesystem. This will prevent someone from mounting a disk without the correct credentials and accessing files which should normally be hidden.
</gre_replace>
<gr_replace lines="23" cat="reformat" orig="On Linux">
On Linux, here are a few examples using dm-crypt and LUKS:

On Linux, here are a few examples usingĀ dm-crypt andĀ LUKS:

This will provide a password prompt for accessing the encrypted filesystem, but that can easily be scripted so the password is read at system boot (as a kernel parameter), when your application launches, etc. This is the first and easiest step to protecting your app for distribution.
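As an added example (not one of the post's own, which assumes its own paths, mapper name and container size), the following script creates a LUKS container in a file, unlocks it from a root-only keyfile rather than a typed password, and emits the `/etc/crypttab` line that unlocks it unattended at boot. The cryptsetup steps need root and device-mapper, so they only run when `RUN_LUKS_DEMO=1` is set.

```shell
#!/bin/sh
# Added example, not one of the original post's: put a code directory on a
# LUKS container stored in a file, unlock it from a root-only keyfile instead
# of a typed password, and register it for unattended unlock at boot.
# Every path, mapper name and size below is an assumption for the demo.
set -eu

# Create the keyfile from random bytes with no group/other permissions.
# If anyone besides root can read it, the container is effectively unencrypted.
make_keyfile() {
  ( umask 077; head -c 64 /dev/urandom > "$1" )
  chmod 600 "$1"
}

# Report a file's octal mode (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# The /etc/crypttab entry that unlocks the container at boot:
# <mapper name> <device or image file> <keyfile> <options>
crypttab_line() {
  printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# Format the image as LUKS, open it, put a filesystem in it and mount it.
# Needs root, cryptsetup and device-mapper; run only when those are present.
setup_container() {
  image=$1; name=$2; keyfile=$3; mountpoint=$4
  dd if=/dev/zero of="$image" bs=1M count=64 2>/dev/null
  cryptsetup luksFormat --batch-mode --key-file "$keyfile" "$image"
  cryptsetup open --key-file "$keyfile" "$image" "$name"
  mkfs.ext4 -q "/dev/mapper/$name"
  mkdir -p "$mountpoint"
  mount "/dev/mapper/$name" "$mountpoint"
}

# Close the container again (what a shutdown or app-exit hook would do).
teardown_container() {
  umount "$2"
  cryptsetup close "$1"
}

# Opt-in demo: RUN_LUKS_DEMO=1 sudo sh this_script.sh
if [ "${RUN_LUKS_DEMO:-0}" = 1 ]; then
  make_keyfile /root/appcode.key
  setup_container /var/lib/appcode.img appcode /root/appcode.key /opt/app/private
  echo "container mounted at /opt/app/private; crypttab entry for unattended unlock:"
  crypttab_line appcode /var/lib/appcode.img /root/appcode.key
  teardown_container appcode /opt/app/private
fi
```

Note the trade-off the keyfile makes explicit: it stops someone who pulls the disk or mounts the image elsewhere, but anyone who already has root on the running box can read both the keyfile and the mounted directory, so this step protects against offline access, not a compromised host.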

Second step, obfuscate your code

Obfuscation is different from encryption and encoding: it simply converts your code from readable text into a mostly unreadable form. Variable names, class names and other values become gibberish to the casual reader, who will be unable to make changes without breaking the code or reversing the obfuscation. This is not a real method of protecting code, but it’s a big enough barrier to annoy anyone who doesn’t have time to fudge around.

Search online for your code language’s obfuscation modules. I’m sure there are plenty out there.

Third, encode your code

Encoding is a whole different game. This is the expensive world of software vendors promising the ability to protect your code, when in fact I’m pretty sure they’ve all been bypassed by someone, somehow. I don’t personally know anyone who has managed to bypass one of these tools, but it’s definitely possible, so beware.

I think the following are good sources for encoding your PHP or Ruby code, at a price:

Unfortunately this list is incomplete since I’ve never used these products.

Finally, hash your licenses

This isn’t related to distributing code, but rather distributing licenses. Many packaged SaaS apps require some form of license to use the app. This is necessary to prevent piracy and abuse of your software. It’s not always necessary, but I highly recommend it, particularly if you want to make money from selling your SaaS app behind the firewall ;)

The easiest thing to do is to ship a public key with the app for decrypting the license. This lets you verify the license’s hash and ensure it hasn’t been tampered with.

For example: if you provide users with a license file allowing access for 10 users, hashing, decrypting and validating it with the public key will ensure nobody magically alters it to allow 200 users. This check would need to occur at runtime, each time the app is launched, but it’s a small step towards ensuring your licenses remain unmodified.
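The 10-seat scenario above, as an added example that is not part of the original post: the vendor signs the license's SHA-256 hash with a private key that never leaves the vendor, the app ships only the public key and re-verifies the signature at launch, and editing `seats=10` to `seats=200` makes verification fail. It uses the `openssl` command line; the file names and the key=value license format are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sign a license file with a
# vendor-held private key and verify it inside the shipped app with the
# public key. File names and the license format are assumptions.
set -eu

# Vendor side, one-time: generate the key pair. Only vendor.pub ships with
# the app; vendor.key stays with the vendor.
make_vendor_keys() {
  dir=$1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/vendor.key" 2>/dev/null
  openssl pkey -in "$dir/vendor.key" -pubout -out "$dir/vendor.pub"
}

# Vendor side: write a license and a detached signature over its SHA-256 hash.
issue_license() {
  dir=$1; customer=$2; seats=$3; expires=$4
  printf 'customer=%s\nseats=%s\nexpires=%s\n' \
    "$customer" "$seats" "$expires" > "$dir/license.txt"
  openssl dgst -sha256 -sign "$dir/vendor.key" \
    -out "$dir/license.sig" "$dir/license.txt"
}

# App side, run at every launch: returns 0 only if the license is unmodified
# and was signed by the vendor key.
verify_license() {
  pub=$1; lic=$2; sig=$3
  openssl dgst -sha256 -verify "$pub" -signature "$sig" "$lic" >/dev/null 2>&1
}

# App side: read a field, to be called only after verify_license succeeded.
license_field() {
  sed -n "s/^$2=//p" "$1"
}

# Constructed demo: issue a 10-seat license, verify it, then tamper with it.
demo() {
  work=$(mktemp -d)
  make_vendor_keys "$work"
  issue_license "$work" acme 10 2030-01-01
  if verify_license "$work/vendor.pub" "$work/license.txt" "$work/license.sig"; then
    echo "genuine license: $(license_field "$work/license.txt" seats) seats"
  fi
  sed 's/^seats=10$/seats=200/' "$work/license.txt" > "$work/edited.txt"
  if verify_license "$work/vendor.pub" "$work/edited.txt" "$work/license.sig"; then
    echo "BUG: edited license accepted"
  else
    echo "edited license rejected: signature no longer matches"
  fi
  rm -rf "$work"
}
demo
```

Embed the public key in the application binary or package rather than reading it from a file next to the license, otherwise replacing the key is as easy as editing the seat count; and as the post says, this raises the bar for casual editing on a machine the customer controls, it does not make the check unbypassable.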

Contact us

I didn’t get into much detail about every possible solution, but I’ll gladly write about it upon request. We’re also available to discuss your particular needs and requirements regarding protecting your SaaS app for distribution. Feel free to contact us with your questions, on IRC, Twitter, or by email.