Encrypting application source code

Nasir_Jamal · December 4, 2007, 12:17pm

Hi,

I would like to secure my Rails app source code because we have a complex application and we install it on our customer sites.

It is in our company's best interest to keep the source code secure since we have invested a great amount of time and research in developing the logic/algorithm behind the application.

We evaluated several options (like Rubyscript2exe, etc) and came to a conclusion that we should enrypt the Rails application source code and which can be decrypted on the fly to serve application. This will not allow anyone to look at the code even if the application is running or if someone get hold of a copy of our source code.

I looked around but couldn't find anything that can do something like this, ie encryption and decryption of source code something what ZendGuard does for PHP.

I would appreciate if you have any suggestions or ideas on this.

Thanks in advance.

www.sphred.com

Peter_De_Berdt · December 4, 2007, 6:26pm

Good luck waiting for a bytecompiler for ruby, might take a long while though. A good contract or a preconfigured and inaccessible servers are your best option.

Best regards

Peter De Berdt

Greg_Donald1 · December 4, 2007, 10:46pm

I looked around but couldn't find anything that can do something like this, ie encryption and decryption of source code something what ZendGuard does for PHP.

First, it's not encryption. It's byte-code compilation (much like what you get when using a caching mechanism such as APC).

Second, it can be reversed very easily:

Looks like this one app supports reversing all current PHP "protection" rackets.

I would appreciate if you have any suggestions or ideas on this.

If you want 100% secure code.. put the code on your server, then unplug the server from the wall.

Gene_Tani · December 5, 2007, 4:42am

you can look at zenobfuscate . You can also read the dozens of threads people have discussed this exact issue in.

also, how mingle does it:

Nasir_Jamal · December 5, 2007, 10:45am

Thanks for the reply Peter.

We thought about the contract and inaccessible servers but unfortunately that is not a viable solution for us.

Regards

Nasir

Nasir_Jamal · December 5, 2007, 11:04am

Thanks for correcting me Greg about byte-code compilation.

I will put forward a very simple analogy here for your second point.

We all know that anyone can break into our house but we still lock it before leaving our doorstep. Infact some of us take more than one measure to make sure that the stuff in our house is secure and also to feel secure.

So I imagine that my company's first step to do something like above is not that bad a choice.

However, I never mentioned 100% secure code but I guess that was a great suggestion. I am sure you must have tried that in the past, did that work? ;o) I think we all would like to know how did you get that working ;o)

Anyway thanks for replying.

Regards

Nasir

Nasir_Jamal · December 5, 2007, 11:06am

Thanks for the link gene. I will look at zenobfuscate and the mingle link.

Regards

Nasir