Encrypting application source code

Hi,

I would like to secure my Rails app source code because we have a
complex application and we install it on our customer sites.

It is in our company's best interest to keep the source code secure
since we have invested a great amount of time and research in
developing the logic/algorithm behind the application.

We evaluated several options (like Rubyscript2exe, etc.) and came to the
conclusion that we should encrypt the Rails application source code,
which can be decrypted on the fly to serve the application. This will not
allow anyone to look at the code even if the application is running or
if someone gets hold of a copy of our source code.

I looked around but couldn't find anything that can do something like
this, i.e. encryption and decryption of source code, something like what
ZendGuard does for PHP.

I would appreciate if you have any suggestions or ideas on this.

Thanks in advance.

www.sphred.com
http://nasir.wordpress.com

Good luck waiting for a bytecompiler for Ruby; it might take a long while though. A good contract or preconfigured and inaccessible servers are your best option.

Best regards

Peter De Berdt

> I looked around but couldn't find anything that can do something like
> this, i.e. encryption and decryption of source code, something like what
> ZendGuard does for PHP.

First, it's not encryption. It's byte-code compilation (much like
what you get when using a caching mechanism such as APC).

Second, it can be reversed very easily:

http://www.qinvent.com/cyrj/dezender/index-en.php

Looks like this one app supports reversing all current PHP "protection" rackets.

> I would appreciate if you have any suggestions or ideas on this.

If you want 100% secure code.. put the code on your server, then
unplug the server from the wall.

You can look at zenobfuscate. You can also read the dozens of threads
people have discussed this exact issue in.

Also, how Mingle does it:

http://kiyo.wordpress.com/2007/08/21/mingle-on-jruby-how-its-deployed/

Thanks for the reply Peter.

We thought about the contract and inaccessible servers but
unfortunately that is not a viable solution for us.

Regards

Nasir

Thanks for correcting me Greg about byte-code compilation.

I will put forward a very simple analogy here for your second point.

We all know that anyone can break into our house but we still lock it
before leaving our doorstep. In fact some of us take more than one
measure to make sure that the stuff in our house is secure and also to
feel secure.

So I imagine that my company's first step to do something like above
is not that bad a choice.

However, I never mentioned 100% secure code but I guess that was a
great suggestion. I am sure you must have tried that in the past; did
that work? ;o) I think we all would like to know how you got that
working ;o)

Anyway thanks for replying.

Regards

Nasir

Thanks for the link, Gene. I will look at zenobfuscate and the mingle
link.

Regards

Nasir
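
The "decrypt on the fly" design discussed in this thread, as an added example that is not code from any poster: a loader on the customer's machine can only run encrypted source if the key is on that machine too, so the encryption protects a stray copy of the encrypted files, not the install itself. The method names, the `Pricing` sample and the key handling are hypothetical and constructed for illustration.

```ruby
require "openssl"

# Constructed sample: stands in for proprietary application logic.
SAMPLE_SOURCE = <<~RUBY
  module Pricing
    def self.quote(units)
      units * 42
    end
  end
RUBY

# Vendor side (hypothetical build step): encrypt the source with AES-256-GCM.
def pack_source(plaintext, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(plaintext) + cipher.final
  { iv: iv, tag: cipher.auth_tag, data: data }
end

# Customer side (hypothetical loader): it cannot run anything without the key.
def unpack_source(blob, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob[:iv]
  cipher.auth_tag = blob[:tag]
  cipher.auth_data = ""
  (cipher.update(blob[:data]) + cipher.final).force_encoding(Encoding::UTF_8)
end

# What the shipped loader does at boot: decrypt, then hand plaintext to Ruby.
def boot_app(blob, key)
  eval(unpack_source(blob, key), TOPLEVEL_BINDING)
  Pricing.quote(2)
end

# What anyone holding the same install can do: same key, same call, no eval.
def recover_source(blob, key)
  unpack_source(blob, key)
end

# Assumption: in this model the key is delivered together with the loader.
KEY  = OpenSSL::Random.random_bytes(32)
BLOB = pack_source(SAMPLE_SOURCE, KEY)
```

Where the key lives (a file, the loader binary, a licence server reply) changes how much effort recovery takes, not whether the plaintext exists in the customer's process at run time.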