Protecting the Ruby on Rails source code (encrypting and making the code compilable and not to view)

I am trying to implement my application at my client's place, and the application is developed in Ruby on Rails.

I am going to deploy on their premises, and I wish to make the code encrypted so that it can be compiled but cannot be viewed, used or copied.

How can I do that using open-source tools?

You can use ruby encoder (


You can’t do that with ANY tools. Even “Ruby Encoder” can be reversed to regenerate source code, as can alternative approaches (using JRuby and compiling to .class files, etc). Even compiled machine code can be reversed back into C:

If they can execute the code, they can reassemble it. You’re trying to protect code by putting a lock on it and then GIVING THEM THE KEY.

Ultimately, it’s a question of effort: you can make extracting source more difficult, but never impossible.

Also, this is an enormous red flag (from Ruby Encoder’s FAQ):

“Some of our techniques, for obvious reasons, are not documented outside of our core team and this is to provide a heightened level of protection for the Ruby or Ruby on Rails scripts.”

A basic rule of security: if somebody’s promising that their SUPER SEKRIT ALGORITHMS can do something impossible, watch out.

Take the $199 and spend it on getting a good lawyer to write up a contract that specifies strong penalties for stealing source - but realize that enforcing such a contract will cost even more money.

–Matt Jones
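The point made in the reply above (whatever the interpreter can execute can also be read back), shown with CRuby's built-in `RubyVM::InstructionSequence` API. This is an added example, not part of the thread; it assumes CRuby (MRI) 2.3 or later, and the `LicenseCheck` class and its key literal are constructed sample values.

```ruby
# Constructed sample standing in for proprietary application code.
SAMPLE_SOURCE = <<~RUBY
  class LicenseCheck
    def valid?(key)
      key == "ACME-2024-SECRET"
    end
  end
RUBY

# Compile the source to MRI's binary instruction-sequence format,
# the kind of artifact one might ship in place of the .rb files.
def compile_to_binary(source)
  RubyVM::InstructionSequence.compile(source).to_binary
end

# What anyone holding only the binary can do: load it and disassemble it.
# The interpreter needs this same information in order to run the code.
def disassemble(binary)
  RubyVM::InstructionSequence.load_from_binary(binary).disasm
end

# Report which parts of the original program are readable in the listing.
def recoverable_facts(binary)
  listing = disassemble(binary)
  {
    class_name:  listing.include?("LicenseCheck"),
    method_name: listing.include?("valid?"),
    literal:     listing.include?("ACME-2024-SECRET")
  }
end

if __FILE__ == $PROGRAM_NAME
  bin = compile_to_binary(SAMPLE_SOURCE)
  puts "shipped artifact: #{bin.bytesize} bytes of bytecode"
  recoverable_facts(bin).each do |what, found|
    puts format("%-12s recoverable: %s", what, found)
  end
  puts disassemble(bin)
end
```

The listing names the class and method and shows the comparison against the string literal, so the control flow can be rewritten as Ruby by hand; an encoder that wraps this step in encryption still has to hand the decrypted form to the interpreter on the client's machine.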

Will the application be living on your hardware or your client’s? If it’s your hardware, I suppose there isn’t much to it. Set up the server and retain root/admin access.

If you’re in a situation where you must deploy on the client’s hardware, I think your best bet is to establish a VM guest with your application. Set it up as if it were your own hardware (retain root/admin access) and configure the VM guest to talk to your client’s network.

Your client will still have access to the machine, so if they wanted to invest the time they could probably get at your application (in both cases I would use FDE). In this case at least they have to put some effort into it.