I'm having trouble seeing this as a P&L question, and I suspect others are too -- that's why you haven't gotten an answer -- but I was reluctant to move it because your first sentence seemed to indicate that P&L was an intentional choice. It seemed like either an R&D question (for the obvious reasons) or else perhaps an Ops & Legal question (IP protection, and the miscellaneous "nuts and bolts" of running a software company).
Should I move it, or do you really think it's a pricing and licensing question? The questions we get here, and our experts, run more along the lines of "if we sell one copy for $49, what should we charge for ten?" and "how do we write a license that prohibits our customers from doing X while letting them do Y?"
BTW, not the answer to your question, but it almost is and it's an amusing read, albeit waaay too long: http://thc.org/root/phun/unmaintain.html.
Categories: Licensing Issues
While this may sound like a developers topic, I was more interested in an IP protection opinion of code obfuscating.
We are preparing to deliver our first .Net application and the topic of encrypting or obfuscating our products came up as a way to protect our intellectual property. I am comfortable with the concept, but was interested in how others were facing this decision. I want to be responsible with our IP, yet, I don't want to build extra steps in our development process if it is really unnecesary.
Are others encrypting their .Net apps for commercial distribution or do you just figure if someone is set on reverse engineering, they are going to do it no mater what. (Our software does not contain any world-changing algorythyms, our values is our ease-of-use and process).
Thanks in advance!
I would say wherever IP protection is discussed would likely be the right home.That would be here at Ops & Legal. IP is definitely a Legal topic, and I see your question as more Ops than R&D, because you are not asking "is method X or Y technically superior?" but rather for a management overview of obfuscation. I see the issue of obfuscation as different from copy protection because I think the big discussion point in CP is "how much are we inconveniencing the legit customers?" Obfuscation has no customer impact, is that correct?
Let me get the Ops & Legal ball rolling by confessing my ignorance. I know obfuscation/reverse compilation is a big issue for Java. Is it an equally big issue for .NET? Are C# and VB "object" code sufficiently one-to-one with the source code that use de- or reverse compilation is possible? Must be: I do a Google search on .NET obfuscation and get 545,000 hits, including ELEVEN paid ads. OTOH, a Google search on .NET decompiler yields 785,000 hits, including seven paid (some of them the same as from the earlier search).
If anyone is wondering "what the heck are these guys talking about?" here is a good introduction: http://www.awprofessional.com/articles/article.asp?p=353553&seqNum=3&rl=1
Just to complete the picture, let me mention the aspect of this general topic that does apply to licensing. It is important to be clear about what you are trying to achieve as there are two separate issues involved:
1. Concealing your IP and algorithms from snoopers. This is the goal is obfuscation or encryption, and there are many such tools available. It is orthogonal to licensing.
2. Ensuring (in a licensing context) that the license checks and perhaps other function calls are not bypassed, modified or spoofed. One way of accomplishing this latter goal is to take a digital signature of the library elements, so detecting any tampering or substitution.
As I understood your post your concern is the former - right? - so I agree it is perhaps better addressed in this forum.
Apparently several ISVs see a business here; there's this -->
and this -->
We don't obfuscate our .NET product. I strongly believe that if someone is determined to hack/crack your application, nothing will protect you.
There is no 100% secure solution.
In my opinion it's better to get a copyright for your source code. So in case someone steals and sells your product, you can sue them.
As for the licensing code manipulation, think about: will a serious company (prospective buyer) try to tamper your licensing module? I don't think so.
Locks are to keep honest people honest. Person who tries to hack your product will hardly buy it anyway.
I someone wanted to copy your code and it happened to be obscured, they would just look at the processor as it executes and disassemble what the processor executed.
Obscuring code might raise the cost of copying your code, but it won't prevent it.
A couple of clarifications if I may.
- You've "got" a copyright automatically on your code and screen designs (very important -- see the recent thread on "copycat software") by virtue of your having recorded it on a "tangible medium." It's important to REGISTER your copyright to protect your ability to sue infringers. (I'm speaking of US law here. Others' mileage may vary.)
- Sure, any of these things only slows down/raises the cost for a crook. Will the lock on your front door at home keep crooks out absolutely? Of course not. It just slows them down -- but you still installed a lock, didn't you? If you can raise the cost of hacking your software to where it is cheaper to buy a license, or to where commercial crackers will play elsewhere, then obfuscation was worth the effort. Reconstructing code from a debugger trace is a lot harder than working with a decompiler.
- I agree with Vadim, assuming you are talking about mission-critical software. No one is going to take a chance running their company on unsupported software, stolen or otherwise -- no one, that is, who could have afforded your software in the first place. The tradeoffs are different for nice-to-have software.
One additional consideration, which may apply to .Net applications in the same way as Java applications, is that by obfuscating Java code the file size gets smaller. This is because there is some data compression that is used as part of the obfuscation process. This was a welcome secondary benefit for one Java application I had written for me.
Along the same lines, some of the sites selling obfuscators claim performance improvements. Seems plausible, but I would benchmark before I implemented obfuscation for that benefit.
Just wanted to sy we have worked with this app and have been pretty happy with it.
Obfuscating .Net software is a must, since its so easy to see the code using tools like Reflector. You want to make it as hard as possible for hackers and crackers and IP thieves. Of course, there is the license agreement but most companies do not have time or resources to fight legal battles.
Our own product Crypto Obfuscator offers a variety of protections for your .Net assemblies. Do check it out.