IP Protection - Smart Client in a large installation

Classic Servoy
1

Hi,

This topic, and several like it to follow, come out of another thread on source code protection. My intent is to capture information in such a way that we can collect it within a single document for later reference. I hope that Servoy developers as well as Servoy folks will participate. I don’t pretend to be an expert here; I’m primarily just trying to organize the discussion on this topic. Please feel free to bring over any thoughts that might be relevant from the original topic, “source protection”. The goal is to capture thoughts on what risk we have to our source code in various scenarios, and what steps might be taken to mitigate that risk, from programming practices to potential changes to Servoy, to…whatever.

For this discussion on IP protection, I’d like to suggest the following scenario…

You are running a solution in a large installation. The Servoy server is on-premise, and the clients are using the Smart Client.

What risk do you have that your solution source code will be stolen?
What are ways to mitigate that risk?

Thanks and have a good day.
Ron

2

Ok, well, I guess I’ll start.

If you are doing an installation in a corporate datacenter, you may be able to make the following assumptions…

  1. The datacenter is physically protected so that it would be difficult for a stranger to walk in and either make off with equipment housing your software, or download your software to an external device and walk off with it.
  2. The datacenter is protected against unwanted network penetration, blocking anyone from downloading your software.
    Now, of course, “trust, but verify”, that this is actually true.

So, your risk of an unauthorized person making off with your software is mostly like mitigated by safeguards already in place in the datacenter. This takes us to the usual suspect, tho, and that is insider attack. Some insider attacks are mitigated by protections already in place in the datacenter. For example, physically limiting access to only those employees that need to be allowed in. Also, network security blocking access to the server, or hard drive, or logical folders, holding the application software.

But, what of the insider who has access to these resources, let’s say, a datacenter employee? In that case, you are left to protecting your software through your own means. Traditionally, this was done by just installing object code. The creative thief may be able to reverse engineer the object code, but it will protect against the common thief. Can this be done with Servoy? Actually, at this point, I don’t know.

Are there programming techniques that can be used to obfuscate the code/logic?

What other techniques might be available to us, either now, or with potential changes to Servoy?

You also have some legal protections. As part of your licensing, you can specify that the licensee have “commercially acceptable” safeguards in place to protect your IP. This isn’t foolproof, and proving damages in case of a theft may be difficult and expensive, but it’s something, and it puts the licensee on notice that they have some responsibility.

Ron

3

Hmmm, I don’t think that this is the correct way to analyze the issue. Remember that you can never protect a server that is directly accessible through the console, no matter what you do, someone could start it in single user mode and get in or could simply take all your disk and do whatever he wants somewhere else.
The only thing you can do is choose a good datacenter and if someone from the inside should do something wrong you can squeeze a huge amount of money from them.

IMHO you should focus on protecting your server from external attacks: setup a good firewall, define very strict DB access policies, secure your backups.
The servoy architechture is very secure, the data is only stored in the database, if you use an encrypted connection you are quite safe from sniffers and I think it would be quite hard to recover business logic and code from a smart client installation on a client machine.

In my opinion Servoy 3 tiers architecture is very secure, of course it could be breached, like any other architecture can be, but it would be very difficult and expensive for someone to do it. If your code is so precious I guess you will have a huge budget to spend in security and lawyers so focus on tracing who is accessing what and when and you could unleash your legal team and make enough money to retire to a warm and comfortable caribbean island… ;)

4

A few notes:

  • You can obfuscate your code. There are several free JavaScript obfuscation tools available. I don’t recommend that you do this for all your code, but just do it for a few key methods, like ones used in core framework of your app. Enough so it can’t function properly without it.

  • You can also put some of your code in a plugin, and obfuscate the Java code in the plugin. Again, make your solution rely on some methods in the plugin, and it will add additional protection.

  • You can add some features to make your app “call home” periodically to give you info about who is using your solution. Not foolproof, but a step

5

Hi, and thanks for your comments.

Nicola, thanks for your thoughts. I don’t know that there’s a right way or a wrong way; this is just “a” way. There may certainly be a better way, but for now, this is the one I chose.

Very good thoughts, which pretty much match my own experience. You’re right that if you are installing into someone else’s datacenter, you have to live with their security procedures. If you see a particular weakness, there may be an opportunity to discuss it. As I said, the best you can do there is include in your licensing agreement some mention of commercially acceptable security.

Scott, thanks for your thoughts as well. For applications that rely on some key piece of logic, obfuscation as you described may be just the ticket. Many apps simply rely on the wealth of functionality that they provide, and that solution may not work there. Certainly a good idea to pursue, tho.

The idea here is just to get ideas out. Some may lead to further discussion, and in some cases it may be enough to just make note of them. I’ll collect the individual entries and put them into some sort of order, and make them available as a PDF for anyone interested. Of course, they’ll also be here in the archive of the forum for anyone who chooses to search for them.

I’ll let this one fester here for a couple of more days and then add another.

Thanks and have a good day.

Ron