Protecting applications written in scripted / interpreted languages
The SoftwareKey System is meant to license compiled applications, such as those written in C++, Java, or .NET. A scripted or interpreted application, such as one written in PHP, Node.js or Python, is harder to protect unless you use a tool to compile the interpreted code into binary code. If your clients are running the website on their servers, this presents the security challenge of running in an untrusted environment. Because they can easily get the source code for an interpreted application, they can effectively bypass a license check by removing it.
We recommend the following for scripted languages:
- If possible, use a tool to compile the scripts into binary code. It is more difficult to modify compiled binary code than it is for an interpreted script.
- Execute your scripted application in a trusted environment. This gives you control over who can modify your scripts.
- If you have some proprietary functionality that could be compiled into a binary, your scripted application could call that binary. You could use the SoftwareKey System to perform a license check when the binary functionality is accessed, and you could enforce license entitlements and copy protection at this point. This could render the overall application useless if the binary is not licensed. This method allows you to keep the licensing code out of the script code and within a binary along with a part of your code that is required to make the application useful. While it is not necessary to use a compiled binary, we wanted to let you know some of the challenges when protecting scripted code.
Using Protection PLUS 5 SDK with Python
Protection PLUS 5 SDK may be used with Python through language bindings, but we do not presently provide any Python language bindings. This means you would need to either:
- Implement your own language bindings, via ctypes, for the functions you use.
- Implement your licensing in your own C library, and use ctypes to interface with that library from your Python code.
One variation is to use something like SWIG, Cython, or CPython to implement one of the two approaches noted above.
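The following is an added example, not SoftwareKey code: a sketch of the native side of the second approach, applying the earlier recommendation to keep the license check inside the binary beside functionality the application needs. All names (`lib_compute`, `lib_is_licensed`, `demo_set_license_state`, `secret_algorithm`) are hypothetical, and `license_state` is a constructed stand-in for the result of your licensing SDK's validation.

```c
#include <stddef.h>
#include <stdint.h>

#define LIB_OK            0
#define LIB_E_UNLICENSED (-1)
#define LIB_E_BADARG     (-2)

/* Constructed stand-in for the outcome of your licensing SDK's validation.
 * In a real library only native code sets this, after the SDK has validated
 * the license. */
static int license_state = 0;

/* Demo-only setter (assumption): a shipped library must not export this. */
void demo_set_license_state(int valid) { license_state = valid ? 1 : 0; }

/* Weak pattern: exports only a yes/no answer. The script makes the decision,
 * so editing the script's `if` removes the protection. */
int lib_is_licensed(void) { return license_state; }

/* Stand-in for proprietary logic (FNV-1a hash). static, so not exported. */
static uint32_t secret_algorithm(const uint8_t *data, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 16777619u;
    }
    return h;
}

/* Stronger pattern: the check and the required functionality share one
 * exported entry point that fails closed. A ctypes binding sets argtypes
 * and restype to match this signature and tests the int return code. */
int lib_compute(const uint8_t *data, size_t len, uint32_t *out)
{
    if (out == NULL || (data == NULL && len != 0))
        return LIB_E_BADARG;
    *out = 0;                        /* no stale output on failure */
    if (!license_state)
        return LIB_E_UNLICENSED;     /* decision made in native code */
    *out = secret_algorithm(data, len);
    return LIB_OK;
}
```

With the stronger pattern, deleting the check from the Python script gains nothing, because the script never held the decision; the result only exists when the native code agrees the license is valid.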
Since Python code is interpreted, you will want to investigate options for obfuscating that code to help prevent your licensing logic from being reverse-engineered, replaced, or removed. We have a good summary of this topic on our blog: Your intellectual property could be at risk: protect it with obfuscation