Author: Vallo Reima
Updated on: 2017-07-27
Posted on: 2016-03-02
Package: PHP Application Packer
Read this article to learn about PHP source code protection solutions in general, and how PackApp package can help protecting your PHP source code.
PHP developers are often faced with the problem of protection of their intellectual property after delivering their PHP software products to the customer. A EULA (End User License Agreement) or a proprietary license provides legal protection, but will not actually prevent unauthorized use of copies of the software product.
Compiling or encoding of the source code into some binary format would eliminate the problem but it imposes requirements regarding software that needs to run the compiled code in the customer server.
Using of the SaaS model could be another solution but it requires the vendor server support to be available 24/7.
When the product is to be installed in the client's server, usually it provides a standard environment like LAMP based stack. This article discusses how to protect a PHP application in this case.
The PHP application in the client's server needs 2 kinds of protection:
- Prevent reading and modifying the application's source code
- Prevent redistribution of the entire application
The first measure to make the source code more difficult to read is the "minification". Removing the comments, white space and line breaks significantly reduces readability. However, it is not a problem to write a small script to reformat minified code to make it readable. The mnemonic identifier names are still informative enough to understand the code with some effort.
Another measure that may help here is obfuscation. Renaming the identifiers with random names makes the source code very hard to understand, alter or use.
The minified and obfuscated source code can still be copied and installed in any other server. So, the application must be locked to the client's site to prevent redistribution. There are several options for the locking the source code using: server IP address, site domain name, a specific URL, hardware (MAC) address. The application must include necessary functionality to verify the lock criteria before performing any actions.
Basically there are 3 types of PHP code protection solutions: minifiers, obfuscators, and encoders.
Minifiers remove parts of the source code text that are not necessary. There are minifiers that take advantage of the PHP tokenizer to parse the source code into token values. The source code is rebuilt stripping the comments and whitespace.
The minified source code often needs further scrambling which can be performed either by encoding or obfuscation. The simplest encoding method is to use the base64_encode() and eval() functions to the minified source code or to use some encryption.
It is easy for any competent PHP programmer to decode a minified PHP script to view the original source code.
An obfuscator turns regular PHP source code into an equivalent version that is harder to understand.
The most reliable way to build a lightweight obfuscator is to parse the source code lexically, replace the identifiers with meaningless names, and then rebuild the PHP source code. That must be done across all source code files including also the templates. Therefore many online tools are not suitable for this purpose because they process only individual scripts.
Encoders compile PHP source code into Zend opcodes and store the result in files that replace the original PHP source files.
Some commercial encoders are very good but may require a loader extensions to load and execute the encoded PHP code. They often use encryption algorithms with secret keys to make it harder to extract the original Zend opcodes from the encoded PHP file.
Different Loader versions are supplied depending on the Web server but the customers may not want to (or cannot) install them.
Some encoders may provide optional locking features. The locking code is built in the encoded source and the check is made during the execution.
Some developers are looking for free Open Source PHP encoder solutions. However part of the protection that PHP encoders provide comes from the fact that the encryption keys and encoding algorithms PHP encoders use is proprietary.
Providing an Open Source PHP encoder solution would defeat the purpose of protecting PHP source code because it would make it easy to create decoders.
That is why there are no free or Open Source PHP encoder solutions.
Developed by: SourceGuardian
Developed by: RSSoftLab
Developed by: Zend
|Version||Release Date||License||Platform||Min PHP||Max PHP|
|SourceGuardian||11.1||Commercial||Windows, Linux, MacOS X||4.3.4||7.1|
|ionCube Encoder||9.0||Windows, OS X, Linux, FreeBSD||4.1.0||5.6|
|Zend Guard||7.0||Commercial||Linux, Windows, Mac OS X||4.2||5.6|
|PHTML Encoder||6.4||Commercial||Windows, Linux, FreeBSD, Solaris, Mac OS X||4.2||5.6.3|
|GUI||Command Line||Lock to IP, domains, Mac Addresses||Lock to specific dates||Encode non-PHP files||Obfuscation|
Some PHP encoders have certain features that may provide better encoded code protection support. Below follows an explanation of each of these features.
|Max PHP source language||Max PHP runtime language||Files can run on newer PHP versions||Algorithmic (dynamic) keys||Runtime API||Tools for assisting with Loader install||License properties|
Max PHP source language - Highest version of PHP source code that is supported for encoding
Max PHP runtime language - Highest version of PHP source code that is supported for executing the encoded code.
Files can run on newer PHP - Encoded PHP files can be executed on newer PHP versions
Algorithmic (dynamic) keys - A stronger method for encrypting code as no decryption key is stored anywhere.
Runtime API - Vendor specific PHP functions for operations such as querying license and encoded file information.
Tools for assisting with Loader install - Does the product provide tools to help installing the Loader extension to make encoded files be executed on the server.
License properties - License specific key/value data which is accessible via the runtime API.
Some PHP encoders have features that are not yet listed here for side by side comparison. Eventually those features will be added later on a future edition of this article.
Therefore PHP encoder producers were invited to describe some of the most important features of their PHP encoders that they consider important for the PHP developers.
SourceGuardian supports advanced bytecode protection, encryption with a custom key, advanced encryption with locking to IP/domain/MAC address, locking to a license file, setting expiry date, optional remote time servers check, advanced error handling.
All known PHP encoders are commercial but most of them have free trial versions that you can try for a period of time.
NuCoder (14 days trial)
SourceGuardian (14 days trial)
Zend Guard (14 days trial)
The PHP Application Packer package fills the gap between simple obfuscators and ultimate tools. For this package packing means minifying, obfuscation, compressing with ZIP.
You can try the single-file demo here.
Main features and benefits:
- Packs an entire project at once
- Suitable for back-end and front-end projects
- Processes different source types and embedding
- Minification and obfuscation are separated
- Lightweight and compatible as it is written in PHP
- No system extensions and encoding is required
A Web based user interface is supplied to control the packing process with several options.
The PackApp can be called also from PHP script as explained in this description page.
The PackApp installation includes the registration which ties the package to the customer's web-directory. That could be a pattern for your own locking solution.
The package's source code itself is minified and obfuscated - try to undo it! You can obtain the full version of the PackApp from here.
So just as a lock won't prevent others from breaking into your house obfuscation won't prevent others from using your code, it will just make it harder for them. The goal of the PackApp package is to make reverse engineering rather expensive to attempt to do that.
Sometimes it's enough to minify only, sometimes obfuscation is required to achieve necessary protection, or locking must be applied. The choice depends on particular application and business model.
Using any free solution is often not satisfactory. If it seems too much to pay a few tens of dollars for the utility, then probably that source code does not need the protection at all.
If you are looking for all-in-one protection, then you should be ready to pay 10 times more (maybe every year) and your client should be ready to install web-server extensions. In most cases an intermediate solution like PackApp is suitable for many independent software vendors.
If you liked this article or you have questions about protecting your PHP source code using PackApp, post a comment here.
You need to be a registered user or login to post a comment
Login Immediately with your account on:
3. great for locking your code from web hosting service providers - Wamala Phillip (2016-03-03 11:25)
great for locking your code from web hosting service providers... - 0 replies
Read the whole comment and replies