Obfuscation for IP protection

Recently we’ve had lots of interest in an internally developed product from external organisations. Obviously if they’ve got enough interest to want to pay for it… why not sell it to them?

There are a few issues to consider when the software was developed without a clear goal to make it into a saleable product:

  1. The software was never developed to be a product for general sale – it is likely to have missing requirements as it was developed for a single purpose (i.e. not generic enough)
  2. Licensing (the software) was not a requirement during the development – the developers did not know it was a requirement, and knowing it could have altered the design strategy
  3. Database objects not created ‘WITH ENCRYPTION’ – a simple-to-fix issue, but it’s a PITA!
  4. Web application not written with obfuscation in mind – is it possible to reverse engineer our DLLs/Web Services?

The software we need to protect is a web application (ASP.NET 3.5 C#) with a SQL Server 2005 back end.
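
For issue 3 in the list above, one way to size the job is to list the modules that were not created WITH ENCRYPTION. This query is an added example, not part of the original post; it assumes SQL Server 2005 or later and is run in the application database.

```sql
-- Added example: audit for modules not created WITH ENCRYPTION.
-- Read-only: uses catalog views and OBJECTPROPERTY, modifies nothing.

-- 1. Objects that still need to be recreated WITH ENCRYPTION
WITH modules AS (
    SELECT
        QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name) AS object_name,
        o.type_desc,
        o.modify_date,
        -- 1 when the module text is stored in obfuscated form
        OBJECTPROPERTY(o.object_id, 'IsEncrypted') AS is_encrypted,
        m.definition
    FROM sys.objects AS o
    JOIN sys.sql_modules AS m
        ON m.object_id = o.object_id
    WHERE o.is_ms_shipped = 0                          -- skip system objects
      AND o.type IN ('P', 'V', 'FN', 'IF', 'TF', 'TR') -- procs, views, functions, DML triggers
)
SELECT
    object_name,
    type_desc,
    modify_date,
    LEN(definition) AS definition_chars  -- readable text still in the catalog
FROM modules
WHERE is_encrypted = 0
ORDER BY type_desc, object_name;

-- 2. Progress summary per object type
SELECT
    o.type_desc,
    SUM(CASE WHEN OBJECTPROPERTY(o.object_id, 'IsEncrypted') = 1 THEN 1 ELSE 0 END) AS encrypted_count,
    SUM(CASE WHEN OBJECTPROPERTY(o.object_id, 'IsEncrypted') = 0 THEN 1 ELSE 0 END) AS plaintext_count
FROM sys.objects AS o
JOIN sys.sql_modules AS m
    ON m.object_id = o.object_id
WHERE o.is_ms_shipped = 0
  AND o.type IN ('P', 'V', 'FN', 'IF', 'TF', 'TR')
GROUP BY o.type_desc
ORDER BY o.type_desc;
```

Keep the plain-text scripts in source control before recreating anything, because the definition of an encrypted module can no longer be scripted back out of the catalog. WITH ENCRYPTION obfuscates the stored text rather than putting it beyond the reach of someone with full control of the server, so treat it as a deterrent that sits alongside the contractual protection.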

I had some experience with obfuscating .NET since 1.1, and it seems lots of the issues from back in 2001/2 have now gone since the .NET language has moved on and become more optimised. There’s an interesting thread of discussion on Stack Overflow that might interest you. It discusses tools, reasons for doing it, and the potential pitfalls.

I’m not too worried about our IP going missing, as we will put a non-disclosure agreement in place, and the potential buyer would lose significant reputation and business from my organisation if they were to attempt to get out our precious source code.

Having looked at a few obfuscators, I’m tending to go for Eazfuscator.NET.  As this software package is under maintenance (internally) I didn’t want to make wholesale changes to the solution/project so it seemed the obvious choice. Simply use it on your web application DLL (outside of Visual Studio), and all is well.

In terms of licensing, we will need to think about a pricing model if orders do come through the door and then come up with a suitable licensing strategy.

Our main headache is going to be “… well, it kinda does what we want it to do but …” type questions. Our internal processes are almost certainly going to be different to those organisations wanting to use the package. Dealing with this, alongside the maintenance of an existing system is going to be challenging.

SpittingCAML





4 Responses to “Obfuscation for IP protection”

  1. SpittingCAML Says:

    Update on this. We had a webservice as part of the web application and it ceased to work when we obfuscated the DLL. I guess this is because the WebMethods get renamed.

    In fact a better explanation can be found here:
    Obfuscating Web Services - this is an excellent guide on how to get it working for you.

    SC

  2. SpittingCAML Says:

    .. also, there are a few ways to stop Eazfuscator renaming your classes and methods.

    See Documentation Comment

    SC

  3. Al Says:

    @SpittingCAML - whatever happened to this situation? We’ve had questions like that come up with one of our internal LOB apps once. Management just said ‘No.’ But I’d thought about your concerns before they did that!

    What do you think about the possibility of not worrying about obfuscation nor changes or worse yet, support, and just throw the source code over the wall to them? Do they not have the staff to make changes?

    I would wonder if it would be feasible and reasonable from a legal standpoint to have a contract with NDA, no rights to sell code or its improvements, rights to buy back improvements, and a requirement that they make an arrangement with a consultant to do all the support and customizations? That would make it more expensive for them, of course, and less profitable for you, with the consultant having to train churning programmers on your complicated system instead of relying on your expertise in the matter… but it would sure free you up from working for, uh, another company!

  4. SpittingCAML Says:

    @Al

    We sold it successfully without obfuscation in the end as we agreed a three year fixed price support agreement that would be invalidated if any modifications were done by the licensee.

    We’ve made a small amount of profit in selling ‘added extras’ to the original application so we are reasonably happy to have made some money on what was supposed to be an internal project.
