Protect license key verification

[Jon Erickson]

Hey all, I am working on finishing up a IPB module and will be enabling commerce license keys for those who purchase the product - it will be sold using a subscription based model. Im not looking for actually coding answers, but in generalities, how might I protect the license key check portion of the application from any user just deleting the code from the php file so that the license key verification doesn't take place? Thanks!

[DawPi]

Honestly? You can't if your source code would be unencoded.

[Jon Erickson]

How does IPB protect their software? Do you know if they support encoding such as ioncube?

[G17 Media]

27 minutes ago, Jon Erickson said:

How does IPB protect their software? Do you know if they support encoding such as ioncube?

I think there was some talk about IPS not permitting encoded files on the Marketplace but I could be wrong. As for IPS, there is a hardcoded license check. It can be removed by commenting it out, and there are numerous sites that offer pirated versions. Like a lot of PHP projects, they mostly work on ordinary users not knowing how to remove the license check, copyright enforcement and the honour system.

[Dan C]

On 7/20/2018 at 1:28 PM, Jon Erickson said:

How does IPB protect their software?

For cloud instances, the protection comes from not giving the customer direct access to the site's files.   For self-hosted customers, they don't.   We have full access to the IPS source code.  

I don't think the Software as a Service model is going to work for you in the IPS community.   Partly because as @G17 Media pointed out, Invision have rules that explicitly prohibit encrypting files on the Marketplace, and partially because nobody uses this model today.  

[KT Walrus]

You need to host your customer's data on servers you control and implement your IPS app using a REST API (with authentication) to the business logic that retrieves/updates the customer's data. The IPS app becomes the UI to the customer, but the REST API implements the backend of the app. Make the API very high level and not at the SQL level so someone who wants to pirate your app needs to implement the logic in the protected backend.

It is futile to try to protect your PHP code that needs to run on servers you do not control. You would severely restrict your sales if you tried to distribute encrypted files in PHP. 

If you don't want to deploy your app's backend on your own servers (and making the service highly available to licensed clients), you could implement the backend in a compiled language (like Go). The backend portion of your app could expose the same REST API to the PHP portion of your app. It is easy enough to distribute your Go app in a docker container and have the Go app authenticate with a license key server that you control (on start up or periodically, like IPS does). You would need to make sure the app container could be deployed for high availability (multiple instances on customer's servers) and that the app would still work if unable to contact your license key server for a couple of days or weeks. Nothing worse for a site operator than to have a dependency on an external service that might not have 100% availability and fails on temporary outages.