Approaches to protecting Python code when sharing apps
Posted by Haunting-Shower1654@reddit | Python | 28 comments
It’s harder to protect code when distributing Python apps than compiled languages.
There are many possibilities, like packaging or obfuscation, but none are really user-friendly.
I’d be interested to hear how others do this.
JamzTyson@reddit
SaaS
scrapheaper_@reddit
If by 'protecting code' you mean 'hiding poor quality code' then yeah
JamzTyson@reddit
If by ‘hiding poor quality code’ you mean ‘not shipping the business logic to strangers’, then yes.
kamilc86@reddit
Compile the 2 or 3 modules that actually matter with Cython into .so files and leave the rest as plain pyc. Anything more and you spend weeks fighting Nuitka or PyArmor for protection that a determined reverse engineer breaks in an afternoon. Put the engineering effort into a proper license check instead: sign a token server side and verify it on startup. Obfuscation only filters out the people who were never going to buy anyway.
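The "sign a token server side and verify on startup" check from the comment above, as an added example that is not code from the thread or from any project. It assumes the `cryptography` package (Ed25519), a token layout of base64url(payload JSON) "." base64url(signature), and a vendor that keeps the private key on its licensing server while only the public key is embedded in the app, so a copy of the client can check tokens but never mint them:

```python
"""Signed license token, issued server side and verified when the app starts.

Added example for this thread, not code from any commenter or project.
Assumes the `cryptography` package (Ed25519). The vendor keeps the private key
on the licensing server; only the public key ships inside the app, so a copy
of the client cannot mint tokens, it can only check them.
Token format (an assumption): base64url(payload JSON) "." base64url(signature).
"""
import base64
import json
import time
import uuid

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_keypair():
    """Vendor side, run once: returns (private_key, public_key_hex_for_the_client)."""
    private_key = Ed25519PrivateKey.generate()
    raw_pub = private_key.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw
    )
    return private_key, raw_pub.hex()


def load_public_key(public_key_hex: str) -> Ed25519PublicKey:
    """Client side: the hex string is what you embed as a constant in the app."""
    return Ed25519PublicKey.from_public_bytes(bytes.fromhex(public_key_hex))


def issue_token(private_key, customer, days=365, machine_id=None, now=None):
    """Licensing server: sign a payload for one customer. Never ships with the app."""
    now = int(time.time()) if now is None else int(now)
    payload = {"sub": customer, "iat": now, "exp": now + days * 86400,
               "jti": str(uuid.uuid4())}
    if machine_id is not None:
        payload["machine"] = machine_id  # optional node locking
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64e(raw)}.{_b64e(private_key.sign(raw))}"


def verify_token(token, public_key, machine_id=None, now=None):
    """Client startup check: returns the payload, or raises ValueError.

    The signature is checked before any field of the payload is trusted, so a
    tampered expiry or customer name fails exactly like a forged token."""
    try:
        body, sig = token.split(".")
        raw, signature = _b64d(body), _b64d(sig)
    except Exception:
        raise ValueError("malformed token") from None
    try:
        public_key.verify(signature, raw)
    except InvalidSignature:
        raise ValueError("bad signature") from None
    payload = json.loads(raw)
    now = time.time() if now is None else now
    if payload.get("exp", 0) < now:
        raise ValueError("license expired")
    if machine_id is not None and payload.get("machine", machine_id) != machine_id:
        raise ValueError("license is bound to a different machine")
    return payload


if __name__ == "__main__":
    priv, pub_hex = generate_keypair()
    tok = issue_token(priv, "acme-corp", machine_id="host-1")
    print(verify_token(tok, load_public_key(pub_hex), machine_id="host-1"))
```

The point of the asymmetric key is that patching the client can only ever remove the check, not produce new valid tokens; that is also the limit of the scheme, since the binary is on a machine you do not control. Keep the expiry short enough that a leaked token is not a perpetual license, and treat the `jti` as something the server can revoke if you later add an online check.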
CoolAd119@reddit
Decide what actually needs hiding: push real IP to a backend/SaaS, leave the client as a thin, almost-throwaway shell.
nobrainer23@reddit
I'm making a python app and using nuitka to compile.
sausix@reddit
Do the executables run without problems on Windows SmartScreen? That's basically the only disadvantage when users have to click multiple times to run a binary from someone else.
So professionals and companies should use CodeSign to make their binaries trusted by Windows and AV software. Of course it's verification based, so it costs money.
nobrainer23@reddit
If you select onefile then the AV heuristics will quarantine it basically immediately. Standalone won't get picked up but you will need to click through SmartScreen.
So your choices for getting verified are signing, submitting to Microsoft for analysis or just running it a bunch of times iirc.
sausix@reddit
Various companies sell CodeSign certificates which are trusted by SmartScreen. There should be no need to submit software to Microsoft every time.
It's more like if you do harm with your signed software then they know which bell to ring. And the certificate would be revoked.
NoDesign4766@reddit
Been dealing with this at work and it's honestly such a pain. We ended up just accepting that determined people will reverse engineer anyway and focused more on making our licensing robust instead of trying to hide the code completely.
Obfuscation tools exist but they usually break something or make debugging a nightmare when things go wrong.
pplonski@reddit
yes determined people will reverse anyway, the other options are: 1. keep code on server, and make it available in SaaS model, 2. keep sensitive code in compiled language, for example c++
Tumortadela@reddit
Do your stuff as an API and grant access instead of sharing the code maybe
ArtOfWarfare@reddit
If your code is running on a machine that you don’t control, it doesn’t matter what language you wrote it in - someone can decompile and/or modify it.
If you’re selling to businesses, you could keep track of how many copies they’re running and threaten if you see them using more copies than you’ve sold to them.
If you’re selling to individuals… keep some critical parts on your own system, so they’re forced to call your server every time they run (and enforce that only people who have paid can use your app that way - reject requests to your server coming from unauthorized copies.)
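The "keep critical parts on your own system and reject requests from unauthorized copies" pattern above, as an added example that is not code from the thread or from any project. It uses only the standard library; the license table, the request layout, the per-copy secret and the body of `run_critical_step` are all constructed for the example, and in a real deployment the table is a database and the transport is HTTPS:

```python
"""Server-side gate for a thin client: the part of the product you do not ship
runs only for requests that carry a valid per-license credential.

Added example for this thread, not code from any commenter or project.
Standard library only. The license table, the request layout and the body of
run_critical_step are constructed for the example; in production the table is
a database and the transport is HTTPS.
"""
import hashlib
import hmac
import secrets
import time
import json

# Constructed table: license id -> per-copy secret issued at purchase, plus status.
LICENSES = {
    "lic-1001": {"secret": b"7d1e2b5c-constructed-secret-for-example", "active": True},
    "lic-1002": {"secret": b"aa90c3f1-constructed-secret-for-example", "active": False},  # revoked
}
MAX_SKEW_SECONDS = 300          # reject requests whose timestamp is too old or too new
_seen_nonces: set = set()       # replay cache; expire entries after MAX_SKEW in real code
AUDIT_LOG: list = []            # why each request was rejected (server side only)

WEIGHTS = {"a": 0.6, "b": 0.4}  # stands in for the logic worth protecting


def run_critical_step(params: dict) -> dict:
    """The business logic that never leaves the server (placeholder computation)."""
    score = sum(float(params.get(k, 0)) * w for k, w in WEIGHTS.items())
    return {"score": round(score, 3)}


def _signing_input(license_id: str, ts: int, nonce: str, body: str) -> bytes:
    # Bind the MAC to the license, the time, a one-time nonce and the body hash.
    return b"\n".join([license_id.encode(), str(ts).encode(), nonce.encode(),
                       hashlib.sha256(body.encode()).hexdigest().encode()])


def sign_request(license_id, secret, body, ts=None, nonce=None) -> dict:
    """Client side: every call to the server is authenticated with the copy's secret."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(secret, _signing_input(license_id, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"license": license_id, "ts": ts, "nonce": nonce, "mac": mac, "body": body}


def _reject(reason: str):
    # One generic answer for every failure: the caller learns nothing about
    # which check failed, the audit log keeps the real reason.
    AUDIT_LOG.append(reason)
    return 401, {"error": "unauthorized"}


def handle_request(req: dict, now=None):
    """Server side: (status, payload). Only a paid, active copy reaches the logic."""
    now = int(time.time()) if now is None else now
    lic = LICENSES.get(str(req.get("license", "")))
    if lic is None or not lic["active"]:
        return _reject(f"unknown or revoked license {req.get('license')!r}")
    try:
        ts, nonce, body = int(req["ts"]), str(req["nonce"]), str(req["body"])
    except (KeyError, ValueError, TypeError):
        return _reject("malformed request")
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return _reject("stale timestamp")
    expected = hmac.new(lic["secret"], _signing_input(req["license"], ts, nonce, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(req.get("mac", ""))):
        return _reject("bad mac")
    if (req["license"], nonce) in _seen_nonces:
        return _reject("replayed nonce")
    _seen_nonces.add((req["license"], nonce))
    return 200, run_critical_step(json.loads(body))


if __name__ == "__main__":
    req = sign_request("lic-1001", LICENSES["lic-1001"]["secret"], '{"a": 10, "b": 5}')
    print(handle_request(req))
```

Seat counting, the other suggestion in the comment, falls out of the same design: the server sees a license id on every call, so it can count distinct machines or concurrent sessions per license without any cooperation from the client binary.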
No_Soy_Colosio@reddit
No way to perfectly protect your code
wrt-wtf-@reddit
It’s the process that matters not so much the code.
maikeu@reddit
Shrug. Not really a good language if you care about hiding your code. The options that exist for pure Python have been mentioned but I don't think the Python community is generally going to be bothered by the fact this is hard to do well.
scrapheaper_@reddit
Is there something unique about your python code? What do you need to protect?
Haunting-Shower1654@reddit (OP)
Not anything super unique, more about not wanting the whole code to be easily readable when sharing the app.
scrapheaper_@reddit
Why not? Open source software is a common model, there are pros and cons of course, but there's no inherent problem with having your code public.
Is this in a commercial setting or for a personal project?
wRAR_@reddit
Why?
Trang0ul@reddit
What's wrong with distributing them as open source?
masher_oz@reddit
because some people want to maintain secrecy, make money, keep their IP... Lots of reasons.
wRAR_@reddit
There is no ideal solution for this if you want to distribute the executable.
Haunting-Shower1654@reddit (OP)
There is absolutely nothing wrong with that. It depends on the use case I suppose, sometimes you want to share the app without exposing the full code.
NotSoProGamerR@reddit
nuitka.
aloobhujiyaay@reddit
Cython or compiling parts to extensions can help but again it’s not bulletproof
gl_fh@reddit
I suppose it's worth having a think about what you're offering. Is it a super secret algorithm that must be kept hidden at all costs? Or is it a service/convenience etc.?
It's going to be difficult to shield yourself from a very determined person trying to decipher what it is you're doing, and it's probably worth thinking whether it's worth it.
Haunting-Shower1654@reddit (OP)
Yeah, that’s a good point. It's probably more a question of effort vs actual risk, not trying to make it impossible.