I’ve been writing software for many years and 2 decades ago I used to think along the lines that you’re describing and try and work out ways to protect my software.

To answer your question: Software protection is done through encryption and obfuscation just like data protection. The shortfalls, as you described, is that much code is very difficult to protect and usually relatively easy to reverse engineer.

One way to protect your code (from decompiling) is to never release a compiled version of it and always run it from a server and your consumers use a client such as a browser. That does not however protect you from reverse engineering.

The defense, in my opinion, is to not waste cycles (time/money) trying to protect your code but rather be continually innovating and adding more value to your product over time. If a competitor got hold of your code and took (say) 1 month to decompile it and released a competing product then you should be a step ahead of them with your next feature or next product by that time.

Spending time and effort to block out your competition by keeping everything secret would be better spent by encouraging your team to be innovative and stay ahead of the competition.

In my opinion, before asking how, you should be asking whether it’s needed and/or worth it.

I think in many cases, it isn’t.

People are (understandably) quite paranoid about other people stealing their codez. But is this fear rational? I think it usually isn’t.

Is your app really so awesome that somebody would go to the trouble of reverse-engineering it? (Sorry, but probably not – as you said, you’re a new developer. And even if you weren’t… there are many very talented devs out there)

Would reverse engineering (to the point of getting usable and complete source code) be so much easier than just writing a competing product? (Very probably not)

How maintainable do you think such a program would be? (Probably not very)

There are many, many things to worry about before having to worry about protection from rip-off artists. Not the least is getting a viable and attractive product into the market in the first place.

For completeness’ sake I should add that there are obviously good reasons for trying to protect certain kinds of software, or certain parts of many common pieces of software, but generally, I think trying to protect your code is mostly a waste of time better spent on making the product better.

Unless you software is pretty devious internally I am sure any competent programer could replicate the behavior of your programs in about the same time as you took to write it!

So spending a lot of effort on keeping your code secret is usually just wasting time and effort.

Some algorithms do need to be kept secret for instance google’s page rank algorithm is only useful if scammers don’t know how to promote a rubbish page to the top of the search, or, an automated trading system which could be manipulated by a competitor. But this situation is pretty rare.

Software giants like SAP and ORACLE sell many packages based on the fact that everybody knows exactly what they do; “GAAP compilance” or “Embodies Best Business Practice” in marketing speak.

But do not lose heart, testing is at least 50% of the effort of programming and probably adds 80% of the value; you cannot reverse engineer a decent set of tests.

If the software is in the client machine, all you can do is delay the inevitable.

Obfuscation and encryption only makes the task of disassembling harder. If you are going that path, you probably want to reach a point were the they will decide “ok, screw this, I’ll implement from scratch because it will take less time”. Although, in practice it is very hard (if possible) to reach that point… as others has pointed out most mayor companies don’t reach that point.

On the other hand, maybe attackers don’t want to create an alternative product! (If what they wanted was to compete with you, then all that there is to it is to stay ahead of the competition and stop worrying.)

In practice there has been an actual arms race is in techniques to mod and prevent modding of software. This happens when you decide to add protection from unwanted copies by adding restriction to your software. If you do that, then all of the sudden you will have a bunch of people willing to modify your product to remove those restrictions without paying. This is even more common than a third party replicating your software, you see it from games (for example the “No CD” patches) to illegal activation of Operating Systems (cough Windows cough), antivirus software, and others.

As said, this is an arms race. You say: Anti-A, and they invent A+1, you say Anti-A+Infinity and they say B. It’s like a game of whack-a-mole: they will always find a way to keep popping up until you get tired. You can also think of it as a game of Tetris, you are trying to build a perfect wall without holes… but we all know that there is only a way to finish the game of Tetris (At least the original Tetris): you lose.

So, since they want to mod you software the make patches or patchers software that we call “cracks”.

Things may start to look scary when you they start to make cracks. It is common for antivirus companies to add those fake versions of programs to their database. As countermeasure the those who distribute those pieces of software will suggest to disable antivirus… result: a bunch of people running software with the antivirus disabled. You will never know when will they take that opportunity to put actual malicious software in there…

And yes, it affects you. It means less sells for you. On one hand because people use the cracks and on the other because the cracks damages your image.

Since all this problem comes from running code in the client, a common approach is to drive the activation of copies through a server. But the client needs to remember if it is activated…

From the attacker standpoint most of the cases look like an “if” branch that says:

   If (Software is Activated) do this Else do that.

All they have to do to unlock your application is to inject some code to negate the verification. So, things like testing the hash of your files to see if they are the originals wont work.

Of course this can be mitigated, take a look to Hash-And-Decrypt, and similar techniques that may actually give some headache to the attacker.

So… ¿Do you want a definitive solution? ¿Something 100% secure?

There are two options:

1. Never run your software in the client’s machine. Run only on your own servers.

2. Give the software as free and open source. You can add a good legal license, and it will be easy to show that any other software there is a copy. Drive money from something else, like:

   2.1. Selling installation and support.

   2.2. Additional products.

   2.3. Remote “Cloud” execution computing services.

It all point to Hardware and Cloud. it is not rare that all mayor companies are “moving to the cloud”.

This question depends a lot on who your clients are.

If you are selling business to business, it should be fairly easy to prevent competitors from even getting compiled code. The easiest way to deal with this kind of situation is with strong contractual wording. With IBM Cognos (major business intelligence product like SAP), a license key isn’t even used. They do somethings like code obfuscation but they, mostly protect their product with layers.

This is obviously harder with business to person type situations. You probably can’t control who has access to the software. The other posters have some good solutions with regards to this.

Whenever you want to protect something you have to think about which threads you want to defend against.

1. Do you have secrets that you want to protect?

2. Do you want to protect against software piracy by private
   individuals?

3. Do you want to protect a company from competition.

As far as 1. goes, if you have secrets post the software that deals with them on your own server and do SaaS.

As far as 2. goes, it’s probably not worth your while to invest into protection as the protection of all software gets broken.

As far as 3. goes the danger isn’t straight reverse engineering through code but someone reprogramming your idea. If you want to protect against that you would need to go the expensive road and buy patents.