How to obfuscate or encrypt UXP plugin code for shipping?

Hello!

I would like for end users to install the UXP plugin I am developing by running custom installers that I develop for Windows and macOS.

What is the best way to package the UXP code and all its dependencies so that the end user avoids seeing any of the plugin’s code? Is there a best practice for obfuscating / encrypting / packing the code for installation by any user?

Thanks,

Arie

Read through this topic

Or try searching for “obfuscate”/“obfuscator”

Having core logic in a hybrid plugin would work the best. Reversing compiled C++ code is also possible, but much harder than in JS. It can be done in Photoshop, but not all host apps might support hybrid plugins. More secure to put logic on your server, but that is not always possible or practical.

Also… one of my clients asked me for extra layers of obfuscation. I told him if a hacker has a big enough incentive they will crack it anyway if they spend enough time with it. So I placed extra protection into the plugin and then we watched a warez forum where hackers struggled to crack it properly for weeks :smiley: eventually they did manage to bypass it… but they did not even remove telemetry… so it kept sending diagnostic data about all users who pirated it. :smiley:

4 Likes

@Jarda That is a funny story about the telemetry issue even after the hacking. They were probably high-fiving each other after they cracked it without even thinking of that.

It’s too bad there is no way to just make it into some kind of binary format.

Some of our app’s logic will of course be on the server, but not all of it of course, not even all of the core logic — it is impractical for many reasons as you state. Many studios airlock / seal / firewall their environments so that applications are unable to reach the wider internet.

Seeing your app on warez sites is definitely a sign that you have delivered real value! :smiley:

Thank you for the suggestions and guidance.

@Karmalakas Thanks for that — yes, I read that entire thread. I figured it’s just some obfuscation that will be all we can do.

There was more fun to that… because the plugin checked its own integrity they weren’t able to modify it for a few weeks. So they came up with a solution to start an Apache server and redirect communication to it. So they asked users to edit the hosts file; it worked on Windows, they had to install an Apache server and run it before each plugin use :smiley: :smiley: :smiley: Of course it was problematic and non-ergonomic and worked on Windows only. And people were complaining about the hack not working. Some hackers even suggested they could connect to that person’s computer to debug the hack :smiley:

Meanwhile, other pirates started selling that hack for about 5% of the original plugin price. Then they improved the hack and told others to buy their hack instead of the first one, and felt offended when someone was giving the hack away for free :smiley: :smiley: . Originally, it was placed on a file-sharing website I had never heard of before, which looked lame to me. And of course you had to pay to download the file. Which I refused :smiley:

Long story short… if you have network authentication, make some encryption against replay attacks. So none of the network messages could be used twice, even if encrypted.

What I did for a different client was to use C++ and an open source cryptography library and I encrypted the JS file. Decryption and authentication is fully in C++ and then it gets loaded into memory (still minified and obfuscated) without storing anything on the hard drive. C++ can also detect ports and active processes, so if you could detect the UXP debugger you could kill the Photoshop process. But that is kind of invasive and I am not saying that is something you should do. If not done right, developers would need to uninstall your plugin before debugging their own.

2 Likes

Watching thieves get into a fight over which crack is better is astoundingly funny. :joy: Talk about real karma!

Thank you again for the suggestions, I will definitely consider them!

Nothing is uncrackable, but layers of complexity make things harder to crack. Hackers love complexity as a challenge, as it is usually what they are looking for, the dopamine rush of cracking it, so the harder it is the more exciting it is. There are crackers who do it just for fun and others who do it as a “side-income” and sell pirated software, but some of them are very determined and they will dig until the last drop of code.

Code rotation, obfuscation and traps inside the code are what make this fun not only for them, but for us.

As @Jarda mentioned, it is fun to see crackers struggling in forums.

It’s not a battle, it’s a game. They crack, we learn new security layers. They can’t crack something and we learn a new security layer. Sometimes cracking is not bad for us, it teaches us our vulnerabilities as developers and boosts our security if we are willing to learn; it can be fun when you get used to it!

If your plugin is good, people will pay for it. People who don’t pay for it are people who won’t ever buy it, they cannot afford it, so they are not your clients. So it doesn’t matter if they use a pirated version; piracy does something good for software: EXPOSURE.

So if your software is being pirated, it means it is good and you are a creative software engineer. Security is another topic, but you did a great product that everyone wants, and that is cool.

Monetary side, well yeah, it feels like it affects you, but in the end, whoever is gonna pay for it is gonna pay, even if there’s a pirated version out there.

So obfuscate as much as possible, put some traps for hackers inside the plugin, you’ll start to see the fun inside this world.

4 Likes