Security feature to prevent sharing paid plugins?

Just about finished building my first Photoshop plugin. So far everything works perfectly. I had a question about adding a layer of security to a paid plugin besides a JavaScript obfuscator. Do I need more security for a paid plugin in the marketplace to prevent plugin sharing? What do you use and is it easy to implement? Been reading the forum for the past two weeks and I am going in circles.

A plugin can easily be pirated if someone changes the plugin ID in the manifest. I personally have the implementation of that ID check in the obfuscated part of the code.

Karmalakas Interesting, I didn’t know it could be done. Could you show the code string to add?

Sorry, but I won’t share my code for my own plugins’ security reasons. Anyway, it’s a bit complex, so it would be more difficult to find strings in the obfuscated code. Just come up with your own ID check logic and add it somewhere at the beginning of the plugin load. If the check fails, you can show some message and prevent the plugin from functioning. That part will get obfuscated.

OK, thanks for the reply.

I have an idea that I am working on but had a few questions about how to do it for security’s sake.
Is there a way to listen for a click on a specific button in a webview from a panel?
Can that same button when clicked in a webview open a div in the panel?
Any ideas how to do this, if it can be done?

Think about it as activating a plugin “div” from a page in webview.

Not sure I understand how this would help protect the plugin. A pirated plugin would still have the same webview with the same button, wouldn’t it?

Not if the page was a PHP page in the webview that only subscribers would have access to. Might be a little more challenging.

Are you saying that after a user has bought a plugin on the marketplace, they would still need to subscribe to get it working? :thinking: If I’m honest, I would just ask for a refund if after buying I would be greeted with some registration form.

Ok it’s confusing, a free to download plugin but you register it with an activation code they buy. When the code verifies then a button pops up in the webview that activates the open div and close div with webview. The serial number goes with the email login.

There is a problem with how this is “advertised” on Marketplace. It says Free or Free* so anyone can get the plugin. But then you ask them to pay and it does fail their expectation and they feel baited. Only users who acquired the plugin can rate it. In the case of free plugins that is everyone. So this is a recipe for a lot of bad reviews. Adobe should use Paid* instead of Free*.

3 Likes

Forget the marketplace for a second, it’s just a concept for a security process. The real question is can you listen to a specific click in a webview to trigger a div to open and another one to close.

Yes, with the right set of several permissions in the manifest and maybe the webview, that should work. You should use postMessage to send messages between UXP and the webview.

OK, so in such a case there’s not much use for some additional security - IMO login is enough. Although credentials can be shared, so you should probably check how many users of the same email are at the same time. In such a case you should disclose tracking of users.

Thanks, postMessage could be the answer, I have to see how I can edit my script.

The attacker could possibly spy on server communication and then set up their own fake server to provide a fake reply… or try to debug the plugin to see which boolean value/condition would unlock the interface and change it… So you could add a timestamp into the encrypted server reply so they would be able to record the reply and just replay it every time. And you could also try a plugin integrity check to see if the code was changed… but if you publish on Marketplace… I believe that this is done for you… but you still have to keep checking the plugin ID.

There is no real easy way to protect a plugin from being pirated.

I haven’t been checking Photoshop for a while… but isn’t it pirated every year again and again? And that is an international billion-dollar company with the world’s best brains… Most of the time it is mainly about how much time or money the attacker is willing to spend. So if the cracking of your protection would take more than 5-7 days …I guess you are fine :smiley: Unless you have something very very good.

There is only so much you can do for security.
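An added example (not code from any poster in this thread) of the server-reply checks discussed above: the reply is bound to the plugin ID, to a per-request nonce and to a timestamp, so a recorded reply or one from a fake server is rejected. It uses an Ed25519 signature rather than encryption, runs under Node.js for demonstration, and all names, the key pair and the two-minute window are assumptions; it does not stop someone from patching the check itself out of the plugin.

```javascript
const crypto = require("node:crypto");

const MAX_AGE_MS = 2 * 60 * 1000; // assumed freshness window for a reply

// Constructed stand-in for the licence server's key pair. A real plugin
// would embed only the public key; the private key stays on the server.
const serverKeys = crypto.generateKeyPairSync("ed25519");

// Hypothetical server side: sign the plugin ID, the client's nonce and a timestamp.
function serverSignReply(request, nowMs) {
  const payload = JSON.stringify({
    pluginId: request.pluginId,
    licensed: true,
    nonce: request.nonce,
    issuedAt: nowMs,
  });
  const sig = crypto.sign(null, Buffer.from(payload), serverKeys.privateKey);
  return { payload, sig: sig.toString("base64") };
}

// Client side: every licence check carries a fresh random nonce.
function newRequest(pluginId) {
  return { pluginId, nonce: crypto.randomBytes(16).toString("hex") };
}

// Client side: returns "ok" or the reason the reply was rejected.
function checkReply(reply, request, publicKey, nowMs) {
  let valid = false;
  try {
    const sig = Buffer.from(String(reply.sig), "base64");
    valid = crypto.verify(null, Buffer.from(String(reply.payload)), publicKey, sig);
  } catch {
    valid = false; // malformed input counts as a failed signature
  }
  if (!valid) return "bad-signature";
  const body = JSON.parse(reply.payload); // parsed only after the signature holds
  if (body.pluginId !== request.pluginId) return "wrong-plugin";
  if (body.nonce !== request.nonce) return "replayed";
  if (Math.abs(nowMs - body.issuedAt) > MAX_AGE_MS) return "stale";
  return body.licensed === true ? "ok" : "unlicensed";
}
```
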

Hopefully we can get Martin (an Engineering Manager) to join this forum soon. Meanwhile, he passed along this method of adding another layer of security:

Our payment vendor FastSpring offers an extra layer of security to a paid plugin through license codes. When set up, purchasers will receive a unique license code in their receipt email to ensure your plugin is unlocked only by them. Use the following link to learn how to generate and upload a License Fulfillment (large list of unique license codes) for your new plugin.

Add a Fulfillment to your Product | FastSpring Classic Documentation

We recommend you submit your Plugin listing for Adobe as “Manually publish later” so that once approved by Adobe you can create and upload the license codes through FastSpring before you publish your listing. For FastSpring questions about fulfillment codes: support@fastspring.com

Also note that you should create a large number of license codes because when they run out, you will have to contact Adobe to manually upload additional license codes. ccintrev@adobe.com

In that documentation there’s a POST method description, too.

1 Like