Hi, I’m currently building a UXP plugin. How can I secure it so that users cannot access or view the source code? Are there any approaches besides code obfuscation?
It essentially comes down to which aspects you want to hide.
If you wanted to hide business logic, you could move that to either a backend (which you access in the plugin through an API using fetch()), or potentially a compiled WebAssembly package.
The thing is that, as long as you are in the realm of interpreted languages (such as JavaScript), while you are able to obfuscate the code (as you already mentioned), the (potentially obfuscated) code will always have to be stored in memory at some point (this is a bit oversimplified, but for the scope of this question, it works). So even if you had a mechanism where your plugin package was encrypted, there would be a potential option to read the code from memory during plugin execution.
It is essentially impossible to do this with plain UXP, specifically if you do not want/intend to have an online/connected service requirement (i.e. if the plugin should work “offline”). Anything written in JavaScript and deployed to a local system is essentially “open source”.
If you have certain algorithms you want to protect, you could write those in C++ and create a hybrid plugin, or go the extra mile and ditch UXP in favor of full native InDesign C++ plugins using the InDesign SDK. That in and of itself might not be good enough (LLMs can reverse engineer those as well), but with C++ you have more options in regards to deeper obfuscation, string encryption, etc. If you want to go even further, you can go to full-on encryption/decryption with a dongle.
If reliance on an external (off-system) service is an option, then just move all code that you want to protect there, use UXP just for UI+DOM, and communicate through an API with the backend for the business logic.
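The backend split described in the two replies above, sketched as an added example (not code from any poster in this thread): the plugin side only forwards parameters and a license key with fetch(), while the algorithm and the license check stay on the server. The URL, license key, function names and the column-width calculation are all constructed stand-ins.

```javascript
// Added example: every name, URL and key below is constructed for illustration.

// ---- Backend (runs on your server; never shipped inside the plugin package) ----
const ISSUED_LICENSES = new Set(["DEMO-1234-ABCD"]); // constructed; a database lookup in practice

// Stand-in for the proprietary algorithm you want to keep out of the plugin.
function protectedColumnWidths(pageWidth, columns, gutter) {
  const width = (pageWidth - gutter * (columns - 1)) / columns;
  return Array.from({ length: columns }, () => Math.round(width * 100) / 100);
}

// Request handler: reject unlicensed or malformed calls before running the logic.
function handleRequest({ headers = {}, body = "" }) {
  const key = (headers.Authorization || "").replace(/^Bearer /, "");
  if (!ISSUED_LICENSES.has(key)) return { status: 401, body: { error: "invalid license" } };
  let input;
  try { input = JSON.parse(body) || {}; } catch { return { status: 400, body: { error: "bad JSON" } }; }
  const { pageWidth, columns, gutter } = input;
  const ok = [pageWidth, columns, gutter].every(Number.isFinite) &&
    Number.isInteger(columns) && columns >= 1 && columns <= 24 &&
    gutter >= 0 && pageWidth > gutter * (columns - 1);
  if (!ok) return { status: 400, body: { error: "bad parameters" } };
  return { status: 200, body: { widths: protectedColumnWidths(pageWidth, columns, gutter) } };
}

// ---- Plugin side (the only code a user can read or deobfuscate) ----
const API_URL = "https://api.example.com/v1/column-widths"; // placeholder URL

async function requestColumnWidths(params, licenseKey, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(API_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${licenseKey}` },
    body: JSON.stringify(params),
  });
  if (!res.ok) throw new Error(`backend refused request: HTTP ${res.status}`);
  return (await res.json()).widths;
}

// Offline stand-in for the network so the example runs without a server.
async function localFetch(_url, init) {
  const { status, body } = handleRequest(init);
  return { ok: status === 200, status, json: async () => body };
}
```

Passing `localFetch` as the third argument exercises both halves in one process; in a real plugin the default `fetch` is used and only the plugin-side half ships to the user.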
Thank you for replying. But does InDesign support hybrid plugins?
We cannot move to server-side logic. Does this mean we cannot make commercial plugins?
Anyone can buy it, deobfuscate the code, and never buy it again.
Does this mean we cannot make commercial plugins?
Sure you can make commercial plugins, many people and companies do…
Anyone can buy it, deobfuscate the code, and never buy it again.
Anyone theoretically could - but 99% of people won’t, which is an important difference. The vast majority of Adobe users are creative professionals, not coders:
- They have better things to do with their time
- They don’t care
- They are not (that) technically inclined
- They don’t want to deal with the legal mess
My take: The best way to protect your products is through good customer support, license contracts and where necessary, legal means, not technical measures…
You are right that not all people know tech stuff.
If they have two options: 1) our legal plugin, which they pay for;
2) someone has cracked it or deobfuscated it, then rebuilt it using AI (it is easy nowadays), and shared it for free. Why will they choose the paid option?
Nearly ALL software, music, movies, etc. you can imagine has been “cracked” and is shared for “free” as we speak. Yet, the vast majority of people, and especially businesses, wisely choose not to use pirated (and illegal) software. There is no difference with your commercial plugin in that regard. If you offer a good product and premium support, (most) people will be willing to pay for it rather than going down a shady rabbit hole.
To be honest, the market for commercial plugins for InDesign is not that big to begin with, unless you’re targeting specific use-cases for specific clients, in which case proper contracts with copyright and terms of use would typically be more than sufficient.
Thanks for your help. Appreciate it.