Skip to main content
A
AverinAAA
Inspiring
November 18, 2017
Answered

Secure panel distribution

  • November 18, 2017
  • 1 reply
  • 1290 views

I'm almost through writing my photoshop panel and started thinking on how can I make sure my panel is secure and can't be stolen without payment.

To solve the latter part I am doing authentication and plan to use photoshop storage to store some secure fields. This is probably not the ultimate solution, but should scare off some of the impromptu-hackers.

The main problem I have now is that panel is still distributed as plain files with code and html. So technically anybody could modify them, read, learn about my secure variables and then make a "fix" to avoid authentication.

How can I ensure that my code is safe and users can't read it?

I can't distribute via Marketplace because most of my audience is on Photographer Plan that doesn't give access to Marketplace.

This topic has been closed for replies.
Correct answer Davide_Barranca12040269

Hi,

I wouldn't advise using PS storage (either CEP localStorage, or PS registry): local storage is easily purged, and PS registry gets restored to a pristine state when Preferences are reset. A good old hidden file in the filesystem – even better if encrypted – is preferable IMHO.

Speaking instead about obfuscation, you can use JSXBIN followed by JsxBlind by Marc Autret (see Indiscripts :: JsxBlind's New Version for ExtendScript Developers) for the scripting code. On the JS side, there are several free and paid alternatives – among them JavaScript Obfuscator Tool and https://javascriptobfuscator.com/ These will make as hard as it gets the job for those willing to reverse engineer your code.

Hope this helps,

Davide

1 reply

Davide_Barranca12040269
Davide_Barranca12040269Correct answer
Legend
November 20, 2017

Hi,

I wouldn't advise using PS storage (either CEP localStorage, or PS registry): local storage is easily purged, and PS registry gets restored to a pristine state when Preferences are reset. A good old hidden file in the filesystem – even better if encrypted – is preferable IMHO.

Speaking instead about obfuscation, you can use JSXBIN followed by JsxBlind by Marc Autret (see Indiscripts :: JsxBlind's New Version for ExtendScript Developers) for the scripting code. On the JS side, there are several free and paid alternatives – among them JavaScript Obfuscator Tool and https://javascriptobfuscator.com/ These will make as hard as it gets the job for those willing to reverse engineer your code.

Hope this helps,

Davide

Davide Barranca - PS developer and authorwww.ps-scripting.com
A
AverinAAAAuthor
Inspiring
November 22, 2017

As long as it's not easily possible to read and modify what is inside PS registry (I am using setCustomOptions method) it should be fine – user has to authenticate panel before first use and it's what is saved to registry, so cleaning the registry will require user to authenticate again.

I'll take a look into scripts, but the main problem is that keys for PS registry properties (or hidden file, even, unless it's something really elaborate) will have to be in raw strings, so even with code obfuscation it should be possible to figure them out. And then write a separate script that will be hacking mine, or anybody elses.

Does Adobe allow some secure packed archive for panels instead of RAW unpacked folder? I'm pretty sure that Marketplace-distributed extensions are not put to extensions folder in RAW unpacked format. Also, all this signing routine that we have to do, what is it for if I am not distributing via Marketplace?

Davide_Barranca12040269
Davide_Barranca12040269
Legend
November 22, 2017

Hi,

if you obfuscate your code (for instance as I've sugged), that would prevent prying eyes from successfully reverse engineer your protection – whatever you decide to use.

Adobe doesn't allow secured archives – the ZXP that is downloaded in background via Adobe Add-ons website, and deployed via CC app, result in the same set of folders and files that you'd distribute yourself. The only difference is that you cannot unzip the ZXP because it's encrypted with some CC user based key, but the resulting folder is plain readable (unless you obfuscate it).

Davide Barranca - PS developer and authorwww.ps-scripting.com
Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices