I'm almost through writing my Photoshop panel and started thinking about how I can make sure my panel is secure and can't be stolen without payment.
To solve the latter part I am doing authentication and plan to use Photoshop storage to store some secure fields. This is probably not the ultimate solution, but should scare off some of the impromptu-hackers.
The main problem I have now is that the panel is still distributed as plain files with code and HTML. So technically anybody could modify them, read them, learn about my secure variables and then make a "fix" to avoid authentication.
How can I ensure that my code is safe and users can't read it?
I can't distribute via Marketplace because most of my audience is on Photographer Plan that doesn't give access to Marketplace.
Hi,
I wouldn't advise using PS storage (either CEP localStorage, or PS registry): local storage is easily purged, and PS registry gets restored to a pristine state when Preferences are reset. A good old hidden file in the filesystem – even better if encrypted – is preferable IMHO.
Speaking instead about obfuscation, you can use JSXBIN followed by JsxBlind by Marc Autret (see Indiscripts :: JsxBlind's New Version for ExtendScript Developers) for the scripting code. On the JS side, there are several free and paid alternatives – among them JavaScript Obfuscator Tool and https://javascriptobfuscator.com/. These will make the job as hard as it gets for those willing to reverse engineer your code.
Hope this helps,
Davide
As long as it's not easily possible to read and modify what is inside the PS registry (I am using the setCustomOptions method) it should be fine – the user has to authenticate the panel before first use and that's what is saved to the registry, so cleaning the registry will require the user to authenticate again.
I'll take a look into scripts, but the main problem is that keys for PS registry properties (or a hidden file, even, unless it's something really elaborate) will have to be in raw strings, so even with code obfuscation it should be possible to figure them out. And then write a separate script that will be hacking mine, or anybody else's.
Does Adobe allow some secure packed archive for panels instead of RAW unpacked folder? I'm pretty sure that Marketplace-distributed extensions are not put to extensions folder in RAW unpacked format. Also, all this signing routine that we have to do, what is it for if I am not distributing via Marketplace?
Hi,
if you obfuscate your code (for instance as I've suggested), that would prevent prying eyes from successfully reverse engineering your protection – whatever you decide to use.
Adobe doesn't allow secured archives – the ZXP that is downloaded in the background via the Adobe Add-ons website, and deployed via the CC app, results in the same set of folders and files that you'd distribute yourself. The only difference is that you cannot unzip the ZXP because it's encrypted with some CC user based key, but the resulting folder is plain readable (unless you obfuscate it).
Just to add a bit more info.
I have used this small lib GitHub - runegan/jsxbin: Convert jsx ExtendScript files into jsxbin files using ExtendScript Toolkit
and wrote a script to build my panel with following logic:
1. clean build folder
2. copy panel to build folder as it is
3. remove all jsx files from build folder
4. run jsxbin putting results into appropriate part in build folder
5. rename jsxbin to jsx
6. sign panel
Didn't yet apply jsxblind – I think it wasn't running for me or something, will spend more time on it later
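The six build steps listed in the post above, as an added Node.js example that is not the poster's own script. `compile` and `sign` are hypothetical synchronous hooks for the JSXBIN converter and the signing tool, and the check before signing is an addition that assumes compiled JSXBIN files begin with the `@JSXBIN@` marker.

```javascript
const fs = require('fs');
const path = require('path');

const isJsx = (f) => path.extname(f).toLowerCase() === '.jsx';

// Recursively list every file under dir.
function walk(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    return e.isDirectory() ? walk(p) : [p];
  });
}

// .jsx files under dir that do not start with the @JSXBIN@ marker, i.e. readable source.
function findPlaintextJsx(dir) {
  return walk(dir).filter((f) => isJsx(f) &&
    !fs.readFileSync(f, 'utf8').trimStart().startsWith('@JSXBIN@'));
}

// compile(srcFile, outFile) and sign(buildDir) are hypothetical synchronous hooks:
// wire them to your JSXBIN converter and your signing tool.
// Assumes buildDir is not located inside srcDir.
function buildPanel(srcDir, buildDir, compile, sign) {
  fs.rmSync(buildDir, { recursive: true, force: true });   // 1. clean build folder
  fs.mkdirSync(buildDir, { recursive: true });
  for (const src of walk(srcDir)) {
    const dest = path.join(buildDir, path.relative(srcDir, src));
    fs.mkdirSync(path.dirname(dest), { recursive: true });
    if (!isJsx(src)) {                                      // 2+3. copy everything except .jsx
      fs.copyFileSync(src, dest);
      continue;
    }
    const bin = dest + 'bin';                               // main.jsx -> main.jsxbin
    compile(src, bin);                                      // 4. compile into the build folder
    fs.renameSync(bin, dest);                               // 5. rename .jsxbin to .jsx
  }
  const leaks = findPlaintextJsx(buildDir);                 // added check, not in the post
  if (leaks.length) throw new Error('plaintext ExtendScript in build: ' + leaks.join(', '));
  sign(buildDir);                                           // 6. sign only a verified build
  return walk(buildDir).map((f) => path.relative(buildDir, f)).sort();
}
```

Because the renamed files keep the `.jsx` extension, the header check is the only thing that tells a compiled file from source that slipped through uncompiled.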