Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Protection of our ABAP and JAVA code

Former Member
0 Kudos

Dear all,

We are sap partner, and we develop the REFX add-on.

Now we have a first client and we want to protect our ABAP and JAVA code.

Is it possible to do this?

We would like to achieve:

When any customer activates our code then somehow we have to

activate/track it to track number of activation.

Any help will be good.

7 REPLIES 7

Former Member
0 Kudos

Hi,

I don't know for Java but for ABAP, I think the only possible protection is the signed contract between you and your customer.

Any technical measure will be possible to be deactivated because it runs on the customer's system where you can't prevent the customer to use the debugger.

We just had the case with one of our consultancy partner which installed its abap utilities on our ECC6 system and when we discovered that the abap source code was protected, told us that it was necessary to protect their exclusive technology.

I hated the fact to have unknown abap source code running on our production ECC6 system in the near future. So I had a look on the developement system and with the help of the debugger it took us half an hour to find the user-exit in SE38 and to deactivate it... So much for source code protection....

If the vendor does not trust its customer why should the customer trust the source code of its vendor ?

Regards,

Olivier

0 Kudos

Completely agree with you, particularly if they do not tell you that there are hidden routines in the code.

I have on a few occasions also had fun breaking them open and then holding them to randsom about the contents - which are not always kosher...

Sending mails "back home" is one such example.

Good code also comes with good config and support and cool new features with upgrades - trusted (and happy) customers want to pay for that support if the software adds value.

SAP can also be broken, but you won't get very far with it and good luck supporting it...

Cheers,

Julius

martin_voros
Active Contributor
0 Kudos

Hi,

usually languages running on top of vm (both Java and ABAP are running on top of vm) are easier to reverse engineer. But there are some obfuscators for Java. I know that it has some impact on things which you can use so you have to be careful with your code. ABAP is a pretty closed platform controlled by SAP so I don't know about any obfuscators for ABAP.

Personally, I believe in open source and that's of the reasons why like ABAP. You can always check code for security or any other issues. I know that it can be really hard in SAP space for small vendor but I think your business should not rely on hiding your code. It should rely on providing value to your customers.

Cheers

Former Member
0 Kudos

Hi,

one rather common approach is to call a routine like

lv_active = THIS_SOFTWARE=>ACTIVE( ).

IF lv_active is initial. return. endif.

This check should be done at any starting point of programmes/modules.

The routine THIS_SOFTWARE=>ACTIVE( ) itself contains hidden code and reads information or code that was inserted by typing in a license key.

Only the code to store licence-key information and the check routine is hidden. This should be used for any of your SAP products and therefore has to be created only once.

The rest of the code should remain visible for quality checks of your customers - as the original system is your sys any change would be a modification. You may want to make sure in the contract that those are not allowed without your permission.

Some customers may still ask for a formal confirmation or even an external audit confirming that the hidden code does not include any harmfull code.

Note: Hidden code is neither editable or visible in the Debugger. It has to be stored locally (for each version). On changes it has to be fetched from local store changed and hidden again. So you want to be carefull with this! Bestthing is to store a visible copy - you have to use a programme since 4.6 or 4.7 to hide code anyway,

Kind regards,

hp

Edited by: Holger Pakirnus on Sep 7, 2011 6:44 PM

0 Kudos

That would be very easy to comment out using the modification assistant.

Even if the routine has export parameters which the program needs to run, you can catch them in the debugging tools and then hardcode them.

With a relatively small effort you can break open hidden includes or reverse engineer them.

An external server program which returns parts of the program would alo need an import interface for it, which might be a hazard in itself or make the program unstable for those who did you the license.

You cannot realistically protect IP in ABAP.

What you can do is provide very good support and cool features in updates and ensure that the trust basis has a hard enough penalty in the contract if breached.

Most companies I know will anyway not install anything without a software contract to protect them.

Cheers,

Julius

0 Kudos

"That would be very easy to comment out using the modification assistant.

Even if the routine has export parameters which the program needs to run, you can catch them in the debugging tools and then hardcode them."

- true. Private people might do this. The vast majority of companys won't go that far. And no decent programmer as well. Most of us are bound to compliance rules strictly.

With a relatively small effort you can break open hidden includes or reverse engineer them.

- well, reverse engeneering is possible. But how to break up hidden includes? I found no way till today except uncompressing transport files (and that is NOT small effort).

Kind regards,

hp

0 Kudos

My point was that if someone is determined, then they usually will.

The "cost" of "breaking" trust is IMO more than the "benefit" of hidding something.

Besides, the @@.. trick is not supported nor documented and may well be removed from the ABAP keywords without notice...

Cheers,

Julius