How to protect a module's source code so that others cannot open it?

Dear OutSystems community,

I developed an OutSystems app and want to protect its source code. I want unauthorized developers to see the message below in the Service Studio IDE:


My questions:

1. How can I achieve this in my client's OutSystems tenant? I developed the app and want to install it in their tenant, but I don't want them to be able to open and edit it.

2. Is it possible to achieve this within my own tenant? If I hire a contractor to work on module A, and module A depends on module B, I want the contractor to be able to use exposed methods from module B but be unable to open the entire source code.


Thanks for your help.

Regards,

George

Hi George,

As far as I know, this isn't possible. Features like IPP can help you ensure that the module is only installed and used on a specific environment, and you can also use permissions within Service Center in order to block module access to specific developer accounts, but there's nothing that will allow you to prevent everyone in an environment from opening your module.

I believe that the moment you upload it to the OutSystems environment, anyone with database access can query the Espace_Version entity and download the binary for your module.

My recommendation is to not rely on source code secrecy or obfuscation - the moment you create something within an environment, assume that anyone that has access to that environment can (with more or less effort) open and view the contents of your module.

Hi Afonso,


Thanks for the reply. I am participating in an OutSystems EAP program, and some modules I received from OutSystems, even though I published them to my tenant, I could not open in Service Studio. I get an error message like the screenshot I uploaded in my original post. Hence, I believe there is a way that I could publish my application to my client's tenant but prevent them from opening my apps so that I can protect my IP.


On the other hand, I am also looking for a way to secure certain apps in my own tenant and prevent contractors from opening them. My use case is that I have an API-only module already. I want to hire a contractor to work on the UI module. He will be able to use the exposed server/service actions in the UI module but not have permission to open the API module.


Regards,

George Qiao

Solution

OutSystems can indeed protect access to their own developed modules - Service Center is itself an OutSystems application, and there's no way to legitimately open it as a module. But whatever mechanism is used is not available to the general public.

This is why I don't think it's possible to protect modules once they leave your environment - but this changes if you control the environment.

For your second case, you can secure your applications and make it so that your contractors only have reference permissions for specific modules - this way they can consume logic/UI from a module, but not open/change/publish it. 

When you open Service Center, find the Administration tab, and open the Users list. You'll see something like this - it's a screenshot of the personal environment, but the enterprise environment should look similar:

By selecting the espaces tab, you can give fine-grained permissions of specific modules to certain users. You can make it so your contractors can only reference your protected module.

Note that while this might be enough, it is still important to protect other points of entry. If the contractor has direct access to your database or can access the Espace_Version table, it is still possible to download a binary for your module.


Thanks very much, Afonso. This really helps. 

Regards,

George Qiao