php – protecting adobe air apps-ThrowExceptions

Exception or error:

I am about to deliver an Adobe AIR app to a customer.
But it’s my first delivery of any sort, I.e. I have
no experience whatsoever with licensing etc.

Users of this app may or may not be online, so
can’t count on that. In fact it’s 99% sure that
they will be offline.

Nor do I expect them to very tech-savvy, who will
spend enough time scouting for ways to “crack” it.

So, is there an okeish type of way to protect this
app. That is, I don’t want people to simply copy
the installation folder, take it to another machine
and run it. It should be slightly harder than this.

Oh, and I am also using PHP and MySql, with which
this AIR app communicates. So anything you guys could
help me with is very very welcome.

How to solve:

protect the php api and not the frontend app. have a license key which is bound to an ip address and authenticate the request (which contains the key) is coming from the correct ip.


If you want to protect your Flex app you can use irrObfuscator. There is a 30 days free demo.

If you wish to obfuscate your PHP code I would suggest ioncube. There is an online obfuscator that you can pay per à-la-carte. Pretty usefull. Tho you need ioncube loaders which is a set of PHP extension that you will find into the products section. Not sure but I think you can install loaders without playing with PHP config so it’s shared-hosting friendly.


You can not protect anything that’s webbased or javascript based, purely because there is complete sourcecode.

Anyone who knows how to use ‘right click’ could copy your files. You can obfuscate your code, but you cannot protect it. If you think that this shouldn’t be possible, write a desktop app in a ‘real’ programming language.


When the app installs, I would do the following:

  1. Create a file in “app-storage” that basically indicates the app has been installed.
  2. Fire off a service call and make a record of the install
  3. Change a file in the app directory to indicate the app has been installed

On subsequent startups, check for the presence of the file as long as the file in the app directory indicates the app has been installed. If you see the customer keeps installing their app over and over, this could be flagged in their account and appropriate action taken. If you want to get fancy, the file in “app-storage” could a one-way hash of some information from the file in the app directory (install date?) plus some value baked into the AIR application.

In general, I think the key here is to trust your users and not make the assumption they are trying to steal. You want to make the system as painless as possible. It does not build a good relationship with customers when you treat them like criminals, so creating an “ironclad” approach probably isn’t even the best idea.


I think pretty much the only good way to do this is to require activation after installing (online activation, with a phone backup).

From what you’re saying, it seems like the backend is installed on-site and would not be able to provide adequate copy protection.

Leave a Reply

Your email address will not be published. Required fields are marked *