Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Small and medium business | Business Central, N... / Source Code Security f...
Small and medium business | Business Central, N...
Suggested answer

Source Code Security for AppSource Apps

(1) ShareShare
ReportReport
Posted on by Tech-Lucky 822
Hi Experts,

I already know the process of protecting the source code for on-premise use by utilizing runtime packages. However, my question pertains to safeguarding my source code from appsource extensions. I am aware that signing the app using a code signing certificate and employing resource exposure policies are viable options. Nevertheless, it is still possible for the app file to be extracted, and the source code accessed using tools like WinRAR or Zip. Can anyone suggest additional measures I might be overlooking apart from these?
 
/resourceExposurePolicy/: {
    /allowDebugging/: false,
    /allowDownloadingSource/: false,
    /includeSourceInSymbolFile/: false
  }
Categories:
Dynamics 365 Business Central
  • Tech-Lucky Profile Picture
    Tech-Lucky 822 on at
    Source Code Security for AppSource Apps
     
    I did the same with my app and it was having AL files as well that's why I wonder if I missed something.
    But thanks for your support I will Try again may be this is something related to my codesigning.  
  • Suggested answer
    YUN ZHU Profile Picture
    YUN ZHU 78,034 Super User 2025 Season 1 on at
    Source Code Security for AppSource Apps
    Hi, I don’t know if you have tested it. Generally, as you mentioned, partners basically have the following settings.
        /allowDebugging/: false,
        /allowDownloadingSource/: false,
        /includeSourceInSymbolFile/: false
     
    So this doesn't work either.
    For example, I randomly downloaded a free app. Add the dependencies attribute and download the symbol file.
     
    You can decompress this file, but you will get some xml files below and you cannot see the al file.
     
     
    If it could be copied so easily, I don't think any partner would choose to put the apps on AppSource.
     
    Thanks.
    ZHU
  • Tech-Lucky Profile Picture
    Tech-Lucky 822 on at
    Source Code Security for AppSource Apps
     
    I know users can't download it, but a partner can use my app as dependency and download it as a symbol then it should not be extracted. 
  • Suggested answer
    YUN ZHU Profile Picture
    YUN ZHU 78,034 Super User 2025 Season 1 on at
    Source Code Security for AppSource Apps
    Hi, For SaaS customers, those who have installed your AppSource application cannot download it on the extension management, and users cannot directly obtain the app file, so users cannot decompress it.
     
    For On-Pre customers, you can send them Runtime Packages, which cannot be decompressed.
    More details: Runtime Packages for Dynamics 365 Business Central On-Premises (Protect the intellectual property represented by your AL source code)
    https://yzhums.com/17327/
     
     
    Hope this can give you some hints.
    Thanks.
    ZHU
  • Tech-Lucky Profile Picture
    Tech-Lucky 822 on at
    Source Code Security for AppSource Apps
     
    I attempted to set applyToDevExtension to false as well, but that also did not work.
    Let me clarify my issue once again: I am encountering the same validation error while downloading the source code from the extension management page, as     Mohamed Amine Mahmoudi  shared in the screenshots. However, the problem persists when I receive the AppFile as Symbols in .alpackages; I am still able to extract that app file using WinRAR software, and all the source code remains exportable.
     
  • Suggested answer
    Javier.Armesto Profile Picture
    Javier.Armesto 14 User Group Leader on at
    Source Code Security for AppSource Apps
    With this configuration, your IP must be protected. In addition, you must have careful with this https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-security-settings-and-ip-protection#when-can-code-be-viewed-even-though-the-allowdebugging-flag-is-set-to-false 
    More information here: https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-security-settings-and-ip-protection#the-properties-of-the-resource-exposure-policy:
  • Suggested answer
    Mohamed Amine Mahmoudi Profile Picture
    Mohamed Amine Mahmoudi 15,816 Super User 2025 Season 1 on at
    Source Code Security for AppSource Apps
    Hi @Tech-Lucky,
     
    I think you did the right thing because you put in the right properties. 
    to be sure try to install the app in another environment then redo the download 
    it's true you can show the button Download Source enabled.
     
    but when clicked you have this error message
     

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Daivat Vartak – Community Spotlight

We are honored to recognize Daivat Vartak as our March 2025 Community…

Announcing Our 2025 Season 1 Super Users!

A new season of Super Users has arrived, and we are so grateful for the daily…

Kudos to the February Top 10 Community Stars!

Thanks for all your good work in the Community!

Leaderboard

#1
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 292,516 Super User 2025 Season 1

#2
Martin Dráb Profile Picture

Martin Dráb 231,436 Most Valuable Professional

#3
nmaenpaa Profile Picture

nmaenpaa 101,156

Leaderboard

Featured topics

Product updates

Dynamics 365 release plans