Source Code Security for AppSource Apps

Posted on by 815
Hi Experts,

I already know the process of protecting the source code for on-premise use by utilizing runtime packages. However, my question pertains to safeguarding my source code from AppSource extensions. I am aware that signing the app using a code signing certificate and employing resource exposure policies are viable options. Nevertheless, it is still possible for the app file to be extracted, and the source code accessed using tools like WinRAR or Zip. Can anyone suggest additional measures I might be overlooking apart from these?
 
"resourceExposurePolicy": {
    "allowDebugging": false,
    "allowDownloadingSource": false,
    "includeSourceInSymbolFile": false
  }
  • Tech-Lucky 815
     
    I did the same with my app and it had AL files as well; that's why I wonder if I missed something.
    But thanks for your support. I will try again; maybe this is something related to my code signing.
  • Suggested answer
    YUN ZHU 76,095 Super User 2024 Season 2
    Hi, I don’t know if you have tested it. Generally, as you mentioned, partners basically have the following settings.
        "allowDebugging": false,
        "allowDownloadingSource": false,
        "includeSourceInSymbolFile": false
     
    So this doesn't work either.
    For example, I randomly downloaded a free app. Add the dependencies attribute and download the symbol file.
     
    You can decompress this file, but you will get some XML files below and you cannot see the AL file.
     
     
    If it could be copied so easily, I don't think any partner would choose to put the apps on AppSource.
     
    Thanks.
    ZHU
  • Tech-Lucky 815
     
    I know users can't download it, but a partner can use my app as a dependency and download it as a symbol, and then it should not be extracted.
  • Suggested answer
    YUN ZHU 76,095 Super User 2024 Season 2
    Hi, for SaaS customers, those who have installed your AppSource application cannot download it on the extension management, and users cannot directly obtain the app file, so users cannot decompress it.
     
    For On-Pre customers, you can send them Runtime Packages, which cannot be decompressed.
    More details: Runtime Packages for Dynamics 365 Business Central On-Premises (Protect the intellectual property represented by your AL source code)
    https://yzhums.com/17327/
     
     
    Hope this can give you some hints.
    Thanks.
    ZHU
  • Tech-Lucky 815
     
    I attempted to set applyToDevExtension to false as well, but that also did not work.
    Let me clarify my issue once again: I am encountering the same validation error while downloading the source code from the extension management page, as Mohamed Amine Mahmoudi shared in the screenshots. However, the problem persists when I receive the AppFile as Symbols in .alpackages; I am still able to extract that app file using WinRAR software, and all the source code remains exportable.
     
  • Suggested answer
    Javier.Armesto 14 User Group Leader
    With this configuration, your IP must be protected. In addition, you must be careful with this: https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-security-settings-and-ip-protection#when-can-code-be-viewed-even-though-the-allowdebugging-flag-is-set-to-false
    More information here: https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-security-settings-and-ip-protection#the-properties-of-the-resource-exposure-policy
  • Suggested answer
    Mohamed Amine Mahmoudi 11,290 Super User 2024 Season 2
    Hi @Tech-Lucky,
     
    I think you did the right thing because you put in the right properties.
    To be sure, try to install the app in another environment, then redo the download.
    It's true you can see the Download Source button enabled,
     
    but when clicked you have this error message
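
A pre-publication check for the two things this thread keeps returning to, the `resourceExposurePolicy` values in `app.json` and whether a package opened as a ZIP archive contains `.al` files. It is an added example, not code from any poster or from Microsoft's tooling. The function names, the entry names in the sample packages and the 40 header bytes are constructed for the demonstration.

```python
import io
import json
import zipfile

POLICY_KEYS = ("allowDebugging", "allowDownloadingSource",
               "includeSourceInSymbolFile")


def policy_findings(app_json_text):
    """Return policy keys that are not explicitly set to false.

    Treating a missing key as a finding is a strict choice of this example.
    """
    policy = json.loads(app_json_text).get("resourceExposurePolicy", {})
    return [key for key in POLICY_KEYS if policy.get(key) is not False]


def source_entries(package_bytes):
    """Open the package as a ZIP archive and list any .al entries in it.

    zipfile locates the archive from its end, so bytes placed in front of
    the ZIP data (a package header) do not prevent the listing.
    """
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as archive:
        return sorted(name for name in archive.namelist()
                      if name.lower().endswith(".al"))


def build_sample(names, header=b""):
    """Build a constructed in-memory package for the demonstration."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in names:
            archive.writestr(name, "constructed sample content")
    return header + buffer.getvalue()


if __name__ == "__main__":
    # Constructed inputs: entry names, header bytes and manifest are made up.
    manifest = '{"resourceExposurePolicy": {"allowDebugging": false}}'
    symbols_only = build_sample(["NavxManifest.xml", "SymbolReference.json"],
                                header=b"\x00" * 40)
    with_source = build_sample(["NavxManifest.xml", "src/Demo.Codeunit.al"])
    print("policy findings:", policy_findings(manifest))
    print("symbols-only package:", source_entries(symbols_only))
    print("package with source:", source_entries(with_source))
```

Running `source_entries` on the exact file that lands in a dependent project's `.alpackages` folder shows which of the two outcomes described in the thread applies to a given build.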
     
