web
You’re offline. This is a read only version of the page.
close
Skip to main content
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Small and medium business | Business Central, N... / Source Code Security f...
Small and medium business | Business Central, N...
Suggested answer

Source Code Security for AppSource Apps

(1) ShareShare
ReportReport
Posted on by Tech-Lucky 1,261 Super User 2025 Season 2
Hi Experts,

I already know the process of protecting the source code for on-premise use by utilizing runtime packages. However, my question pertains to safeguarding my source code from appsource extensions. I am aware that signing the app using a code signing certificate and employing resource exposure policies are viable options. Nevertheless, it is still possible for the app file to be extracted, and the source code accessed using tools like WinRAR or Zip. Can anyone suggest additional measures I might be overlooking apart from these?
 
/resourceExposurePolicy/: {
    /allowDebugging/: false,
    /allowDownloadingSource/: false,
    /includeSourceInSymbolFile/: false
  }
Categories:
Dynamics 365 Business Central
I have the same question (0)
  • Suggested answer
    Mohamed Amine Mahmoudi Profile Picture
    Mohamed Amine Mahmoudi 26,348 Super User 2025 Season 2 on at
    Source Code Security for AppSource Apps
    Hi @Tech-Lucky,
     
    I think you did the right thing because you put in the right properties. 
    to be sure try to install the app in another environment then redo the download 
    it's true you can show the button Download Source enabled.
     
    but when clicked you have this error message
     
  • Suggested answer
    Javier.Armesto Profile Picture
    Javier.Armesto 14 User Group Leader on at
    Source Code Security for AppSource Apps
    With this configuration, your IP must be protected. In addition, you must have careful with this https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-security-settings-and-ip-protection#when-can-code-be-viewed-even-though-the-allowdebugging-flag-is-set-to-false 
    More information here: https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-security-settings-and-ip-protection#the-properties-of-the-resource-exposure-policy:
  • Tech-Lucky Profile Picture
    Tech-Lucky 1,261 Super User 2025 Season 2 on at
    Source Code Security for AppSource Apps
     
    I attempted to set applyToDevExtension to false as well, but that also did not work.
    Let me clarify my issue once again: I am encountering the same validation error while downloading the source code from the extension management page, as     Mohamed Amine Mahmoudi  shared in the screenshots. However, the problem persists when I receive the AppFile as Symbols in .alpackages; I am still able to extract that app file using WinRAR software, and all the source code remains exportable.
     
  • Suggested answer
    YUN ZHU Profile Picture
    YUN ZHU 93,317 Super User 2025 Season 2 on at
    Source Code Security for AppSource Apps
    Hi, For SaaS customers, those who have installed your AppSource application cannot download it on the extension management, and users cannot directly obtain the app file, so users cannot decompress it.
     
    For On-Pre customers, you can send them Runtime Packages, which cannot be decompressed.
    More details: Runtime Packages for Dynamics 365 Business Central On-Premises (Protect the intellectual property represented by your AL source code)
    https://yzhums.com/17327/
     
     
    Hope this can give you some hints.
    Thanks.
    ZHU
  • Tech-Lucky Profile Picture
    Tech-Lucky 1,261 Super User 2025 Season 2 on at
    Source Code Security for AppSource Apps
     
    I know users can't download it, but a partner can use my app as dependency and download it as a symbol then it should not be extracted. 
  • Suggested answer
    YUN ZHU Profile Picture
    YUN ZHU 93,317 Super User 2025 Season 2 on at
    Source Code Security for AppSource Apps
    Hi, I don’t know if you have tested it. Generally, as you mentioned, partners basically have the following settings.
        /allowDebugging/: false,
        /allowDownloadingSource/: false,
        /includeSourceInSymbolFile/: false
     
    So this doesn't work either.
    For example, I randomly downloaded a free app. Add the dependencies attribute and download the symbol file.
     
    You can decompress this file, but you will get some xml files below and you cannot see the al file.
     
     
    If it could be copied so easily, I don't think any partner would choose to put the apps on AppSource.
     
    Thanks.
    ZHU
  • Tech-Lucky Profile Picture
    Tech-Lucky 1,261 Super User 2025 Season 2 on at
    Source Code Security for AppSource Apps
     
    I did the same with my app and it was having AL files as well that's why I wonder if I missed something.
    But thanks for your support I will Try again may be this is something related to my codesigning.  

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Join experts in person to explore low code and AI agents at the Power Platform Community Conference sponsored by Microsoft

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Abhilash Warrier – Community Spotlight

We are honored to recognize Abhilash Warrier as our Community Spotlight honoree for…

Congratulations to the September Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Small and medium business | Business Central, NAV, RMS

#1
Rishabh Kanaskar Profile Picture

Rishabh Kanaskar 2,762

#2
Sumit Singh Profile Picture

Sumit Singh 2,573

#3
YUN ZHU Profile Picture

YUN ZHU 1,930 Super User 2025 Season 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans