Select to view content in your preferred language

How to secure arcpy-based Python toolbox solutions as a pyd

4252
4
10-05-2015 03:58 PM
JohnDye
Deactivated User

I want to secure some sensitive business logic used in a Python toolbox tool.

Python toolboxes are inherently insecure. Any one who is even semi-curious can figure out how to open one and view the source code and there seems to be no good way to secure that source code and nothing on the horizon from Esri that will facilitate it in the future. Sure I could use a regular old Script tool but you know, who would want to go back to a script tool when there's Python toolboxes? One could also just compile the source to a .pyc and ship that instead of the raw .py file but that can easily be decompiled by anyone who is capable of googling.

One thing I'm wondering is whether it would be possible to install Cython alongside the Python distro that ships with ArcGIS, build the arcpy-based solution and then just call the needed functions out of the resulting .pyd file. What I don't know is whether or not this is possble to do this with solutions that include arcpy-based functions and if so, how? Does anyone have any experience with this or even securing source code used in a Python toolbox

UPDATE:

Thanks to everyone for your replies. I agree that the open nature of a pyt has it's advantages. I also agree that if someone really wants to get to the source and is thoroughly determined, there's no stopping them.

I don't necessarily think that when you're in a business environment, the latter fact should negate responsibility on a developer working with sensitive IP to implement some safeguards and obstacles for an adversary to overcome.

If you're running an orchard, just because someone who really wants your apples could probably pick them off without much effort doesn't mean you should leave the ladders leaning next to the trees.

0 Kudos
4 Replies
DanPatterson_Retired
MVP Emeritus

Copyright, Publishing (first) and Licensing are your only protections against infringement of use of content, idea or tangeables. As you are probably aware, securing code is largely a futile task ... hence, lawyers ... if it is that valuable.

curtvprice
MVP Esteemed Contributor

One big purpose of a pyt is it's more open!

I agree (and so do these folks over at StackExchange) that it won't gain you much and may not be worth the trouble. It also makes your code difficult to debug!

Distributing a pyc file would probably avoid most issues. You could perhaps reverse engineer some of the code, but it would be awfully hard to understand after doing so.

Luke_Pinner
MVP Regular Contributor

The easiest way to secure a python toolbox is publish it as a geoprocessing service with ArcGIS Server.

FreddieGibson
Honored Contributor

I think this may help point you in the right direction if you want to obfuscate your code.

How do I protect python code

http://stackoverflow.com/questions/261638/how-do-i-protect-python-code

I would agree with most of the people on the above discussion that python is just a language that wasn't truly designed to be obfuscated. Typically if I need to hide some logic from a user I write my code in .NET/Java ArcObjects, but I've never needed to truly lock anything down.