Skip to Content
avatar image
Former Member

Protecting source code

Hi,

I would like to ask if anyone knows of any reliable existing approaches for protecting ABAP source code?

As a supplier of 3rd party software, it is a concern that there is no protection over visibility, let alone maintenance of code (ie. READ/INSERT REPORT). This allows for intellectual property to be copied and server-based licensing mechanisms to be bypassed.

Alternatively, is anyone aware of moves by SAP to support this capability in the NetWeaver stack - given its hoped for wider audience in the development community?

I saw in a recent Business One presentation that it is not possible to access the source code, so perhaps the capability is already in NetWeaver, just not generally available?

Regards,

Scott

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

3 Answers

  • Dec 15, 2003 at 06:55 PM

    I haven't played with it, but once I copied this from SAPFANS...none of them is an elegant solution...just a workaround:

    Incho

    "In SAP releases upto 4.6C you can place the special character sequence *@#@@[SAP] on the first line of an ABAP

    to hide the source code - it will still run and behave as normal. To bring the code back to visible you must upload it

    again from a file or put it into a Transport - release it, then edit the transport file and remove the character string.

    For 4.6C you can look at table: D010SINF This table includes a field SQLX. When this field is set to "X" the program

    source will not be viewable as for program: SAPMSYST."

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      On our 4.6C DEV box we have 112064 programs where D010SINF-SQLX = "X", including SAPMSYST. I can view the source code for most of them, but not for SAPMSYST.

      This may not be the proper solution for hiding the source code...

      Gabor

  • Dec 16, 2003 at 01:47 PM

    Sorry, there's no official support for protecting ABAP source code.

    The existing more or less dirty tricks to supress the visibility of the sources in the editor (some start sequence of special characters in the first line) are probably not what you are asking for, because it would be still possible to get the sources if you really want it.

    That the sources in other languages seem to be more protected is usually not an intended feature but the result that you usually distribute only the compiled binaries - with a lot of drawbacks on the other side.

    The ABAP sources of an SAP application are needed for technical reasons. It's not possible to ship just the binaries because recompilations are neccessary at the runtime, for example after installing support packages. Only the availability of the sources allow real remote support and the absolutely neccessary extensibilty by our customers. Practically every R/3 customer has at least some small changes in the code. An application consisting of only static binaries acting like a black box wouldn't be flexible enough to run real business applications.

    It would be possible, of course to build a framework around ABAP that allows shipping the sources in some encrypted format which is decrypted for rebuilding, remote support or extensions. But this requires that there's a decrypter in the system somehow, and some technology that prohibits the misuse of it. How can it be avoided that customers see the code when they want (realistic scenario) to make only small enhancements in all "interesting" parts of the software? Such a technolgy would increase the complexity and limit the flexibility.

    Last but not least stealing intelectual property by copying ABAP code hasn't been a big problem for SAP in the last decades. Maybe because <speculation> the typical ABAP coding reflects the standard business scenarious which are known anyway while more secret technical algorithms ( memory management, database access,...) are part of the kernel written in C. </speculation>.

    But I admit that this topic might be more serious for software partners and it is discussed internally. A discussion here about the importance is welcome!

    regards,

    Dirk

    BTW: Business One is not written in ABAP.

    Add comment
    10|10000 characters needed characters exceeded

    • Well, you cannot do it exactly the same way since you cannot implement any C functions in the kernel. But you might consider to ship an external RFC server program (where you are free to choose the development language of your choice) only as binary file (but then you'll have to support multiple platforms ...) and invoke RFC calls from ABAP to that external RFC server program.

      But you better make up your mind:

      do you want to make use of the platform-independence of Java and/or ABAP - where you have to accept that source code cannot be protected reliably. Or do you emphasize on protecting your source code (at all costs)? Well, in that case I'd suggest to host the application offering only web service-based access. Because even a compiled binary can be reverse-engineered. Every program you ship out can be analysed - it's just a matter of effort and smartness.

      Wolfgang

  • Dec 16, 2003 at 05:37 PM
    Add comment
    10|10000 characters needed characters exceeded