Joined: 22 Jun 2020
Posted: Mon Jun 22, 2020 11:42 am Post subject: Potential New Customer - How do you rate IonCube?
I have been looking around for a mechanism to protect my PHP source code; up until this point I have not needed to do this, so this is my first venture into this area. Obviously I like to do my research, as this potentially could cost me a lot of money.
So I have a couple of questions that I tried to direct in an email a few weeks ago here, but maybe the forums are the place to get some decent answers. Unfortunately this may be a long post.
Firstly, how good is ionCube, from both performance and security perspectives, and also at keeping up to date with the latest PHP releases?
I have a few concerns in each of these areas.
1. Keeping up with the latest PHP releases
I am currently developing for PHP 7.4 with a view to keeping my code ready to go for PHP 8. I maintain the servers the code runs on, so I do not need to worry about legacy systems; however, I can see that ionCube does not support this version yet, even though it came out on 28 November 2019 (207 days as of this post). This is a long time to wait for a supported release. I can see PHP 8 is estimated for release on 26 November 2020, so if I buy ionCube now, will it support PHP 8 or will I need to pay for an upgrade? How much will this cost? That is, if support for 7.4 even comes out before the PHP 8 release.
2. How will the PHP 8 JIT compiler impact securing PHP source code?
3. How secure is your source code after it is converted into bytecode? Is it possible to obtain the original source code?
Looking around to see if anywhere is offering to crack ionCube or reverse engineer files back to source, I can see several people offering these services for a small fee. This tells me that it isn't as secure as advertised. Obviously I won't post the links here.
I also found a research paper entitled "Security Analysis of PHP Bytecode Protection Mechanisms" by Dario Weißer, Johannes Dahse, and Thorsten Holz that talks about the reverse engineering method that they used to do this.
4. I can see cracks attacking the ionCube loader to circumvent the licensed domain/IP/MAC lock, dated 2016.
So can the bytecode protection offered be circumvented to obtain the source code? Have there ever been cases where this has been done? How good is this product?