How encrypted module are proctected?

I was wondering how protected module are ?

are they saved in like an encrypted file like aes256 strong on disk ? and decrypted in memory ?

can you store text that is not readable, like ip adress, logs, texts ect or you have to encode everything
like MBS does serial number for example, seems like one can read inside an app to search strings.

i’m asking because i remember like 10 years ago, there was a way to open them, but was fixed.

the idea is to release open source code with some encrypted modules, thanks

The point is to thwart the casual user, and hope they respect your wishes. I haven’t tried it, but I expect that a determined individual would be able to decrypt your files with a some effort.


The IDE tells you quite a lot when you select an item to “encrypt”

Warning: This is a lightweight protection scheme designed to deter casual browsing, not a secure cryptography system.


It doesn’t matter how good the encryption is, the IDE needs to be able to decrypt it, so it can always be thwarted. It’ll deter most users. In fact, I can’t recall ever hearing of somebody breaking the encryption. But I know how it works, and I know it’s technically possible.


Years ago someone told me that the encryption was broken on the modules in my Mergable Cell Listbox classes and that it was made “available”, so apparently it does happen.


1 Like

Ditto. I was shown an app that took my encrypted products and unencrypted them for the world to see. Then found my products being distributed illegally on a downloads site. That’s when I stopped providing encrypted demos.


While I never had a lot of sales, I doubt my sales were affected significantly by the cracked version as those that used it likely would not have bought anyway. It was a pretty niche need.


1 Like

mmm thanks for feedback

so i’m thinking out loud, i’ve read somewhere that we can have aes256 field in sqlite

so is there a way to store methods in a sqlite aes 256 field ands load them ? one method per row ? is this xojoscript is for’ ? sorry never used it, i’m doing simple data manipulations.
or i’m delusional.
the plugin way could be a solution to ? i wanted to watch youtube video of XDC how to make plugin

Even if you could do this, aside from making your life harder and debugging a real pain, you’d have to supply the decryption password within the app itself, defeating the purpose.

Take reasonable steps to protect your code, then accept that some determined users will be able to break through it. The only thing you can do is make the effort high enough to discourage that pool.


yes but i was thinking to get this from url connection, if needed.

And then somebody could get your password from the url…


yes but is technically possible to store methods in some aes256 file or sqlite field and decode them at runtime to make valid xojo mehods or i’m daydreaming ? yes agreed, for limited tasks

The only thing you could store in a sqlite database is text, so technically you could use XojoScript, but I don’t think it would be practical for your entire app. You’d spend a lot of time creating bridge classes to get anything done.

For instance, the new user code-assistants functionality includes the ability to use the Clipboard and the Regex classes just like you do in Xojo code in the IDE. Under the hood, this is no easy feat. A class is created completely in XojoScript which duplicates the API of the Xojo class, but because the plugin to do Regex is exposed to compiled apps and the only data that can be passed between Xojo and a XojoScript are the basic types (strings, numbers, booleans) you have to create a thing for XojoScript called a “context” which defines all of the methods that the script is allowed to call. So this Regex class, when you call it’s “constructor,” calls into the context, which in turn, creates a new Regex instance and a unique identifier (UID). The Regex instance is stored in a dictionary using the UID as the key and the UID is returned to the XojoScript. Then each of the other methods that need to act on that object also need to have that UID passed to it.

It’s a long and tedious process. Possible, but not very practical.


Technically, yes. You would use XojoScript. Practically, it’d do nothing more than make your life more difficult. You’d have limited functionality, hard to maintain code, and it still won’t achieve your goal.

You’d have more luck using compiled XojoScript instead of encrypted XojoScript. Still not worth it.

1 Like

On the other end, hackers, with ransomware, are known to encrypt files that the user and even the whole community (malware researchers, antivirus makers, anyone) can’t figure any way to decrypt. Yet the hacker himself can decrypt the files because he owns a key.
So there are ways…

1 Like

Well sure, there are plenty of unbreakable encryption techniques. The trouble is executable code needs to be readable, so at some point it needs to be decrypted.

You could absolutely encrypt an executable binary. It just won’t be executable anymore.

1 Like

That is not comparable, since for Xojo modules, you as developer you encrypt and you know the Key. Which by it self would be all good and strong. But problem is Xojo it self needs to magically also know the Key since else Xojo cannot decode and compile your module. This is where the weakness is, making it not matter much how strong the encryption it self is given the key management is compromised from start. So the system basically has backdoor so Xojo can know the key.

Best way to do it properly would be to simply let Xojo let us deploy compiled modules. Instead of encrypted.

Then also you would not always need to bother with encrypting modules when you want to publish them and then decrypt them again so you can continue with your project. you would simply just compile the modules with some command and that would be that.


Well, under Windows it’s called a DLL …

I would not want DLL, absolutely not. More like .lib or .a or .o file That Xojo Linker could then link statically into the app.

1 Like