From time to time we get asked if it’s possible to decode ionCube encoded files back to source; maybe a developer’s source code was lost or a user wants to change some 3rd party code. Whatever the reason and despite the many false claims about decoding ionCube files, best practice when encoding files should mean that the answer is “no”, and so in this article we will discuss what is best practice and what will offer the best protection for your scripts.
Use the latest version and security features!
Security is an ever changing landscape, and using outdated protection is one of the biggest failings to make. Having the latest ionCube Encoder release will ensure your protection methods are up to date, give you the latest security options, and support the most recent PHP language features. You should think of this like updating your anti-virus software, where outdated security will not protect against new attacks. ionCube has always offered the best in class protection for code, and particularly if getting ready to release a new product or major update of your own software, make sure your code protection is up to date too!
Use obfuscation options (where possible)
The ionCube Encoder will allow you to obfuscate different identifiers such as classes, functions and line numbers. This is an additional layer of security to the general mangling that occurs with standard encoding. Note that sometimes full obfuscation is not possible and certain options will need to be disabled or specific identifiers need to be excluded (see how) for your code to work properly. Using more than one protection mechanism is good security practice, and even if your code does not lend itself to using obfuscation fully, you can still maximise protection by implementing other mechanisms such as Dynamic Keys (see here).
Use Dynamic Keys
An extremely powerful feature introduced in Version 9 is Dynamic Keys. Rather than hiding decoding keys within encoded files, Dynamic Keys are encryption keys that are generated only when a script is run and by the script itself. The absence of static keys and the ability to layer as many keys as you like makes reverse engineering a significant challenge over the traditional static key approach. Version 9 also introduced External Keys as another means of security you can consider for your scripts, though we recommend dynamic keys as the best option. We have an entire article focused on the Keys features which describes how they work (see here).
For help with Keys and other features see our user guide: