Proprietary code distribution #42863

Closed
Defuera opened this issue Jul 28, 2020 · 11 comments
Labels
type-question A question about expected behavior or functionality

Comments

@Defuera

Defuera commented Jul 28, 2020

Hello, I'm developing an SDK that is supposed to be sold to clients. It's pure Dart code, dedicated to mobile Flutter apps.
I'm looking for a way to distribute code in a way that it's hard to reverse engineer. As an Android developer I would expect to be able to compile and obfuscate the code and then distribute it via a central repository. But so far I couldn't find a way to do it.

I already figured that pub.dev is only dedicated to open source.

Can you advise on the matter described above?

@leafpetersen transferred this issue from dart-lang/language Jul 28, 2020
@leafpetersen
Member

Transferring this to the sdk repo. In general, our standard build and ship options assume compiling a whole program from source. You could probably build a custom solution by using a combination of marked entry points with an ffi backed facade. I'm not sure what, if anything, we provide in terms of obfuscation. @mraleph @mkustermann or @a-siva might have more information here.

@mkustermann
Member

> I'm not sure what, if anything, we provide in terms of obfuscation

The Dart VM's AOT compiler (gen_snapshot) does support obfuscation via --obfuscate. Additionally a lot of symbolic information can be stripped via --dwarf-stack-traces --save-debugging-info=<file> (**).

This approach would obfuscate an entire application. Also our AOT compiler produces simple machine code that is not so hard to reverse engineer. The harder part might be how to distribute such applications and make it communicate with other applications.

If your intention is to obfuscate a particular package/library (similar to compiling java libraries to obfuscated java class files / dex files) and make it available in the same application to users as a package/library: Right now we have no stable intermediate format that could be used for this. Also unlikely to be available soon.

(**) These flags are indirectly also accessible in flutter application builds, see flutter.dev/docs/deployment/obfuscate.

@vsmenon
Member

vsmenon commented Jul 29, 2020

If the intent is to distribute a library, an alternative would be a Dart source minifier / obfuscator of some sort - similar to those in the JS ecosystem.

This isn't something we have plans to do ourselves anytime soon.

@srawlins
Member

I think this question is answered.

@srawlins added the type-question label Jul 30, 2020
@Defuera
Author

Defuera commented Jul 30, 2020

Thank you, this helps. To recap:

There's no simple and efficient way to distribute closed source.

@mncmeditech

The agora_rtc_engine seems to be doing it. Any insight on how the package https://pub.dev/packages/agora_rtc_engine is able to implement it - hide the source code, yet allow users to use it?

@mraleph
Member

mraleph commented Sep 8, 2020

@mncmeditech the source code is here: https://github.com/AgoraIO/Flutter-SDK/tree/master/lib you can read all the Dart code you want, it's not much though because the SDK itself is implemented using Java or Kotlin and pulled down via gradle (https://github.com/AgoraIO/Flutter-SDK/blob/master/android/build.gradle#L55) or via a Pod dependency for iOS. In both cases you have a choice of distributing binary artifacts instead of source.

@MikePendo

Was there any progress or plans on that topic?

@Surajit-Roy

How can we export our Flutter package to another project without exposing our code?

@fotiDim

fotiDim commented Oct 6, 2023

It would be great if this was reopened. The above-mentioned Agora workaround only covers iOS and Android. There is no easy way to make a closed source library for all Flutter-supported platforms.

@trapeye

trapeye commented Dec 18, 2023

Is there any alternative?
