A customer I'm making a simple Arduino-based appliance for has requested that it should not be possible to extract the software from the device, as it will contain sensitive account information. I know almost nothing about the function of bootloaders or the functions of the native ICSP portion on the Atmega chips - I'm just a programmer - so forgive me for the noobie questions.
I am aiming to deploy on USB-less Atmega328p boards that only offer ICSP header. Does the Atmega328 ICSP natively allow reading the flash memory using avrdude or similar, or does it require the presence of a bootloader that offers this function? Is there some kind of dedicated locking mechanism for disallowing this? Will it affect my own software's ability to read from flash memory?
Thankful for any advice on how to "lock down" the device after flashing it.