I recently developed an app with the Electron framework and am now worried about source code protection after reading about security concerns related to Electron JavaScript code.
I mean reverse engineering of the code is possible even if the app is built for production. My application contains a lot of critical information, like a GitHub private token for AutoUpdate and much more.
I have just gone through many SO posts but didn't find the perfect answer to resolve the problem. Is obfuscation of JavaScript code or source code protection not possible with Electron? However, obfuscation doesn't protect the code completely, but it can make reverse engineering complex. If there is a workaround for doing so, let me know. I didn't find more than a tl;dr in the security-related post of Electron.
I found an obfuscation method by obfuscator, but it seems it's gonna need manual obfuscation, and there is nothing much about source code protection like in NW.js.
Is there any better way to achieve it?
I found something helpful for obfuscation in a Medium post, but didn't find anything about source protection.
I built my first Electron app, but now I wonder how to protect the source code from being viewed by other developers.
To protect your app's resources and source code from the users, you can choose to package your app into an asar archive with little changes to your source code.
Code obfuscation is not security (or at least, is a very poor approach to thinking about security). We care a great deal about security. Code obfuscation is about satisfying ill-informed corporate policy. Which is a legitimate use-case! But so are a lot of other features that we want to do, features that move Electron as a platform forward.
Since the main objective of obfuscation is to hide JavaScript and parts of the code that could be targeted by attackers or competitors, it’s easy to understand that you would want to obfuscate any data in the code.
tl;dr You can, and it is not worth the effort. Just pack your source into an asar file; it keeps most people away from it.
Long answer:
- Use the asar option when building your app.
- Obfuscate the code with an uglifier.
- Use WASM
- Language bindings to grab your data from a compiled format
  - neonjs for Rust
  - edge-js for C#
  - N-API, NAN for C/C++
Otherwise your files are scripts; all these steps only slow down an attacker (a tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code, it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU).
If you want to protect yourself from code manipulation, there are better ways to do it, like hashing, context isolation, etc. Electron has a whole chapter on the matter:
https://github.com/electron/electron/blob/master/docs/tutorial/security.md
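The question mentions a GitHub private token shipped inside the app, and the answer above notes that asar packing only slows a reader down. As an added example (not part of the original question or answers), this Node.js pre-release check scans packaged bytes for GitHub token patterns, relying on asar storing files uncompressed; the sample bytes, the fake token and the script name `scan-tokens.js` are constructed for illustration.

```javascript
// Patterns for GitHub credentials that must never ship inside a client app.
const TOKEN_PATTERNS = [
  // Classic tokens: ghp_/gho_/ghu_/ghs_/ghr_ followed by 36 alphanumerics.
  { name: 'github-token', re: /gh[pousr]_[A-Za-z0-9]{36}/g },
  // Fine-grained PATs; the minimum length used here is a loose assumption.
  { name: 'github-fine-grained-pat', re: /github_pat_[A-Za-z0-9_]{22,}/g },
];

// Scan raw bytes (a .js bundle, or a whole app.asar, which stores files
// uncompressed) and return redacted findings with their byte offsets.
function findEmbeddedTokens(bytes) {
  // latin1 maps each byte to exactly one char, so string index == byte offset.
  const text = Buffer.from(bytes).toString('latin1');
  const findings = [];
  for (const { name, re } of TOKEN_PATTERNS) {
    for (const m of text.matchAll(re)) {
      // Report only a short prefix so the scanner's own log leaks nothing.
      findings.push({ name, offset: m.index, preview: m[0].slice(0, 8) + '...' });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample: a few binary header bytes followed by plain JS source,
// shaped like a packed archive. The token is fake and made up for this example.
const FAKE_TOKEN = 'ghp_' + 'A1b2C3d4E5'.repeat(4).slice(0, 36);
const SAMPLE_ARCHIVE = Buffer.concat([
  Buffer.from([0x04, 0x00, 0x00, 0x00, 0xff, 0xfe]),
  Buffer.from(`const GH_TOKEN = "${FAKE_TOKEN}";\n`),
  Buffer.from('const other = process.env.GH_TOKEN; // no literal, no finding\n'),
]);

// CLI use: node scan-tokens.js dist/app.asar  -> exit code 1 on any finding.
async function main(paths) {
  const { readFileSync } = await import('node:fs');
  let hits = 0;
  for (const p of paths) {
    for (const f of findEmbeddedTokens(readFileSync(p))) {
      console.error(`${p}: ${f.name} at byte ${f.offset} (${f.preview})`);
      hits++;
    }
  }
  process.exitCode = hits ? 1 : 0;
}

if (process.argv.length > 2) {
  main(process.argv.slice(2)).catch((e) => { console.error(e.message); process.exitCode = 2; });
} else {
  console.log(findEmbeddedTokens(SAMPLE_ARCHIVE)); // demo on the constructed bytes
}
```

A finding means the token has to move out of the client entirely, for example behind a server the app calls, because any value present in the shipped files can be recovered by whoever has the app.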
There is a library called bytenode which allows you to convert your JavaScript files into binary files so that no one can read it.
https://www.npmjs.com/package/bytenode
First install bytenode on your server and in your folder:
>npm i -g bytenode
>npm i bytenode
Create a normal Node.js file with the following code in it. Let's imagine we name the following code: ok.js
console.log('bytenode works');
Then, compile your JavaScript code. The command will create a .jsc file with the same name as your file.
user@machine:~$ bytenode -c ok.js
Then, in a main JS file, you will call your binary, let's call it test.js:
const bytenode = require('bytenode'); // registers the .jsc loader with require()
const myFile = require('./ok.jsc'); // loading the compiled file runs it
myFile;
Save it.
Then, you will call test.js with "node test.js" to test it. Do a "cat ok.jsc" to see that it is really a binary and that nobody can see your code. You can move your original plain test js file to another location.