
How to perform obfuscation of source code and protect source in electron js

I recently developed an app with electron framework and am now worried about source code protection after reading security concerns related to electron javascript code.

I mean reverse engineering of the code is possible even if the app is built for production. My application contains a lot of critical information, like a GitHub private token for auto-update and much more.

I have just gone through many SO posts but didn't find the perfect answer to resolve the problem. Is obfuscation of JavaScript code or source code protection not possible with Electron? Obfuscation doesn't protect the code completely, but it can make reverse engineering complex. If there is a workaround for doing so, let me know. I didn't find more than a tl;dr in the security-related post of Electron.

I found an obfuscation method by obfuscator, but it seems it's going to need manual obfuscation, and there is nothing much about source code protection like in NW.js. Is there any better way to achieve it?

I found something helpful for obfuscation in a Medium post, but didn't find anything about source protection.

Kiran Maniya asked Sep 25 '19 17:09



2 Answers

tl;dr You can, and it is not worth the effort. Just pack your source into an asar file; it keeps most people away from it.

Long answer:

  • Use the asar option when building your app.
  • Obfuscate the code with an uglifier.
  • Use WASM
  • Language bindings to grab your data from a compiled format
    • neonjs for Rust
    • edge-js for C#
    • N-API, NAN for C/C++

Otherwise your files are scripts. All these steps only slow down an attacker (the tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened, and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code, it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU).

If you want to protect yourself from code manipulation, there are better ways to do it, like hashing, context isolation, etc. Electron has a whole chapter on the matter.

https://github.com/electron/electron/blob/master/docs/tutorial/security.md

Vishal Vaghasiya answered Nov 15 '22 17:11


There is a library called bytenode which allows you to convert your JavaScript files into binary files so that no one can read them.

https://www.npmjs.com/package/bytenode

First install bytenode on your server and in your folder:

>npm i -g bytenode
>npm i bytenode

Create a normal Node.js file with the following code in it. Let's imagine we name it ok.js:

console.log('bytenode works');

Then, compile your JavaScript code. The command will create a .jsc file with the same name as your file.

user@machine:~$ bytenode -c ok.js

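Then, in a main JS file, you will call your binary. Let's call it test.js:

// Loading bytenode registers a handler for the .jsc extension
const bytenode = require('bytenode');
// Requiring the compiled file runs it
const myFile = require('./ok.jsc');
myFile;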

Save it.

Then, you will call test.js with "node test.js" to test it. Do a "cat ok.jsc" to see that it is really a binary and that nobody can see your code. You can move your original plain ok.js file to another location.

Nicolas Guérinet answered Nov 15 '22 18:11