
Is using an obfuscator enough to secure my JavaScript code?


I'm working on building a development tool that is written in JavaScript.

This will not be an open source project and will be sold (hopefully) as a commercial product.

I'm looking for the best way to protect my investment. Is using an obfuscator (code mangler) enough to reasonably secure the code?

Are there other alternatives that I am not aware of?

(I'm not sure if obfuscator is the right word, it's one of the apps that takes your code and makes it very unreadable.)

like image 339
Markus asked Aug 27 '08 02:08


3 Answers

I'm going to tell you a secret. Once you understand it, you'll feel a lot better about the fact that JavaScript obfuscation is only really useful for saving bandwidth when sending scripts over the wire.

Your source-code is not worth stealing.

I know this comes as a shock to the ego, but I can say this confidently without ever having seen a line of code you've written because outside the very few realms of development where serious magic happens, it's true of all source-code.

Say, tomorrow, someone dumped a pile of DVDs on your doorstep containing the source code for Windows Vista. What would you be able to do with it? Sure, you could compile it and give away copies, but that's just one step more effort than copying the retail version. You could painstakingly find and remove the license-checking code, but that's something some bright kid has already done to the binaries. Replace the logo and graphics, pretend you wrote it yourself and market it as "Vicrosoft Mista"? You'll get caught.

You could spend an enormous amount of time reading the code, trying to understand it and truly "stealing the intellectual property" that Microsoft invested in developing the product. But you'd be disappointed. You'd find the code was a long series of mundane decisions, made one after the other. Some would be smarter than you could think of. Some would leave you shaking your head wondering what kind of monkeys they're hiring over there. Most would just make you shrug and say "yeah, that's how you do that."

In the process you'll learn a lot about writing operating systems, but that's not going to hurt Microsoft.

Replace "Vista" with "Leopard" and the above paragraphs don't change one bit. It's not Microsoft, it's software. Half the people on this site could probably develop a Stack Overflow clone, with or without looking at the source of this site. They just haven't. The source-code of Firefox and WebKit are out there for anyone to read. Now go write your own browser from scratch. See you in a few years.

Software development is an investment of time. It's utter hubris to imagine that what you're doing is so special that nobody could clone it without looking at your source, or even that it would make their job that much easier without an actionable (and easily detectable) amount of cut and paste.

like image 70
Charles Miller answered Oct 11 '22 15:10


I deeply disagree with most answers above.

It's true that every piece of software can be stolen despite obfuscation but, at least, it makes it harder to extract and reuse individual parts of the software, and that is the point.

Maybe it's cheaper and less risky to use obfuscation than to leave the code open and fight in court after somebody stole the best parts of our software and made dangerous concurrency.

Unobfuscated code whispers:

  • Come on, analyze me, reuse me. Maybe you could make better software using me.

Obfuscated code says:

  • Go away dude. It's cheaper to use your own ideas than trying to crack me.
like image 27
pcjuzer answered Oct 11 '22 14:10


You are going to be fighting a losing battle if you try to obfuscate your code in the hopes of someone not stealing it. You may stop the casual browser from getting at it, but someone dedicated would almost certainly be able to overcome any measure you use.

In the past I have seen people do several things:

  1. Paste a lot of whitespace at the top of the page with a message telling people that the code is unavailable, when in actuality you just need to scroll down a few pages to get at it.
  2. Running it through an encoder of some kind; this is so-so useful, as it can just be run through the decoder.
  3. Another method is to reduce variable names to one character and remove whitespace (this is also an efficiency thing).

There are many other methods.

In the end, your efforts are only likely to stop the casual browser from seeing your stuff. If someone dedicated comes along then there is not much you will be able to do. You will have to live with this.

My advice would be to make a really awesome product that attracts the most people and beat off any competition by having the best product/service/community and not the most obfuscated code.

like image 22
Doug Miller answered Oct 11 '22 16:10
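To make items 2 and 3 of the list in the last answer concrete, the following is an added example, not code from any of the posters: it applies an encoder and a simple name mangler to a constructed sample function and reports what each one actually hides. The sample function `daysLeft` and the helpers `encode`, `decode`, `mangle`, `load` and `report` are hypothetical names, and `Buffer` assumes Node.js.

```javascript
// Added example: constructed sample code; every helper name here is hypothetical.
const SOURCE = `function daysLeft(expiryMs, nowMs) {
  const msPerDay = 86400000;
  const remaining = Math.ceil((expiryMs - nowMs) / msPerDay);
  return remaining > 0 ? remaining : 0;
}`;

// Item 2: ship an encoded payload plus a loader that decodes it at run time.
function encode(src) {
  return 'eval(atob("' + Buffer.from(src, "utf8").toString("base64") + '"))';
}

// The loader must carry the payload, so the same decoding is open to any reader.
function decode(packed) {
  const match = /atob\("([A-Za-z0-9+\/=]*)"\)/.exec(packed);
  return match ? Buffer.from(match[1], "base64").toString("utf8") : null;
}

// Item 3: rename locals to one character and drop whitespace.
// Assumes the listed names do not collide with a, b, c, ... already in the source.
function mangle(src, locals) {
  let out = src;
  locals.forEach((name, i) => {
    const short = String.fromCharCode(97 + i);
    out = out.replace(new RegExp("\\b" + name + "\\b", "g"), short);
  });
  return out.replace(/\s*([{}();,=?:<>\/*+-])\s*/g, "$1").trim();
}

// Evaluate a source string and hand back the function it defines.
function load(src) {
  return new Function(src + "; return daysLeft;")();
}

function report() {
  const mangled = mangle(SOURCE, ["expiryMs", "nowMs", "msPerDay", "remaining"]);
  const args = [Date.UTC(2024, 0, 31), Date.UTC(2024, 0, 1)];
  return {
    mangled,
    encodedRoundTrips: decode(encode(SOURCE)) === SOURCE,        // byte-identical source
    sameBehaviour: load(mangled)(...args) === load(SOURCE)(...args),
    namesHidden: !/expiryMs|msPerDay/.test(mangled),             // only local names are lost
    logicVisible: mangled.includes("Math.ceil((a-b)/c)"),        // the algorithm is still there
  };
}

console.log(report());
```

The encoded form gives back the original text exactly, comments and names included; the mangled form loses only the local names, while the public function name, the constants and the logic remain readable.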