2

If all of my behavior is managed by JavaScript run on the client-side, I'm not seeing a way to blackbox code that I may not want the world to see (e.g. internal details about a hardware device plugged in). Is there a way to save some items from being exposed in right-click -> inspect element?

Normally, proprietary parts of a webapp are handled server-side (where there may also be greater computing power). Is everything I write in the Chrome app open for the world to manipulate?

tarabyte
  • 2
    Sounds like a good question to me... no idea why it was voted down, so I am voting it back up. – Marc Rochkind Sep 17 '14 at 18:57
  • See http://stackoverflow.com/questions/194397/how-can-i-obfuscateprotect-javascript and http://stackoverflow.com/questions/23663311/are-chrome-apps-code-visible-to-the-users and http://stackoverflow.com/questions/16381282/is-javascript-source-encryption-useful-for-obfuscation and http://stackoverflow.com/questions/13063689/chrome-extension-will-my-source-code-be-available-to-users/13066190 and many more. It's very rarely relevant whether people can see your client-side code. Writing the software is the easiest part of building a successful business or product. – sowbug Sep 18 '14 at 03:05

2 Answers

1

There is no way to prevent someone from fiddling with any application deployed to a client, and especially not JavaScript applications. This applies to Chrome apps as well.

Brad
  • So usb communication, for instance, is just visible by viewing a comms.js file for instance? There's no way to put this as a background script or stored somewhere else in the app? – tarabyte Sep 17 '14 at 16:34
  • @tarabyte That's correct. No way to hide it. Even if you could from the application perspective, your USB traffic is easy to capture anyway. http://sourceforge.net/projects/usbsnoop/ – Brad Sep 17 '14 at 16:36
  • I acknowledge that most times there's not a great way to hide things, only to make them more than trivial to get at. If there's any way to at least increase the difficulty to get at these, please let me know. – tarabyte Sep 17 '14 at 16:40
  • 1
    @tarabyte There isn't. If you look at all the previous questions on Stack Overflow for obfuscating JavaScript, you will find more in-depth reasoning. The short answer is that the JavaScript engine requires access to the JavaScript code itself to function, and not some intermediary binary format. This is to facilitate `toString()` on functions and what not. Your best course of action is to have explicit licensing terms that impose penalties for reverse engineering your application, so that you have some legal options should someone steal whatever it is that you're trying to hide. – Brad Sep 17 '14 at 16:50
1

For code: the best you can do is uglify and mangle it. This makes it harder to decompile and copy/paste. https://github.com/mishoo/UglifyJS

For data: (e.g. passwords, private keys), you have several possible attackers:

  1. User willingly attacking your app via OS tools and debugger
  2. Malware process attacking your app

1) If a user with root access is attacking your app, given enough time and know-how, they will win. The best defense is to limit the "surface area" they can attack. Encrypt your private data in memory, and deallocate/garbage collect it when you are done with the un-encrypted version. JavaScript will not be awesome in helping you with this.

2) If a rogue process is attacking your app, then your app is as safe as your operating system. If the malware is root, it's the same as 1). Again, best option is to limit the surface area.

That said, browser extensions like password managers store secure data all the time, so it's not unheard of.

These links may be interesting to you:

Community
Michael Cole
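The `toString()` point in the comments and the mangling advice in the last answer can both be checked against your own build before shipping. The following is an added example, not code from any poster on this page: it lists the literals that stay readable in a function after mangling. The two functions, `device.send` and the constants are hypothetical and constructed, and the mangled version is written by hand rather than produced by UglifyJS.

```javascript
// Added example: constructed functions and hypothetical device constants.

// Readable source as a developer might write it (hypothetical vendor command).
function unlockDevice(device) {
  const VENDOR_REQUEST = 0x42;
  const UNLOCK_PHRASE = "unlock-7f3a";
  return device.send({ request: VENDOR_REQUEST, payload: UNLOCK_PHRASE });
}

// Hand-mangled equivalent standing in for minifier output (constructed).
function a(b){return b.send({request:0x42,payload:"unlock-7f3a"})}

// List the string and numeric literals readable in a function's source text.
// Template literals and regex literals are not handled in this narrow check.
function exposedLiterals(fn) {
  // The engine keeps the source text, so toString() returns it verbatim.
  const src = Function.prototype.toString.call(fn);
  const stringRe = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g;
  const strings = (src.match(stringRe) || []).map((s) => s.slice(1, -1));
  // Blank out strings so digits inside them are not counted as numbers.
  const rest = src.replace(stringRe, '""');
  const numbers = (rest.match(/\b0x[0-9a-fA-F]+\b|\b\d+\b/g) || []).map(Number);
  return {
    strings: [...new Set(strings)].sort(),
    numbers: [...new Set(numbers)].sort((x, y) => x - y),
  };
}

// Report which of the given identifier names are still present after mangling.
function survivingNames(fn, names) {
  const src = Function.prototype.toString.call(fn);
  return names.filter((name) => new RegExp(`\\b${name}\\b`).test(src));
}

console.log("readable:", exposedLiterals(unlockDevice));
console.log("mangled: ", exposedLiterals(a));
console.log("names left:", survivingNames(a,
  ["unlockDevice", "VENDOR_REQUEST", "UNLOCK_PHRASE", "send"]));
```

Mangling removes the descriptive local names, but the request code and the string constant come out identical for both functions, so anything that must stay secret belongs on a server rather than in the shipped bundle.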