0

I made a hybrid mobile app in HTML, jQuery and CSS using PhoneGap. I want to obfuscate or encrypt my code so nobody can reverse engineer it. I am confused between YUI Compressor, node-uglifier and minifier. They all just minify my JS file, which can easily be beautified online. Could someone tell me a method of completing this task? Also, please tell me if https://javascriptobfuscator.com/ is good for obfuscation.

Thanks in advance.

techydesigner
Asad
  • Any obfuscation you do on client-side JavaScript isn't really going to help much - the code has to actually be interpreted on the client device, so anything you do to it is going to have to be reversible. What's your reasoning for wanting to obfuscate your code? – Joe Clay Jun 09 '16 at 10:13
  • My boss assigned me the task of protecting the app from reverse engineering. I googled and came to know that the procedure is code obfuscation. I've used jQuery and HTML for the app, i.e. it's hybrid @JoeClay – Asad Jun 09 '16 at 10:17
  • So the reason is to obfuscate it so that nobody can understand it @JoeClay – Asad Jun 09 '16 at 10:18
  • Well, just by the nature of JavaScript being an interpreted language, it's impossible to obfuscate your code in a way that will 100% protect it. You can use tools like minifiers and the one you linked to make it a little more time consuming/difficult to understand, but there is no way to stop a sufficiently determined person from getting at the source. See: http://stackoverflow.com/a/194470/5436257 – Joe Clay Jun 09 '16 at 10:26
  • OK, so YUI is the solution. Thanks for your time @JoeClay, have a great day. – Asad Jun 09 '16 at 10:30
  • Well, what do you say about `https://javascriptobfuscator.com/`? @JoeClay – Asad Jun 09 '16 at 10:31
  • As with minifiers like YUI, this is just 'security through obscurity'. The same code is being executed (it would have to be, or the browser wouldn't understand it), it's just in a different form. As far as I can tell, all https://javascriptobfuscator.com does is convert all the values and identifiers into their ASCII hex values and then retrieve them in a strange way. If it only took me 10 minutes to figure out how to decode it, it's probably not a good obfuscator :P – Joe Clay Jun 09 '16 at 10:42
  • I posted a quick rundown of why obfuscators like that don't work well as an answer - hopefully it'll help you/your boss! – Joe Clay Jun 09 '16 at 11:01

1 Answer

3

As discussed in the comments - obfuscation in an interpreted language is pretty much impossible. This is by virtue of the fact that the browser needs to be able to read your code as valid JavaScript to be able to run it - if the browser can do it, so can a sufficiently determined human! Any services that claim to be able to obfuscate JavaScript are simply offering 'security through obscurity' - i.e., making it more time-consuming to decode or less easy to understand.

For example, I took a look at the site you linked in your question. Here's my input code:

```javascript
console.log("test");
```

And here's the output:

```javascript
var _0xdef6=["\x74\x65\x73\x74","\x6C\x6F\x67"];console[_0xdef6[1]](_0xdef6[0])
```

This looks pretty secure at first glance, and it might be enough to scare off some less dedicated reverse-engineers. However, it's actually pretty simple to decode:

```javascript
//               t   e   s   t       l   o   g
var values = ["\x74\x65\x73\x74", "\x6C\x6F\x67"];
console[values[1]](values[0]);
```

Suddenly, it's all pretty obvious - the tool has taken the values and identifiers from the input code, converted them to ASCII hex codes, and stored them as strings in an array.

Now, admittedly a real program would be much longer than this, and would probably be harder to decode, but my point remains the same - if I can figure out how their obfuscator works for a small program over my lunch break, it's hardly going to protect your code from any serious reverse-engineering attempt!

Joe Clay
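The manual decoding walked through in the answer above can be automated in a few lines, which is why this style of output adds so little protection. This is an added example, not part of the original post and not code from javascriptobfuscator.com; the function names are hypothetical, and it assumes the exact layout shown in the answer (one leading `var _0x…=[…]` string table referenced by numeric index). The input is handled as text only and is never evaluated.

```javascript
// Obfuscated sample copied from the answer above (String.raw keeps the \x escapes literal).
const SAMPLE = String.raw`var _0xdef6=["\x74\x65\x73\x74","\x6C\x6F\x67"];console[_0xdef6[1]](_0xdef6[0])`;

// Turn the \xHH escapes inside one string-literal body back into characters.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Locate the leading `var _0x....=["...","..."];` table.
// Returns { name, values, rest } or null when the source does not start with one.
function extractStringTable(source) {
  const decl = /^\s*var\s+(_0x[0-9a-f]+)\s*=\s*\[((?:\s*"(?:[^"\\]|\\.)*"\s*,?)*)\]\s*;?/;
  const m = decl.exec(source);
  if (!m) return null;
  const values = [];
  const literal = /"((?:[^"\\]|\\.)*)"/g;
  let lit;
  while ((lit = literal.exec(m[2])) !== null) {
    values.push(decodeHexEscapes(lit[1]));
  }
  return { name: m[1], values, rest: source.slice(m[0].length) };
}

// Replace every table lookup with the decoded string it stands for.
function deobfuscate(source) {
  const table = extractStringTable(source);
  if (!table) return source; // not this pattern: leave the text untouched
  const identifier = /^[A-Za-z_$][\w$]*$/;
  const ref = new RegExp("(\\[)?" + table.name + "\\[(\\d+)\\](\\])?", "g");
  return table.rest.replace(ref, (whole, open, index, close) => {
    const value = table.values[Number(index)];
    if (value === undefined) return whole; // index outside the table
    // obj[_0x..[1]] becomes obj.log when the decoded value is a valid identifier.
    if (open && close && identifier.test(value)) return "." + value;
    return (open || "") + JSON.stringify(value) + (close || "");
  });
}

console.log(deobfuscate(SAMPLE));
```
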