19

I am about to begin the process of creating a Windows-based utility app to manage a localized expressjs server, which will utilize a graphical Windows-based application to manage some of the features of this service.

However, before I begin I would like to speak with the community to try to get some advice on how to properly protect the code. Since it will all be Node.js based, I need to make sure it's protected, and some of my initial reading online seems to show that using Electron may not be the most safe way. So that being said, how are you guys handling this to keep Node.js based code protected with Electron, and in my case in a Windows environment?

Dharman
jremi
  • should be dupe of https://stackoverflow.com/questions/39233588/how-can-i-obfuscate-the-client-side-source-code-of-my-es6-react-redux-elec. `2018` doesn't change a lot of things. Once you ship code in the client, it is readable regardless of what you do. – OJ Kwon Apr 26 '18 at 00:57
  • I did give you an answer, for people who will be landing here via Google. But generally this type of question is better placed on the Electron forums and Slack channel. The help files on Stack Overflow give you an idea why ;) https://stackoverflow.com/help/how-to-ask – Hans Koch Apr 26 '18 at 12:22

1 Answer

30

tl;dr: You can, and it is not worth the effort. Just pack your source into an asar file; it keeps most people away from it.

Long answer:

  • Use the asar option when building your app.
  • Obfuscate the code with an uglifier.
  • Use WASM
  • Language bindings to grab your data from a compiled format
    • neonjs for Rust
    • edge-js for C#
    • N-API, NAN for C/C++

Otherwise, your files are scripts; all these steps only slow down an attacker (the tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code, it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU).

If you want to protect yourself from code manipulation, there are better ways to do it, like Hashing, Context Isolation etc. Electron has a whole chapter on the matter.

https://github.com/electron/electron/blob/master/docs/tutorial/security.md

Small Update (2020):

I saw this library a few weeks ago and thought it would show a nice way to further obfuscate the code from being read by external parties.

https://github.com/OsamaAbbas/bytenode

The basic idea is to compile the JS into bytecode for V8. This works very well for Electron and is definitely a hurdle not everyone will get over. But, this will not protect your code from being turned back into readable JS. It's just another layer of protection to make it more difficult.

Pang
Hans Koch
  • Hi Hans, thanks so much for this post. I appreciate the clarifications. I also really liked the YouTube video you sent. Very nice to see how he went down to the Chromium layer to look at the actual DOM events that interfaced with the js engine. – jremi Apr 26 '18 at 14:29
  • @Hans Koch So I guess shipping source maps to production would be counterproductive, right? – Kev Aug 22 '18 at 13:32
  • @Amida only if you want to "protect" the scripts. But I personally would not include source maps in any production-meant product, either in the browser or in Electron. – Hans Koch Aug 23 '18 at 19:24
  • > But, this will not protect your code from being turned back into readable JS. Any way to prove this? Maybe this is 'possible' but there is currently no way to turn it back; creating such a decompiler would be a very difficult task which no one has done yet. I think using bytecode is pretty good as far as securing your source. – lmiller1990 Jul 24 '23 at 08:55
  • @lmiller1990 I mean, do you have any proof that no one has done this? It's easy to parse bytecode back and forth; that's what happens for marshalling, for example, if you use NodeJS and C# too (edge-js). Please refrain from such an illogical statement just because it's above what you think is possible. – Hans Koch Aug 30 '23 at 23:34