How to perform obfuscation of source code and protect source in electron js

Question

I recently developed an app with electron framework and am now worried about source code protection after reading security concerns related to electron javascript code.

I mean reverse engineering of the code is possible even if the app is built for production. My application contains many critical information like GitHub Private Token for AutoUpdate and much more.

I just have gone through many SO post but didn't find the perfect answer so resolve the problem. Obfuscation of javascript code or source code protection is not possible with electron? However, Obfuscation doesn't protect the code completely but it can make reverse engineering complex. if there is a workaround for doing so, let me know. I didn't find more than tl;dr in the security-related post of the electron.

I found an obfuscation method by obfuscator but seems it's gonna need manual obfuscation and nothing much about the source code protection like in NW.js Is there any better way to achieve it?

I found something helpful for obfuscation on Medium post. but didn't find anything about source protection.

Answer 1

tl;dr You can and it is not worth the effort. Just pack your source into a asar file, it keeps most people away from it.

Long awnser:

• Use the asar option when building your app.
• Obfuscating the code with a uglyfier.
• Use WASM
• Language bindings to grab your data from a compiled format
  • neonjs for Rust
  • edge-js for C#
  • N-API, NAN for C/C++

Otherwise your files are scripts, all these steps only slow down a attacker (Tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your Obfuscated code it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU)

If you want to protect yourself from code manipulation, there are better ways to do it. Like Hashing, Context Isolation etc. electron has a whole chapter on the matter.

https://github.com/electron/electron/blob/master/docs/tutorial/security.md

Answer 2

There is a library called bytenode which allows you to convert your Javascript files into binary files so that noone can read it.

https://www.npmjs.com/package/bytenode

First install bytenode on your server and in your folder:

>npm i -g bytenode
>npm i bytenode

Create a normal nodeJS file with the following code in it. Let's imagine we name the following code: ok.js

console.log('bytenode works');

Then, compile your javascript code. The command will create a .JSC file with the same name than your file.

user@machine:~$ bytenode -c ok.js

Then, in a main JS file, you will call your binary, let's call it test.js:

const bytenode = require('bytenode'); 
const myFile=require('./ok.jsc'); 
myFile;

Save it.

Then, you will call test.js: node test.js to test it. Do a "cat ok.jsc" to see that it is really a binary and that nobody can't see your code. You can move your original plain test js file to another location.

Answer 3

You can use bytenode as mentioned is Nicolas Guérinet's answer.

However, the binary generated by bytenode CLI will give you runtime error when you try to use it in your electron project. The error will say something like:

"Invalid or incompatible cached data (cachedDataRejected)"

For the binary to work with electon, it must be generated by electron itself.

Here's how to get it working:

Let's say you want to protect main.js in a typical electron project.

Install bytenode

npm i bytenode

Rename main.js to something else, say temp.js.

Create a new main.js with the following code:

const { app, BrowserWindow } = require('electron')

function createWindow() {
    // Create the browser window.
    mainWindow = new BrowserWindow({
        width: 400,
        height: 200
    })

    //use bytenode to convert js files to jsc
    const bytenode = require("bytenode");
    let compiledFilename = bytenode.compileFile({
        filename: './temp.js',
        output: './main.jsc'
    });
    //convert other Node.js files as required
}

app.whenReady().then(() => {
    createWindow()
})

Now run your electron project. When the blank window appears, look into you project directory, you will find the main.jsc file.

Change your main.js to the following three line code:

const bytenode = require('bytenode'); 
const myFile = require('./main.jsc'); 
myFile;

Remove your nodejs source file (temp.js) from your project and build your project.

You can also minify and obfuscate your code before converting it to jsc.

Credits to https://github.com/mapleby for his posts at https://github.com/bytenode/bytenode/issues/63. I have adapted his idea to get it working.

This will make is significantly more difficult for someone to reverse engineer your code but it will still be possible.

Answer 4

If you're referring to code that you for some reason must have on the client-side, then obfuscation can definitely help. There's no such thing as obfuscation that's impossible to defeat; however, it can raise the cost of de-obfuscation to a point where it's just not worth it for attackers.

The OWASP Mobile Top 10 2016-M9-Reverse Engineering mentions this: "In order to prevent effective reverse engineering, you must use an obfuscation tool". Then you also may benefit from runtime self-protection, which you can also find on the OWASP list: "The mobile app must be able to detect at runtime that code has been added or changed from what it knows about its integrity at compile time. The app must be able to react appropriately at runtime to a code integrity violation".

When comparing different obfuscators, it's critical to check if they provide support and documentation and ensure that the company behind them won't add malware and hide it in the obfuscated code. Here's where free obfuscators often come short.

Check Jscrambler for an enterprise solution. They support Electron and the full list of their obfuscation transformations is available here.