1

I am currently considering building a single-page web app using a RESTful API and putting the entire UI logic in JavaScript on the client side. This design concept has been adopted by Twitter and several other web apps.

However, I am wondering how to prevent users from stealing my JavaScript code, since my app logic is all stored in JavaScript. Do products like Gmail, Grooveshark, or Twitter not care about this issue? Do they not care if people can just replicate their app by copying the JavaScript? If so, does it not bring a lot of risk to the business?

I hope someone can answer my question, as I am figuring out how other people are building their apps, and whether anyone has a similar concern about this issue.

yoyocicada
  • Copyright your code. People who then steal your code, you can hold them responsible for criminal actions. – Tower Dec 21 '11 at 23:43
  • 1
    possible duplicate of [How can I obfuscate JavaScript?](http://stackoverflow.com/questions/194397/how-can-i-obfuscate-javascript) – Mike Samuel Jan 01 '12 at 21:29

5 Answers

11

On a pure technical level you can't. Any JavaScript code readable by a browser can be read by a developer UserAgent. In fact there are browser add-ons which allow the user to read the JavaScript behind or linked by any web page.

Having said that, you can make hijacking of your JavaScript code harder by using minification (e.g. http://code.google.com/p/minify/).

Sean B. Durkin
7

As previously stated, there is no way to prevent "code stealing". Just remember we are in a world where code isn't valued anymore. It's so easy to build an application that what really matters is the branding around it.

Anyone can build a Facebook of their own, but the real value is the number of users on Facebook. I don't believe that companies try to protect their code anymore; they in fact make it easy for you to get it via GitHub or the like. Talking about their products and the way they are made is more beneficial to them than you think.

Just take a look at Twitter Bootstrap. The investment they put in that code is well rewarded by all the people building apps on their technology. It reinforces the technical value of their systems.

Dominic Goulet
  • 2
    +1 Excellent points. I agree that, in many scenarios, perceiving your source code as being your "crown jewels" is a viewpoint that is very much From The Past. – Cheekysoft Dec 21 '11 at 16:37
  • 2
    It still depends on what you are working on. Developing a whole new game engine might have value, but developing a web application rarely has value. Most often, what is really valuable is the data that you have gathered. In order of importance, I would say that the people that work for you matter the most, then the branding, then your data and finally the code itself. I may have missed other factors tho ;-) – Dominic Goulet Dec 21 '11 at 16:44
  • I agree with your philosophy. User base is definitely the real asset. Thanks Dominic for your answer! – yoyocicada Dec 23 '11 at 13:50
2

You can minify/obfuscate your JavaScript code, making it essentially unreadable.

For example: http://code.google.com/p/minify/

or check this question: How can I obfuscate (protect) JavaScript?

Philippe Leybaert
  • 1
    Then when you're done reading that article, put on your hacker hat and head over to this one: http://stackoverflow.com/questions/2867027/deobfuscating-javascript or just go right to http://jsbeautifier.org/ – felickz Jan 03 '12 at 19:32
2

If your business requirements state that your source must remain a closely guarded secret and you are attempting to make a single webpage that contains all your business logic you have a conflicting design.

No matter how much obfuscation or minification you perform on your client-side code, there is going to be a way (simple browser plugins to Firebug can do this) to deobfuscate your code.

There is no such thing as "security through obscurity".

felickz
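The point made in the answers above, that minified client-side code stays readable, shown as an added example (not code from the original thread or from any site it mentions): a constructed minified pricing function is re-indented and its literals are recovered. `MINIFIED`, `beautify` and `recoverLiterals` are hypothetical names, and the sample input is constructed.

```javascript
// Constructed sample: a pricing rule as a minifier would emit it (not from any real site).
const MINIFIED =
  'function q(a,b){var c=a*b;if(b>=10){c=c*0.85}if(a>500){c-=25}' +
  'return{total:c,tier:b>=10?"bulk":"std"}}';

// Re-indent minified source by breaking after ; { } outside string literals.
// Deliberately small: no regex-literal, comment or for(;;) handling.
function beautify(src) {
  let out = '', depth = 0, quote = null;
  const nl = () => '\n' + '  '.repeat(depth);
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote) {                          // inside a string: copy verbatim
      out += ch;
      if (ch === '\\') out += src[++i];   // keep the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === '`') {
      quote = ch;
      out += ch;
    } else if (ch === '{') {
      depth++;
      out += ' {' + nl();
    } else if (ch === '}') {
      depth = Math.max(0, depth - 1);
      out = out.trimEnd() + nl() + '}';
      const next = src[i + 1];
      if (next && !';,)}'.includes(next)) out += nl();
    } else if (ch === ';') {
      out += ';' + nl();
    } else {
      out += ch;
    }
  }
  return out.trim();
}

// Thresholds, rates and labels are literals; renaming identifiers cannot hide them.
function recoverLiterals(src) {
  const strRe = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g;
  const strings = (src.match(strRe) || []).map((s) => s.slice(1, -1));
  const code = src.replace(strRe, '""');  // blank out strings before scanning numbers
  const numbers = [...new Set((code.match(/\b\d+(?:\.\d+)?\b/g) || []).map(Number))];
  return { strings, numbers };
}

console.log(beautify(MINIFIED));
console.log(recoverLiterals(MINIFIED));
```

Only the identifier names (`q`, `a`, `b`, `c`) are lost; the control flow, the discount rate and both thresholds come back intact.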
2

Take a look at:

  1. http://a0.twimg.com/b/1/bundle/phoenix-core-en-201112200936.js
  2. http://a2.twimg.com/b/1/bundle/phoenix-more-en-201112200936.js

And consider how hard it is to extract useful information from the code.

This is some of the JavaScript code that your browser downloads when you visit a page on Twitter. This code has been minified (to make it more efficient to move around the network) and obfuscated (to make it harder to read). These techniques make it much harder for the casual user to re-use or reverse-engineer your code. Tools for doing this are widespread and include: Google's Closure Compiler, Yahoo's YUI Compressor, and others.

No such tool is perfect, however. They won't stop a determined hacker -- of course, a determined hacker could probably just reproduce the functionality, which leads to your best defense, IMHO -- which is your copyright.

When you create software, that software is protected by copyright law, in much the same way as other works are (see Software Copyright). If you create a hot new javascript app, and someone rips the code and puts it in their app, you have grounds for legal action. However, the law doesn't just prevent them from using it exactly "as is". From Wikipedia:

There is a certain amount of work that goes into making copyright successful and just as with other works, copyright for computer programs prohibits not only literal copying, but also copying of "nonliteral elements", such as program structure and design.

This can be very valuable protection.

toddsundsted