Secure distribution of NodeJS applications

Question

What: Can NodeJS apps be distributed as binary? ie. you compile the .js app via V8 into its native binary, and distribute the binary to clients? (if you had total access to the NodeJS server)... or is minifying the code all you can do?

Why: We build serverside applications in NodeJS for clients, that have often to be hosted on the client's servers. Distributing source code means clients can easily steal our solution and stop paying licensing fees. This opens up the possibility of easy reverse-engineering or reuse of our apps without our awareness.

See [Node.js code protection](http://stackoverflow.com/questions/8040423/node-js-code-protection) and [Is there a way to compile node.js source files?](http://stackoverflow.com/questions/6145561/is-there-a-way-to-compile-node-js-source-files). It's not easily possible. — Rob W, Feb 23 '12 at 16:30
What you have is [not really a technical problem](http://programmers.stackexchange.com/q/66616/9097). — josh3736, Feb 23 '12 at 17:11
More discussion here: http://groups.google.com/group/nodejs/browse_thread/thread/98f21cab99878a13 — Pooria Azimi, Jun 16 '12 at 19:46

score 26 · Accepted Answer · answered Feb 23 '12 at 20:27

26

Yes you can create a binary format. V8 allows you to pre-compile JavaScript. Note that this might have a bunch of weird side-effects on assumptions made by node core.

Distributing source code means clients can easily steal our solution and stop paying licensing fees.

Just because you distribute the binary doesn't protect you againsts theft. They can still steal the binary code or disassemble it. This is protection through obscurity which is no protection at all.

It's better to give them a thin client app that talks to your server and keep your server code secure by not giving it away.

answered Feb 23 '12 at 20:27

Raynos

166,823
56
351
396

6

@James Andino: But, even if you could compile the code, what's preventing someone from taking the executable and data files and installing them on another machine? Compiling code isn't analogous to locking a car. Compiling is a performance and packaging measure, not a security measure. – user4815162342 Feb 28 '13 at 14:23
2

well my only defense to that logic is name calling. – Tegra Detra Feb 28 '13 at 14:33
8

These things are generally a losing race. However many resources you pump into "securing this" the other side will have more resources. You should simply not worry about this and ensure your business isn't dependent on the magic sauce in your code but on actual non-code value your company produces. – Raynos Feb 28 '13 at 18:07
+1 for the suggestion of thin client app. Putting critical business logic server-side is more "secure" than distributing executable with the same business logic. Disassembling binaries (and patching them for nefarious purposes) is very easy to do with current tools at today's date. – Spoike Jul 23 '13 at 09:20
1

The way Nodejs has been evolving, the best way would definitely be a thin client. I agree with @JamesAndino on the analogy though :P I mean, by obfuscating, the developer is just setting the bar **higher**, so there will be lesser people who can do the reverse engineering. Although, with nodejs, it would not be worth the effort to take so much headache. Try pitching a "thin client" approach to your client. – kumarharsh Jul 31 '14 at 14:30
12

Sometimes clients are so secure as prevent any internet access. I.e. there are use cases when your business logic must be on client's server. So the problem of securing node.js server code is quite actual. – Dzenly Oct 22 '15 at 05:05
6

Agree w @Dzenly. In addition, "protection through obscurity which is no protection at all" is false. as kumar_harsh points out, it merely raises the bar, BUT just because the bar is not insurmountable doesn't mean it doesn't provide value-- otherwise you could say the same of any security system. This is especially true for enterprise products. Also, clients that require high security are more likely to have strong controls that make it difficult, possibly a fireable offense, for employees to reverse engineer their vendors' products. – mwag Jun 30 '16 at 14:26

score 25 · Answer 2 · edited May 23 '17 at 12:25

Yes it is possible, use this branch(based on 0.8.18) and any js code you put in 'deps/v8/src/extra-snapshot.js' will be ahead-of-time compiled to machine code and embedded in v8 as part of the normal builtin object initialization. You will need to build nodejs for each platform you intend to deploy your product.

The snapshotted code runs very early in the v8 initialization and you cannot access builtin objects in the 'module body'. What you can do is put all your code inside a global initialization function to be called later. Ex:

// 'this' points to the same as the object referenced by 
// 'global' in normal nodejs code.
// at this point it has nothing defined in it, so in order to use
// global objects a reference to it is needed.
var global = this;
global.initialize = function() {
  // You have to define all global objects you use in your code here;
  var Array = global.Array;
  var RegExp = global.RegExp;
  var Date = global.Date;
  // See ECMAScript v5 standard global objects for more
  // Also define nodejs global objects:
  var console = global.console;
  var process = global.process;
  // Your code goes embedded here
};

Also, this assumes your entire code is defined in a single file, so if your project uses nodejs module system(require) you need to write a script that will combine all your files in one and wrap each file in a closure that will trick your code into thinking it is a normal nodejs module. Probably each module closure would expose a require function, and this function would have to decide when to delegate to the standard 'global.require' or return exports from your other embedded modules. See how javascript module systems are implemented for ideas(requirejs is a good example).

This will make your code harder to debug since you wont see stack traces for native code.

UPDATE:

Even using v8 snapshots the code gets embedded in the node.js binary because v8 prefers lazy compilation. See this for more information.

Thank you this is very useful I must try this. – Tegra Detra Feb 27 '13 at 06:20 — Tegra Detra, Feb 27 '13 at 06:20

score 5 · Answer 3 · answered Aug 21 '19 at 13:17

We have been using pkg to create binary versions of our Node.js app before distribution.

https://github.com/zeit/pkg

In order to add license key checking we use Cryptlex:

https://docs.cryptlex.com/node-locked-licenses/using-lexactivator/using-lexactivator-with-node.js

score 3 · Answer 4 · answered Sep 22 '13 at 13:54

3

I'm currently investigating the same thing and am looking at nexe which claims to be able to "create a single executable out of your node.js apps".

Can't tell you if it's any good just yet, but thought it'd be worth to share already.

answered Sep 22 '13 at 13:54

kvz

5,517
1
42
33

Nexe permit to create a stand-alone executable, but do not obfuscate the code at all. you can easily retrieve the javascript code at the end of the (huge) binary file. – Félix Brunet Feb 21 '19 at 16:56

score 2 · Answer 5 · answered Feb 16 '15 at 17:46

2

V8 generates native machine code internally and executes it. Look here: https://github.com/v8/v8-git-mirror/blob/master/src/compiler.cc#L1178 . This feature is used in EncloseJS. EncloseJS parses the sources of your node.js project, bundles dependencies, and makes an executable binary. The sources are not included in the binary - only compiled machine code.

answered Feb 16 '15 at 17:46

Igor Klopov

279
3
5

1

It is only the lazy compiled native code ! (2 times slower than the optimized one they say) – Alexis Paques Sep 09 '15 at 16:58

Secure distribution of NodeJS applications

5 Answers5

Linked