Best way to hide JavaScript code?

[user123]

I've searched it up, there are alot of so called solutions, but they are all easy to bypass.

For example,  you can disabled click, so you can't right-click view-source.

But the workaround is simple: just go to your browsers' web console, for example in Firefox you can easily see the URL of the script.

What are your experiences/tips/methods?

Let's make a list:

- code obfuscation (i.e. http://javascriptobfuscator.com/ )

 

[Will]

There isn't really a perfect method. Yes, you could indeed obfuscate it, but that wouldn't deter someone determined enough. 

[Mike]

This is a new and trending service... https://jscrambler.com/

 

I have no personal experience but as far as i know it server the purpose very well.

[plicatibu]

Mike, the service seems very good, but it's expensive.

 

Do you know a tool that do the same ?

[titmael]

You can't disable access to the script, even if you disable right click you can still access code by :

• dev tools (debugger console)
• sniffing network files and open the file directly in your browser

The best you can do is to merge, minify and obfuscate your code. I use http://yui.github.io/yuicompressor/

 

But looks like there are tools to do reverse engineering on it : http://relentless-coding.org/projects/jsdetox

 

For me, you don't have a perfect way to do it.

[lo.th]

hello i have solution for you
http://lo-th.github.io/pi/SCRIPTtoPNG.html
for decode https://github.com/lo-th/pi/blob/gh-pages/js/PNGtoSCRIPT.js

you can creat you own compacter/decoder
the best in that code size divide by 3.

[plicatibu]

titmael, I know that it is not possible to stop a theft from get our code. I just want to let this as hard as possible, so that many will give up and look for an easier script to rip off.

 

lo.th: it's an extra step to protect the script. Thank you for sharing.

[astoria0128]

what if i want to sell JS code? And i have several demo code on my site? (i dont want...just an example..)

[ultimatematchthree]

Another option is Google Closure Compiler which is available online as well as for downloading.

[tmifx]

I tried to encode all the code and hide the algorithm uncompressing.

But it takes a lot of time if a lot of code.

[CarlRck]

From my experience JScrambler is the strongest option you have. YUI and Google Closure Compiler do not really aim to protect your code. These tools only do function inlining, dead code removal, name replacing, comment removal, etc. All of these are code transformations to reduce code size, to optimize it, but not to make it harder to understand. In practice, it makes it a little bit harder to understand, but it is more like a side effect rather than the primary goal and so they can be easily reversed in minutes. 

 

In my case I wanted to make sure it was really hard for others to get my code and I can tell you JScrambler has several obfuscation features and goes beyond it by installing code traps scattered throughout the code that will provide you extra layers of protection. On top of that it makes attempts to tamper your code break its functionality and triggers more defenses when someone uses JavaScript debuggers. I also used something they have called domain lock (this makes the code only run in specific domain otherwise it breaks), which is useful when someone is trying to just copy your code and run it in his webserver/website. 

 

It's my advice if you wanna really secure your code, hope it helps

[SolarJS]

Jscrambler brutally hits your performance aswell as it does destroying your prechaching of functions and increases GC a lot. I could not recommend it if you are aiming a high performance gameplay. Google closure compiler also partially destroys precaching in Advanced mode, but it works much better and is free also.

[PolaritonMan]

I used YUI Compressor for my Apps: http://yui.github.io/yuicompressor/

 

It may not be the strongest but it is fast, has no performance impact and was easy to integrate into my build script. I recommend it.

[SolarJS]

YUI Compressor is no ofuscator. It can be broken within 5 minutes.

 

I tested a lot of tools recently and I could only recommend a mixture of different tools if one wants excatly the performance the original has.

[anupam]

@SolarJS: regarding JScrambler hurting performance, do you know their "Ignore Code Blocks feature" ?

https://jscrambler.com/en/help/javascript_obfuscation/ignore_code_blocks

 

With it you can instrument your code and tell JScrambler to ignore some transformations in specific blocks of your code. You'll want to do this in the blocks where the performance impact is higher, choosing a lighter set of JScrambler transformations.

Also interesting, you can do the opposite as well. You can tell JScrambler to only use some obfuscations in some blocks. This allows you to push the envelope in more security sensitive parts, where you want to get deeper obfuscation.

 

AFAIK, JScrambler is the only tool that offers this kind of flexibility.

And I think this is really important, because its the only way to tackle the performance hit from obfuscation.

In my case I managed to get performance hit to healthy levels.

[SolarJS]

@anupam

 

Thanks for your feedback.

 

I know this feature. I did a lot of research on the whole obfuscation topic in the recent weeks. And it all ends up in this:

1. JS code is breakable very fast, also JScrambler. I even found a tool which does this automatically. In a bad case you just have to invest up to one more hour to do the last fixing.

2. All advanced tools hit performance. Even Google Closure compiler does hit it. Worst I got was a 50% cut on iOS systems in Advanced Mode. That's unusable and is like this tool is laughing at you for all the hours you've invested to optimize your code.

 

I end up in a mixture of tools to get an obfuscation solutions which does not harm performance at all. It's also way cheaper than JScrambler (I have to admit I am no fan ob subscription payments). There are even ways to do it free, but these are not practical and very time consuming. At least for me when you have lot's of builds and have to test on lot's of mobile devices. 

[anupam]

Interesting. There's a lot to learn in this area.

 

@SolarJS: can you share the name of the tool that breaks the obfuscation automatically ? I'd like to test it against my JScrambler protected code (standard obfuscation template & self-defending).

Regarding the mix of obfuscation solutions you say you are using. Can you share those as well ? I'm interested in learning about alternatives.

 

Regarding building & testing, I'm currently using JScrambler API client with Grunt, which automates everything. I run unit tests after obfuscation to make sure nothing is broken.

[SolarJS]

I won't post any breaker tools, since I don't want to promote them. 

 

I use the Google Compiler in Simple Mode to combine and minify the code. After that I use Jasob for obfuscation. At last GZip is activated on the servers (for further compression), but that's also pretty much standard today.

[anupam]

I've tested Jasob in the past. I really don't think it's a very powerful obfuscator. Yes it renames symbols, obfuscates strings, but that's pretty much it. Right?

 

JScrambler has control flow obfuscation, domain locks, time locks, you can lock the code to iOS, Android, etc. And in case you can use it, you have Self-defending which I think is much harder to break it (although surely not impossible). The downside is the price, of course.

[SolarJS]

As you already say it renames symbols, strings etc. This is called obfuscation. What you mean is obscurity. Obscurity is heavily used by JScrambler, which does hurt performance.

 

I implemented time locks, domain locks etc. by myself. These are no brainers which can be done in just below 10 lines each. Nobody has to pay for these features.

 

Self defending is an illusion. It assumes that the code is executed like in a normal browser. See the whole as a text file which has not to be executed, but can be analysed easily and you can break it fast. I found it not to be worth the money and time.

 

Also, the payment model JScrambler uses is obscure too. First you have the normal prices. Then after 3 days you get an email with a discount offer for about 40%, of course limited for a few days to increase pressure. If you don't by you get a few weeks later emails with a 20% discount. By the way this discount you can get also if you write to them directly. I found this to be fishy. Adding a performance hit this becomes more senseless to me.

 

Jasob has a one time fee of $149 and that's it. This works best for me. However, everybody might choose what he feels comfortable with. I am performance freak and I don't want any "optimizer" to harm what I have invested a lot of time in.

[anupam]

Look at this small example:

Original - http://jsfiddle.net/JScrambler/GaeLD/

Self-defending - http://jsfiddle.net/JScrambler/5ujp3/

 

IMHO, I don't think is trivial to break it. Surely not as trivial as breaking basic symbol renaming and string obfuscation.

I'm using it partially in my code, using the Ignore Code Blocks feature I mentioned before.

[SolarJS]

Unfortunately it is, do a research via google and you will be shocked what these tools can do to reverse JScrambler.

 

Also note, it is obscurity that JScrambler uses and it uses patterns, that's no magic. It just looks hard to read, but it is not if the patterns have been reversed by tools. That step is done faster than reversing the obfuscation to really understand what is going on, since it can be automated via tools you can find.

 

Also, never underestimate the potential of manpower in some countries where they have low salary rates.

 

In conclusion JScrambler is useless and these are six reasons not to use JScrambler:

1. Basically it is useless since your code is supplied as source to the user.
    
2. Hurts performance, on Safari up to 66%! ( see http://jsperf.com/jscrambler/5 , http://jsperf.com/jscrambler/10 )
   
3. Blows up file size (which is especially bad for mobile)
    
4. May introduce new errors / incompatibilities with new hardware
    
5. Eats up the cost you've invested to make your game fast. 66% performance hit on iOS / Mac OS X for games is ridiculous. Even a 10% hit drops your 60fps game to 54fps
    
6. It is expensive itself and uses an obscure pricing policy too ( see http://www.html5gamedevs.com/topic/5807-best-way-to-hide-javascript-code/?p=65882 )
7. EDIT: Startup-Times are much slower and glitches appear due to browser decoding / slower optimizing of the source.

Each of them would be a reason to not use JScrambler, in my opinion.

[anupam]

Although it makes some sense what you are saying, I feel that you ended up choosing something that is far easier to reverse.

 

Automated tools to reverse obfuscation work best if all you are doing is renaming identifiers and hiding strings, and tend to have greater difficulties in tackling more sophisticated protection schemes (self-defending, assorted locks, control flow obfuscation, etc).

 

I understand that you are writing your own locks and then obfuscate the result. But other people may not be interested in writing their own locks, as that is very non-trivial and can be tricky to do.

[SolarJS]

I am sorry, but may be I missed something. A URL lock is a simple regular expression which can be done in even 1-2 lines. Time lock is also simply, just evaluating Date.now() or others to see if the matches. What is tricky about that? Just use KISS

 

As I said above, the disadvantages of a solution like JScrambler are far bigger than the advantages.

[anupam]

This isn't an exact science, but I think it's an overstatement to say that is easy to write better locks. An overly optimistic to say that it only requires 1-2 lines.

 

Writing a lock that can appear in multiple shapes and forms, that is spread out multiple times around the code, using automatic reversal resistant constructs like opaque predicates and that is combined with other transformations to make it more complicated to reverse manually. And you have to make sure it combines well with other transformations. And you have to make sure you are not breaking the code. And you don't want to re-write the locks each time you have a new code to protect.

 

Most people already feel they don't have enough time to code their games/apps. I don't think they are really interested in becoming experts in code protection as well. Not when there are good tools for that. 

 

Happy new year everyone :-)