How to obfuscate and protect source code in Electron.js

I recently developed an app with the Electron framework and am now worried about source code protection after reading about security concerns related to Electron JavaScript code.

I mean reverse engineering of the code is possible even if the app is built for production. My application contains a lot of critical information, like a GitHub Private Token for AutoUpdate and much more.

I have just gone through many SO posts but didn't find the perfect answer to resolve the problem. Is obfuscation of JavaScript code or source code protection not possible with Electron? However, obfuscation doesn't protect the code completely, but it can make reverse engineering complex. If there is a workaround for doing so, let me know. I didn't find more than a tl;dr in the security-related post of Electron.

I found an obfuscation method by obfuscator, but it seems it's gonna need manual obfuscation, and there is nothing much about source code protection like in NW.js. Is there any better way to achieve it?

I found something helpful for obfuscation in a Medium post, but didn't find anything about source protection.

Solution

tl;dr You can, but it is not worth the effort. Just pack your source into an asar file; it keeps most people away from it.

Long answer:

  • Use the asar option when building your app.
  • Obfuscate the code with an uglifier.
  • Use WASM.
  • Use language bindings to grab your data from a compiled format:
    • neonjs for Rust
    • edge-js for C#
    • N-API, NAN for C/C++

Otherwise your files are scripts; all these steps only slow down an attacker (the tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU).

If you want to protect yourself from code manipulation, there are better ways to do it, like hashing, context isolation etc. Electron has a whole chapter on the matter:

https://github.com/electron/electron/blob/master/docs/tutorial/security.md
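As an added example (not code from the answer above or from Electron itself), here is a small audit of the BrowserWindow webPreferences settings that the linked security guide recommends, with context isolation among them; the option names are real Electron options, the two configs at the bottom are constructed sample input.

```javascript
// Added example: audit Electron BrowserWindow webPreferences against the settings
// the Electron security guide recommends. Absent keys are reported as "unset"
// rather than assumed, because their default value depends on the Electron version.
const RECOMMENDED = [
  { key: 'nodeIntegration', value: false, risk: 'renderer code can require() Node modules' },
  { key: 'contextIsolation', value: true, risk: 'page scripts share a JS context with the preload' },
  { key: 'sandbox', value: true, risk: 'renderer runs without the OS process sandbox' },
  { key: 'webSecurity', value: true, risk: 'same-origin policy is disabled' },
  { key: 'allowRunningInsecureContent', value: false, risk: 'HTTP resources load on HTTPS pages' },
];

// Returns one finding per option that is set to the weak value ('fail') or is not
// set at all ('unset'). An empty array means every option is explicitly hardened.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const { key, value, risk } of RECOMMENDED) {
    if (!(key in prefs)) {
      findings.push({ key, status: 'unset', risk });
    } else if (prefs[key] !== value) {
      findings.push({ key, status: 'fail', risk });
    }
  }
  return findings;
}

// Returns a copy of prefs with every recommended option set explicitly, so the
// window's security posture no longer depends on version-specific defaults.
// Other keys (for example the preload path) are kept as they are.
function hardenWebPreferences(prefs) {
  const hardened = { ...prefs };
  for (const { key, value } of RECOMMENDED) hardened[key] = value;
  return hardened;
}

// Constructed samples: a tutorial-style config that turns Node on in the
// renderer and turns context isolation off, and its hardened counterpart.
const insecurePrefs = { nodeIntegration: true, contextIsolation: false, preload: '/app/preload.js' };
const hardenedPrefs = hardenWebPreferences(insecurePrefs);

for (const f of auditWebPreferences(insecurePrefs)) {
  console.log(`${f.status.toUpperCase()} ${f.key}: ${f.risk}`);
}
console.log('findings after hardening:', auditWebPreferences(hardenedPrefs).length); // 0
```

The same audit can be run over any webPreferences object before it is passed to `new BrowserWindow(...)`, which catches the weak settings long before anyone opens devTools.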
