I want to make a JavaScript application that's not open source, and thus have two questions:

  1. What's the best way to obfuscate the code?
  2. What's the best way to obfuscate the strings themselves within the application (assuming that the answer to #1 does not handle this)?
+23  A: 

Obfuscation:

Try YUI Compressor. It's a very popular tool, built, enhanced and maintained by the Yahoo UI team.

Private String Data:

Keeping string values private is a different concern, and obfuscation won't really be of much benefit. Of course, by packaging up your source into a garbled, minified mess, you have a light version of security through obscurity. Most of the time, it's your user who is viewing the source, and the string values on the client are intended for their use, so that sort of private string value isn't often necessary.

If you really had a value that you never wanted a user to see, you would have a couple of options. First, you could do some kind of encryption, which is decrypted at page load. That would probably be one of the most secure options, but also a lot of work which may be unnecessary. You could probably base64 encode some string values, and that would be easier, but someone who really wanted those string values could easily decode them. Encryption is the only way to truly prevent anyone from accessing your data, and most people find that to be more security than they need.

Sidenote: Obfuscation in Javascript has been known to cause some bugs. The obfuscators are getting a little better about it, but many outfits decide that they see enough benefit from minifying and gzipping, and the added savings of obfuscation aren't always worth the trouble. If you're trying to protect your source, maybe you'll decide that it's worth your while, just to make your code harder to read. JSMin is a good alternative.

keparo
I want to add that doing a base64 encode will be of no benefit to security, since it is a trivially reversible procedure. Even encrypting it won't help if it's decrypted client-side. The only way to ensure security of a string is to have the client ONLY see the encrypted string, and it is passed to the server for further processing.
Claudiu
FYI, online YUI compressor may be found here: http://refresh-sf.com/yui/
mtness
+8  A: 

The problem with interpreted languages is that you send the source to get them working (unless you have a compiler to bytecode, but then again, it is quite trivial to decompile).

So, if you don't want to sacrifice performance, you can only act on variable and function names, e.g. replacing them with a, b... aa, ab... or a101, a102, etc. And, of course, remove as much space/newlines as you can (that's what so-called JS compressors do).
Obfuscating strings will have a performance hit, if you have to encrypt them and decrypt them in real time. Plus a JS debugger can show the final values...

PhiLho
+7  A: 

There are a number of JavaScript obfuscation tools that are freely available; however, I think it's important to note that it is difficult to obfuscate JavaScript to the point where it cannot be reverse-engineered.

To that end, there are several options that I've used to some degree over time:

  • YUI Compressor. Yahoo!'s JavaScript compressor does a good job of condensing the code that will improve its load time. There is a small level of obfuscation that works relatively well. Essentially, Compressor will change function names, remove white space, and modify local variables. This is what I use most often. This is an open-source Java-based tool.

  • JSMin is a tool written by Douglas Crockford that seeks to minify your JavaScript source. In Crockford's own words, "JSMin does not obfuscate, but it does uglify." Its primary goal is to minify the size of your source for faster loading in browsers.

  • Free JavaScript Obfuscator. This is a web-based tool that attempts to obfuscate your code by actually encoding it. I think that the trade-offs of its form of encoding (or obfuscation) could come at the cost of filesize; however, that's a matter of personal preference.

Tom
Since the Javascript code must run on the client's machine, it is not just difficult to obfuscate to the point where code cannot be reverse-engineered but *impossible*.
Schwern
+3  A: 

I can recommend JavaScript Utility by Patrick J. O'Neil. It can obfuscate/compact and compress and it seems to be pretty good at these. That said, I never tried integrating it in a build script of any kind.

As for obfuscating vs. minifying - I am not a big fan of the former. It makes debugging impossible (Error at line 1... "wait, there is only one line") and they always take time to unpack. But if you need to... well.

Tsvetomir Tsonev
+6  A: 

You can obfuscate the javascript source all you want, but it will always be reverse-engineerable just by virtue of requiring all the source code to actually run on the client machine... the best option I can think of is having all your processing done with server-side javascript, and all the client code javascript does is send requests for processing to the server itself. Otherwise, anyone will always be able to keep track of all operations that the code is doing.

Someone mentioned base64 to keep strings safe. This is a terrible idea. Base64 is immediately recognizable by the types of people who would want to reverse engineer your code. The first thing they'll do is unencode it and see what it is.

Claudiu
@Claudiu Please explain what you mean by server-side javascript. I didn't understand.
Vivek Kodira
Wherever I go, the most common answer to "how can I obfuscate my Javascript?" is "you shouldn't worry about that because someone could un-obfuscate it." This is not really an answer.
Travis Wilson
@Vivek: A bit late, but what I really meant is "server-side code". It is possible to run javascript not in a browser, just on a server, but I don't know how common that is.
Claudiu
@Travis: I didn't say "you shouldn't worry about it." I just said that if you want a closed-source program, you're not going to want to write it in client-side javascript, because any obfuscation you do will not prevent it from being (pretty easily) reverse-engineered.
Claudiu
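
The point made in the answers and comments above, that base64 in client-side code is encoding and not protection, can be checked against your own build output. The following is an added example, not code from any poster in this thread: it scans a bundle's string literals and reports every one that decodes cleanly from base64 to printable text. The function names and the sample bundle (including its URL and key value) are constructed for illustration.

```javascript
// Added example: audit a built JS bundle for string literals that are only
// base64-encoded. Anything reported here is readable by every user.

// Single- or double-quoted literal on one line, allowing backslash escapes.
const STRING_LITERAL = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
// Standard base64 alphabet, at least 8 characters, optional padding.
const BASE64 =
  /^(?:[A-Za-z0-9+\/]{4}){2,}(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/;

// Return the decoded text if `literal` is canonical base64 for printable
// ASCII, otherwise null. Ordinary words such as "password" fit the base64
// alphabet but decode to non-printable bytes, so they are rejected.
function decodeIfPrintable(literal) {
  if (!BASE64.test(literal)) return null;
  const bytes = Buffer.from(literal, 'base64');
  if (bytes.toString('base64') !== literal) return null; // not canonical
  for (const b of bytes) {
    if (b < 0x20 || b > 0x7e) return null;
  }
  return bytes.toString('latin1');
}

// Walk the source line by line and collect every decodable literal.
function findEncodedStrings(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(STRING_LITERAL)) {
      const decoded = decodeIfPrintable(m[2]);
      if (decoded !== null) {
        findings.push({ line: i + 1, literal: m[2], decoded });
      }
    }
  });
  return findings;
}

// Constructed sample: a minified bundle with two "hidden" strings.
const enc = (s) => Buffer.from(s, 'latin1').toString('base64');
const SAMPLE_BUNDLE = [
  `var a=atob("${enc('https://api.example.invalid/v1')}");`,
  `var b="password";var c='hello world';`,
  `var d=atob("${enc('license-key-12345')}");`,
].join('\n');

for (const f of findEncodedStrings(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.literal} -> ${f.decoded}`);
}
```

Any value this reports belongs on the server if it is meant to stay private.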
+1  A: 

A non-open-source Javascript-based application is fairly silly. Javascript is a client-side interpreted language. Obfuscation isn't much protection.

JS obfuscation is usually done to reduce the size of the script, rather than "protect" it. If you are in a situation where you don't want your code to be public, Javascript isn't the right language.

There are plenty of tools around, but most have the word "compressor" (or "minifier") in their name for a reason.

dbr
+6  A: 

Obfuscation can never really work. For anyone who really wants to get at your code, it's just a speed bump. Worse, it keeps your users from fixing bugs (and shipping them back to you) and makes it harder for you to diagnose problems in the field. It's a waste of your time and money.

Write a license and get a lawyer to go after violators.

The only way you can really protect your code is to not ship it. Move the important code server-side and have your public Javascript code do Ajax calls to it.

See my full answer about obfuscators here.

Schwern
A: 

This one minifies but doesn't obfuscate. If you don't want to use command line Java you can paste your javascript into a webform.

Chris S
A: 

I'm under the impression that some enterprises (e.g.: JackBe) put encrypted JavaScript code inside *.gif files, rather than JS files, as an additional measure of obfuscation.

xgMz
A: 

As a JavaScript/HTML/CSS obfuscator/compressor you can also try Patu Digua.

Adrian
+5  A: 

I'm surprised no one has mentioned Google's Closure Compiler. It doesn't just minify/compress, it analyzes to find and remove unused code, and rewrites for maximum minification. It can also do type checking and will warn about syntax errors.

jQuery recently switched from YUI Compressor to Closure Compiler, and saw a "solid improvement".

Jason Hall
+1  A: 

Try JScrambler. I gave it a spin recently and was impressed by it. It provides a set of templates for obfuscation with predefined settings for those who don't care much about the details and just want to get it done quickly. You can also create custom obfuscation by choosing whatever transformations/techniques you want.

Anthony
A: 

You can try JSSOB, high obfuscation level, fast and not so heavy generated code.

Vincent G
A: 

Obfuscation is neither protection nor compression. Compression is a way to obfuscation.

Vincent G
A: 

Contrary to most of the other answers I suggest against YUI Compressor; you should use Google Closure.

Not so much because it compresses more, but mostly because it will catch JavaScript errors such as a = [1,2,3,]; which make IE go haywire.

Andreas Bonini