Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
561 views
in Technique[技术] by (71.8m points)

node.js - ElectronJS code protection 2018

I am about to begin the process of creating a Windows-based utility app to manage localized expressjs server that will utilize a graphical Windows based application to manage some of the features of this service

however before I begin I would like to speak with the community to try to get some advice Advice on how to properly protect the code since it will all be node JS bees I need to make sure it’s protected and some of my initial reading online seems to show that using electron by not be the most Safeway saw that being said how are you guys handling this to keep node JS these code protected with electron and in my case On windows environment

Any advice would be greatly appreciated much thanks

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

tl;dr You can and it is not worth the effort. Just pack your source into an asar file, it keeps most people away from it.

Long answer:

  • Use the asar option when building your app.
  • Obfuscate the code with an uglifier.
  • Use WASM
  • Language bindings to grab your data from a compiled format
    • neonjs for Rust
    • edge-js for C#
    • N-API, NAN for C/C++

Otherwise, your files are scripts, all these steps only slow down an attacker (tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code, it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU)

If you want to protect yourself from code manipulation, there are better ways to do it, like Hashing, Context Isolation etc. Electron has a whole chapter on the matter.

https://github.com/electron/electron/blob/master/docs/tutorial/security.md

Small Update (2020):

I've seen this library a few weeks ago and thought it would show a nice way to further obfuscate the code from being read by external parties

https://github.com/OsamaAbbas/bytenode

The basic idea is to compile the JS into bytecode for V8. This works very well for Electron and is definitely a hurdle not everyone will get over. But, this will not protect your code from being turned back into readable JS. It's just another layer of protection to make it more difficult.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...