Blog Entry - 4th July 2007 - Programming - JavaScript

JavaScript Obfuscation - Just Say No


So, you have just created the most imaginative, clever, complex JavaScript conceivable; it has taken you a lot of time to write; and you are probably using it for some form of client application running in a browser.

Time to think about protecting all that hard work through obfuscation?

I thought so once; then I thought twice.

What is obfuscation?

Obfuscation is making your code harder to read, including by replacing meaningful identifiers (names) with meaningless ones. The resulting code is still valid code which can be run.

It is not hiding JavaScript. Hiding means attempting to have the browser load and parse the JavaScript but at the same time stopping the client from seeing the JavaScript at all. There have been many attempts at this; but I am not aware so far of any completely successful one; they just vary in their difficulty to overcome. It remains a fact that the JavaScript must get into your computer to be run by the browser; and if it is in your computer, you should be able to lay your hands on it in some way. Attempts have been made, for fun: Hackers Wanted.

It is not compilation. Compilation is the creation of byte code or binary.

It is not encryption. Encryption converts the code to a meaningless stream of characters, and requires a decryption step before the code can be run. It fails because the client also needs the decryption key, otherwise how is the client to decrypt and run the JavaScript? Windows Script Encoder is of no use; a quick search will find you a number of decoders.

It is not compression. Compression expresses the code in fewer characters; but often retains the original code information and identifiers, which can easily be retrieved by running the decompression function on the code.
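The encryption and compression paragraphs above come down to the same thing: the decoder and its key travel with the payload. The following is an added example, not code from the original post; the XOR transform is a toy stand-in for a cipher, and `KEY`, `SECRET_SOURCE` and the function names are assumptions made for illustration.

```javascript
// Constructed sample: the source an author wants to keep from readers.
const SECRET_SOURCE = 'function price(qty) { return qty * 10; }';
const KEY = 'k3y'; // hypothetical key; it has to ship with the page

// Toy XOR transform standing in for "encryption" (not a real cipher).
function xorCodes(codes, key) {
  return codes.map((c, i) => c ^ key.charCodeAt(i % key.length));
}

// Server side: what gets published is the ciphertext plus the key.
function protect(source, key) {
  const codes = Array.from(source, (ch) => ch.charCodeAt(0));
  return { cipher: xorCodes(codes, key), key };
}

// Client side: the loader must rebuild the plain text before running it.
function loadProtected(bundle, execute) {
  const source = String.fromCharCode(...xorCodes(bundle.cipher, bundle.key));
  return execute(source);
}

// Normal use: hand the decoded text to the JavaScript engine.
function runNormally(bundle) {
  return loadProtected(bundle, (src) => new Function(src + '; return price;')());
}

// A reader swaps the execute step for one that records its argument.
function recoverSource(bundle) {
  let seen = null;
  loadProtected(bundle, (src) => { seen = src; });
  return seen;
}

const bundle = protect(SECRET_SOURCE, KEY);
console.log(recoverSource(bundle));
```
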

Does it really provide security?

If the JavaScript can be inspected, it can be reverse engineered. There are applications out there that can make the JavaScript look pretty readable again (but for variable names); and a sufficiently skillful, experienced and determined programmer (you know, the sort you might like to hide your code from) will probably be able to discern the essential features of your code without too much effort.

Do you really need security?

There is probably little that is completely original, that has not already been done by others and made available open source. There are a large number of open source JavaScript libraries and frameworks.

There is also probably little again that your sufficiently skillful, experienced and determined programmer could not re-invent for themselves.

Will the community approve?

Obfuscation will not make you many friends.

See some of the discussion at comp.lang.javascript:-

Thread1

Thread2

Should I trust you?

If I am to download your script into my browser, am I prepared to trust you if I am unable to read the script?

Is it worth the effort?

There are a lot of potential technical pitfalls / headaches which await the would-be obfuscator. Is it worth all that stress?

For instance:-

  • If you remove line breaks, then mind your semi-colons.
  • You need to avoid accidentally obfuscating DOM names such as "document", "body" etc.
  • If your code is in more than one file, how do you ensure the same obfuscated names are used across all files?

If you get an error, it feels like a needle in a very big haystack.
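The three pitfalls listed above, reproduced as an added example (not the code of ObscuraButty or of any other tool): joining lines in code that relies on line breaks, renaming DOM names, and keeping one name map across files. The sample files, the `RESERVED` list and the function names are constructed for illustration; a real tool needs a parser, because this regex would also rewrite words inside string literals.

```javascript
// Constructed two-file sample; FILE_A relies on line breaks instead of semicolons.
const FILE_A = 'var total = 0\nfunction add(n) { total = total + n }';
const FILE_A_FIXED = 'var total = 0;\nfunction add(n) { total = total + n; }';
const FILE_B = 'add(2);\ndocument.body.title = total;';

// Language and DOM names the renamer must leave alone (short constructed list).
const RESERVED = new Set(['var', 'function', 'return', 'document', 'body', 'title']);

// Joining lines removes the places where a semicolon would be inserted for you.
function stripLineBreaks(source) {
  return source.replace(/\s*\n\s*/g, ' ');
}

// Syntax check only: new Function compiles the text without running it.
function parses(source) {
  try { new Function(source); return true; } catch (e) { return false; }
}

// One renamer instance holds one name map; reuse it for every file.
function makeRenamer(reserved) {
  const map = new Map();
  return function rename(source) {
    return source.replace(/\b[A-Za-z_]\w*\b/g, (name) => {
      if (reserved.has(name)) return name;
      if (!map.has(name)) map.set(name, '_' + map.size);
      return map.get(name);
    });
  };
}

const shared = makeRenamer(RESERVED);
console.log('joined FILE_A parses:', parses(stripLineBreaks(FILE_A)));
console.log('joined FILE_A_FIXED parses:', parses(stripLineBreaks(FILE_A_FIXED)));
console.log(shared(FILE_A_FIXED));
console.log(shared(FILE_B));                 // same map: names line up
console.log(makeRenamer(RESERVED)(FILE_B));  // fresh map: names no longer match
console.log(makeRenamer(new Set())(FILE_B)); // no reserved list: DOM names lost
```
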

Is there an alternative?

If the code needs to be kept secure, either to protect your work, or to conceal a secret business process, can it be left on the server instead? Why does it need to be downloaded to the client?

Alternatively, perhaps you could look at creating a Java applet, which has some protection, being expressed as it is in byte code.

Or just bite the bullet, and develop a native binary executable. A programmer friend was asked to create a web application (which would operate by communicating with a remote server over the internet) for a customer, with local storage abilities, which could be distributed on a CD for PC users. Having looked at the browser and associated JavaScript frameworks and Flash and Silverlight plug-ins, runtimes such as Java and .NET etc, it seemed to be the case that the best and most reliable option would be to develop a stand-alone Win32 application using Delphi.

Do you want compression instead?

Perhaps all you really need is to compress your JavaScript.

JSMin

Dean Edwards' Packer

Still not convinced?

Ok, ok, you get the point.

Still interested?

Well, there are plenty of commercial offerings on the marketplace, and some are probably very good. But you will have to reach your own opinion.

If you want to dip your toes in, then have a play with my very rough, very old, very slow, very untested JavaScript obfuscator, and see how hard it is for yourself.

ObscuraButty(v3) - 2004

It is undocumented, unsupported, and will only run in Internet Explorer 6. It is about a 250k download, and, guess what, I did not obfuscate it, so you can see how it works; although my code is a spaghetti mess, so you might think it was obfuscated!

It is not a Windows application, despite the look and feel. I once started writing my own web-application framework; then I discovered some others (e.g. Bindows); so I gave up.

You are licensed to use this for home and commercial evaluation purposes only. It may not be used for business purposes, or for code destined to be used in a business.

But remember - you use it entirely at your own risk.

