How to perform obfuscation of source code and protect source in electron js
Problem description
I recently developed an app with the Electron framework and am now worried about source code protection after reading security concerns related to Electron JavaScript code.
I mean reverse engineering of the code is possible even if the app is built for production. My application contains a lot of critical information, like a GitHub Private Token for AutoUpdate and much more.
I have just gone through many SO posts but didn't find the perfect answer to resolve the problem. Obfuscation of JavaScript code or source code protection is not possible with Electron? However, obfuscation doesn't protect the code completely, but it can make reverse engineering complex. If there is a workaround for doing so, let me know. I didn't find more than a tl;dr in the security-related post of Electron.
I found an obfuscation method by obfuscator, but it seems it's gonna need manual obfuscation, and there is nothing much about source code protection like in NW.js. Is there any better way to achieve it?

I found something helpful for obfuscation in a Medium post, but didn't find anything about source protection.
Recommended answer
tl;dr You can and it is not worth the effort. Just pack your source into an asar file, it keeps most people away from it.
Long answer:
- Use the asar option when building the app.
- Obfuscate the code (uglify it).
- Use WASM
- Language bindings to get your data from a compiled format
  - neonjs for Rust
  - edge-js for C#
  - N-API, NAN for C/C++
Otherwise your files are scripts; all these steps only slow down an attacker (tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code, it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU)
If you want to protect yourself from code manipulation, there are better ways to do it, like hashing, context isolation, etc. Electron has a whole chapter on the matter.
https://github.com/electron/electron/blob/master/docs/tutorial/security.md
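
The hashing the answer mentions, sketched as an added example (not code from the answer or from Electron): a build step records SHA-256 digests of the shipped files and a startup check reports any that were modified, removed or added. The function names are hypothetical, and it assumes the manifest is kept or signed somewhere a person editing the app files cannot also rewrite it.

```javascript
// Added example: detect modified app files by comparing SHA-256 digests
// against a manifest generated at build time. buildManifest and
// verifyManifest are hypothetical names, not an Electron API.
const crypto = require('crypto');
const fs = require('fs');
const path = require('path');

function sha256File(file) {
  return crypto.createHash('sha256').update(fs.readFileSync(file)).digest('hex');
}

// Recursively list files below root as sorted, '/'-separated relative paths.
function listFiles(root, dir = root) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((entry) => {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) return listFiles(root, full);
    return [path.relative(root, full).split(path.sep).join('/')];
  }).sort();
}

// Build step: record one digest per shipped file.
function buildManifest(root) {
  const manifest = {};
  for (const rel of listFiles(root)) {
    manifest[rel] = sha256File(path.join(root, rel));
  }
  return manifest;
}

// Startup step: report files that changed, disappeared, or were added.
function verifyManifest(root, manifest) {
  const present = new Set(listFiles(root));
  const result = { modified: [], missing: [], unexpected: [] };
  for (const [rel, digest] of Object.entries(manifest)) {
    if (!present.has(rel)) result.missing.push(rel);
    else if (sha256File(path.join(root, rel)) !== digest) result.modified.push(rel);
    present.delete(rel);
  }
  result.unexpected = [...present].sort();
  result.ok = result.modified.length === 0 &&
    result.missing.length === 0 && result.unexpected.length === 0;
  return result;
}
```

Like the other steps in the answer, this detects tampering rather than preventing it, since the check itself ships with the app.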