ElectronJS代码保护2018 [英] ElectronJS code protection 2018
问题描述
我将开始创建基于Windows的实用程序应用程序以管理本地化expressjs服务器的过程,该服务器将利用基于Windows的图形化应用程序来管理此服务的某些功能
I am about to begin the process of creating a Windows-based utility app to manage localized expressjs server that will utilize a graphical Windows based application to manage some of the features of this service
但是,在我开始之前,我想与社区交谈,以寻求一些建议,关于如何正确保护代码的建议,因为所有代码都是节点JS蜜蜂,我需要确保它受到保护,并且其中一些在线初步阅读似乎表明,使用电子不是最安全的方式,这就是说,你们是如何处理才能使节点JS保持这些代码受电子保护的,在我的情况下,是在Windows环境中进行的
however before I begin I would like to speak with the community to try to get some advice Advice on how to properly protect the code since it will all be node JS bees I need to make sure it’s protected and some of my initial reading online seems to show that using electron by not be the most Safeway saw that being said how are you guys handling this to keep node JS these code protected with electron and in my case On windows environment
任何建议将不胜感激
推荐答案
tl; dr您可以,但不值得努力。只需将您的源文件打包到 asar 文件中,即可使大多数人远离它。
tl;dr You can and it is not worth the effort. Just pack your source into an asar file, it keeps most people away from it.
长答案:
- 在构建应用时使用
asar选项。 - 使用uglifier。
- 使用WASM
- 语言绑定从编译格式中获取数据
- neonjs for Rust
- edge-js for C#
- N-API,NAN for C / C ++
- Use the
asaroption when building your app. - Obfuscate the code with an uglifier.
- Use WASM
- Language bindings to grab your data from a compiled format
- neonjs for Rust
- edge-js for C#
- N-API, NAN for C/C++
否则,您的文件是脚本,所有这些步骤只会减慢攻击者的速度(许多防御策略),但不会阻止他们访问它们。 devTools很容易打开,人们将能够以某种方式,形状或形式阅读代码。而且,如果有人得到了您的混淆代码,则可以很容易地重建正在发生的事情(请参阅此处以供参考: https://www.youtube.com/watch?v=y6Uzinz3DRU )
Otherwise, your files are scripts, all these steps only slow down an attacker (tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code, it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU)
如果您想保护自己免受代码操纵,有更好的方法,例如哈希,上下文隔离等。Electron在此问题上有一整章。
If you want to protect yourself from code manipulation, there are better ways to do it, like Hashing, Context Isolation etc. Electron has a whole chapter on the matter.
> https://github.com/electron/electron/blob/master/docs/tutorial/security.md
小更新(2020年):
几周前我已经看到了这个库,并认为它将显示出一种很好的方法来进一步使代码不被读取
I've seen this library a few weeks ago and thought it would show a nice way to further obfuscate the code from being read by external parties
https://github.com/OsamaAbbas/bytenode
基本思想是编译将JS转换为V8的字节码。这对Electron来说非常有效,而且绝对是一个障碍,并非所有人都能克服。 但是,这不会保护您的代码不被转换回可读的JS。这只是使其变得更加困难的另一层保护。
The basic idea is to compile the JS into bytecode for V8. This works very well for Electron and is definitely a hurdle not everyone will get over. But, this will not protect your code from being turned back into readable JS. It's just another layer of protection to make it more difficult.
这篇关于ElectronJS代码保护2018的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
