ElectronJS code protection 2018


Problem description

I am about to begin the process of creating a Windows-based utility app to manage a localized expressjs server that will utilize a graphical Windows-based application to manage some of the features of this service.

However, before I begin I would like to speak with the community to try to get some advice on how to properly protect the code. Since it will all be Node.js based, I need to make sure it's protected, and some of my initial reading online seems to show that using Electron may not be the safest way. That being said, how are you guys handling this to keep this Node.js code protected with Electron, in my case in a Windows environment?

Any advice is greatly appreciated.

Recommended answer

tl;dr You can and it is not worth the effort. Just pack your source into an asar file; it keeps most people away from it.

Long answer:

  • Use the asar option when building your app.
  • Obfuscate the code with an uglifier.
  • Use WASM
  • Language bindings to grab your data from a compiled format
    • neonjs for Rust
    • edge-js for C#
    • N-API, NAN for C/C++

Otherwise, your files are scripts; all these steps only slow down an attacker (tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code, it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU).

If you want to protect yourself from code manipulation, there are better ways to do it, like hashing, context isolation, etc. Electron has a whole chapter on the matter.

https://github.com/electron/electron/blob/master/docs/tutorial/security.md

Small update (2020):

I saw this library a few weeks ago and thought it would show a nice way to further obfuscate the code from being read by external parties.

https://github.com/OsamaAbbas/bytenode

The basic idea is to compile the JS into bytecode for V8. This works very well for Electron and is definitely a hurdle not everyone will get over. But this will not protect your code from being turned back into readable JS. It's just another layer of protection to make it more difficult.
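
The hashing the answer mentions as a defense against code manipulation, sketched as an added example that is not part of the original answer or of Electron itself: a SHA-256 manifest is recorded at build time and checked at startup. The file names and the temp-directory app tree are constructed, and the sketch assumes the manifest is kept somewhere an attacker who can edit the app files cannot also edit (for example, signed).

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

const sha256 = (file) =>
  crypto.createHash('sha256').update(fs.readFileSync(file)).digest('hex');

// Recursively list files under root as sorted, '/'-separated relative paths.
function listFiles(root, dir = root) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const full = path.join(dir, e.name);
    return e.isDirectory()
      ? listFiles(root, full)
      : [path.relative(root, full).split(path.sep).join('/')];
  }).sort();
}

// Build time: record one hash per shipped file.
function buildManifest(root) {
  return Object.fromEntries(listFiles(root).map((f) => [f, sha256(path.join(root, f))]));
}

// Startup: report files that changed, disappeared, or were added.
function verifyManifest(root, manifest) {
  const known = (f) => Object.prototype.hasOwnProperty.call(manifest, f);
  const present = new Set(listFiles(root));
  const modified = [], missing = [], unexpected = [];
  for (const [f, digest] of Object.entries(manifest)) {
    if (!present.has(f)) missing.push(f);
    else if (sha256(path.join(root, f)) !== digest) modified.push(f);
  }
  for (const f of present) if (!known(f)) unexpected.push(f);
  const ok = !modified.length && !missing.length && !unexpected.length;
  return { ok, modified, missing, unexpected };
}

// Constructed sample app tree (hypothetical file names), checked before and after tampering.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'app-'));
  fs.mkdirSync(path.join(root, 'lib'));
  fs.writeFileSync(path.join(root, 'main.js'), 'console.log("main");\n');
  fs.writeFileSync(path.join(root, 'lib', 'server.js'), 'module.exports = 1;\n');
  const manifest = buildManifest(root);
  const clean = verifyManifest(root, manifest);
  fs.appendFileSync(path.join(root, 'lib', 'server.js'), '// tampered\n');
  fs.writeFileSync(path.join(root, 'extra.js'), '// injected\n');
  const tampered = verifyManifest(root, manifest);
  fs.rmSync(root, { recursive: true, force: true });
  return { clean, tampered };
}
```

A check like this detects modification of shipped files; it does not keep the code from being read, which is the limit the answer describes.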
