Protecting Client Code As Much As Possible

I’m new here. So I’ve been coding for about 2 years now, mostly as a hobby. My 2 main languages are JavaScript and Lua. So I was wondering about obfuscation. I’m aware that everything on the client is beyond our control and for the most part we shouldn’t be fussing about protecting the client side but securing the server side. I’ve always managed to prioritize the latter first, but would also like to try and go as far as try and protect the client to the furthest extent possible.

Usually my front end code, HTML, CSS, JS, the JS is particularly small and lightweight so I obfuscated it and it didn’t really increase by much in file size. I also benched it and no noticeable performance drop usually arises when I obfuscate it. I’m curious, does obfuscating my JS file make reverse-engineering harder for those that want to try and fiddle with my source code? I’m aware that since the client is out of our control for the most part that it’s impossible to fully protect it. But I wonder how much does the obfuscation help, and how would the data look to someone sniffing around the browser compared to a non-obfuscated code?

Would appreciate your thoughts and constructive feedback. I hope to learn more from hearing from you guys! ^^

  • Given that the amount of minimized/obfuscated JavaScript in the world is astronomically large, the likelihood that many tools exist for un-obfuscating code is almost 100%.

  • That’s a fair point. However, I’ve seen that using some of those de-obfuscation tools isn’t always going to work. Sometimes they only de-obfuscate part of the code, more often I think they’ll fail to de-obfuscate the whole code properly, depending on the obfuscation that was used. I’m not too sure, but this is what I’ve seen in a few videos demonstrating some de-obfuscators.

  • Obfuscation is basically the best you can do. There are deobfuscators, but they can’t recover variable names, so all you get is the code structure, but it will still be hard to decipher the algorithms.

  • Yes, at least it’s kinda like saying, “Hey my code isn’t here for you to just take. If you want to take it, you’re gonna have to go through a tiresome process.” So does this mean that when they inspect on the browser, the data they see is different compared to a non-obfuscated code?

  • The variable and property names may be different, but a dedicated snoop can over time decode your software. Another good rule is when you’re trying to protect something with a tool like an obfuscator, assume that the person who wants to steal it considers it 10 times more valuable than you do.

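On the question raised in the thread about what someone inspecting the browser sees, here is an added example (not code from any poster): a readable function and a hand-made imitation of its obfuscated form, compared by source text and by the request each one produces. The endpoint `/api/score`, the field names and every function name are assumptions made for the demonstration; it runs under Node.js.

```javascript
// Added example (constructed). Endpoint, fields and names are hypothetical;
// _0x3c is a hand-written imitation of typical obfuscator output.

// Readable version: builds the request a page would hand to fetch().
function buildScoreRequest(player, score) {
  return {
    url: "/api/score",
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ player: player, score: score }),
  };
}

// Same logic after identifier renaming and base64 string-table encoding.
const _0x1f = ["L2FwaS9zY29yZQ==", "UE9TVA==", "Q29udGVudC1UeXBl",
               "YXBwbGljYXRpb24vanNvbg==", "cGxheWVy", "c2NvcmU="];
// Node's Buffer decodes the table here; browser code would call atob().
const _0x2a = (i) => Buffer.from(_0x1f[i], "base64").toString("utf8");
function _0x3c(_0xa, _0xb) {
  const _0xc = {}; _0xc[_0x2a(2)] = _0x2a(3);
  const _0xd = {}; _0xd[_0x2a(4)] = _0xa; _0xd[_0x2a(5)] = _0xb;
  return { url: _0x2a(0), method: _0x2a(1), headers: _0xc, body: JSON.stringify(_0xd) };
}

// The request as a proxy or the browser's Network tab would display it.
function wireView(req) {
  const headers = Object.entries(req.headers).map(([k, v]) => `${k}: ${v}`);
  return `${req.method} ${req.url}\n${headers.join("\n")}\n\n${req.body}`;
}

// Compare the two versions by source text and by what leaves the client.
function compare(player, score) {
  const plain = wireView(buildScoreRequest(player, score));
  const obf = wireView(_0x3c(player, score));
  return {
    sameSource: buildScoreRequest.toString() === _0x3c.toString(),
    sameOnWire: plain === obf,
    wire: obf,
  };
}

console.log(compare("alice", 4200));
```

The source text differs, but the request is identical in both cases, which is why the server still has to validate whatever it receives.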