Problem description
I recently developed an app with the Electron framework and am now worried about source code protection after reading security concerns related to Electron JavaScript code.
I mean reverse engineering of the code is possible even if the app is built for production. My application contains a lot of critical information like a GitHub Private Token for AutoUpdate and much more.
I have just gone through many SO posts but didn't find the perfect answer to resolve the problem. Obfuscation of JavaScript code or source code protection is not possible with Electron? However, obfuscation doesn't protect the code completely, but it can make reverse engineering complex. If there is a workaround for doing so, let me know. I didn't find more than tl;dr in the security-related post of Electron.
I found an obfuscation method by obfuscator, but it seems it's gonna need manual obfuscation, and there is nothing much about source code protection like in NW.js.
Is there any better way to achieve it?
I found something helpful for obfuscation in a Medium post, but didn't find anything about source protection.
tl;dr You can and it is not worth the effort. Just pack your source into an asar file, it keeps most people away from it.
Long answer:
- Use the asar option when building your app.
- Obfuscating the code with an uglifier.
- Use WASM
- Language bindings to grab your data from a compiled format
  - neonjs for Rust
  - edge-js for C#
  - N-API, NAN for C/C++
Otherwise your files are scripts, all these steps only slow down an attacker (tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU).
If you want to protect yourself from code manipulation, there are better ways to do it, like hashing, context isolation etc. Electron has a whole chapter on the matter.
https://github.com/electron/electron/blob/master/docs/tutorial/security.md
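As an added example (not part of the original question or answer, and not Electron's or the asar project's own code): a pre-release check that parses a packed app.asar and reports which packed files contain GitHub-token-shaped strings, showing why packing into asar does not hide an embedded token. The function names, the minimum token lengths in the regex, and the in-memory sample archive with a fake token are assumptions made for illustration.

```javascript
// asar stores file bytes uncompressed after a JSON header, so a token embedded
// in a packed script is readable as plain text. Token lengths are assumed minimums.
const TOKEN_RE = /\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b/g;

// Header layout: two Chromium Pickle records (16 bytes of sizes), then JSON.
function readAsarHeader(buf) {
  const headerSize = buf.readUInt32LE(4); // size of the header pickle
  const jsonLen = buf.readUInt32LE(12);   // byte length of the JSON string
  const header = JSON.parse(buf.toString('utf8', 16, 16 + jsonLen));
  return { header, dataStart: 8 + headerSize };
}

// Walk the header tree; yield the absolute byte range of every packed file.
function* listFiles(node, dataStart, prefix = '') {
  for (const [name, entry] of Object.entries(node.files || {})) {
    if (entry.files) yield* listFiles(entry, dataStart, prefix + name + '/');
    else if (!entry.unpacked && entry.offset !== undefined)
      yield { path: prefix + name, start: dataStart + Number(entry.offset), size: entry.size };
  }
}
// Return [{ path, token }] per match, with the token redacted to 8 characters.
function findTokensInAsar(buf) {
  const { header, dataStart } = readAsarHeader(buf);
  const hits = [];
  for (const f of listFiles(header, dataStart)) {
    const text = buf.toString('latin1', f.start, f.start + f.size);
    for (const m of text.matchAll(TOKEN_RE)) hits.push({ path: f.path, token: m[0].slice(0, 8) + '...' });
  }
  return hits;
}
// Hypothetical helper: builds a flat asar in memory so the demo runs offline.
function buildSampleAsar(files) {
  const bodies = [], tree = { files: {} };
  let offset = 0;
  for (const [name, content] of Object.entries(files)) {
    const body = Buffer.from(content);
    tree.files[name] = { size: body.length, offset: String(offset) };
    bodies.push(body); offset += body.length;
  }
  const json = Buffer.from(JSON.stringify(tree));
  const padded = Buffer.alloc(Math.ceil(json.length / 4) * 4); json.copy(padded);
  const head = Buffer.alloc(16);
  head.writeUInt32LE(4, 0); head.writeUInt32LE(padded.length + 8, 4);
  head.writeUInt32LE(padded.length + 4, 8); head.writeUInt32LE(json.length, 12);
  return Buffer.concat([head, padded, ...bodies]);
}
// Constructed sample archive containing a fake token.
const demoArchive = buildSampleAsar({ 'main.js': `const token = 'ghp_${'A'.repeat(36)}';` });
console.log(findTokensInAsar(demoArchive));
```

To check a real build, pass `fs.readFileSync` of the packaged app.asar to `findTokensInAsar` and fail the release when the result is non-empty.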