Problem description
I recently developed an app with the Electron framework and am now worried about source code protection after reading security concerns related to Electron JavaScript code.
I mean reverse engineering of the code is possible even if the app is built for production. My application contains much critical information, like a GitHub Private Token for AutoUpdate and much more.
I just have gone through many SO posts but didn't find the perfect answer so resolve the problem. Obfuscation of JavaScript code or source code protection is not possible with Electron? However, obfuscation doesn't protect the code completely but it can make reverse engineering complex. If there is a workaround for doing so, let me know. I didn't find more than tl;dr in the security-related post of the electron.
I found an obfuscation method by obfuscator but seems it's gonna need manual obfuscation and nothing much about the source code protection like in NW.js.
Is there any better way to achieve it?
I found something helpful for obfuscation in a Medium post, but didn't find anything about source protection.
tl;dr You can and it is not worth the effort. Just pack your source into an asar file, it keeps most people away from it.
Long answer:
- Use the asar option when building your app.
- Obfuscating the code with an uglifier.
- Use WASM
- Language bindings to grab your data from a compiled format
  - neonjs for Rust
  - edge-js for C#
  - N-API, NAN for C/C++
Otherwise your files are scripts, all these steps only slow down an attacker (tactic of many defenses), but they will not prevent them from accessing them. The devTools are fairly easy to get opened and people will be able to read the code in some way, shape or form. And if someone gets your obfuscated code it is simple to reconstruct what is happening (see here for reference: https://www.youtube.com/watch?v=y6Uzinz3DRU)
If you want to protect yourself from code manipulation, there are better ways to do it, like hashing, context isolation etc. Electron has a whole chapter on the matter.
https://github.com/electron/electron/blob/master/docs/tutorial/security.md
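An asar archive is an uncompressed container with a JSON index, so a build can be checked before release for the kind of embedded token the question mentions. The following is an added example, not code from the question, the answer or the Electron project; the archive layout is an assumption stated in the comments, and buildSampleAsar, listAsarFiles and findEmbeddedTokens are hypothetical names.

```javascript
// Added example. Assumed asar layout (Chromium Pickle framing): u32 LE 4, u32 header pickle
// size, u32 payload size, u32 JSON length, JSON header; file data begins at 8 + header size.
const TOKEN_RE = /\bgh[pousr]_[A-Za-z0-9]{36,}/g; // GitHub token prefixes

// Hypothetical helper: builds a flat asar-shaped Buffer for the demo below.
function buildSampleAsar(files) {
  const header = { files: {} }, bodies = [];
  let offset = 0;
  for (const [name, text] of Object.entries(files)) {
    const body = Buffer.from(text, 'utf8');
    header.files[name] = { size: body.length, offset: String(offset) };
    offset += body.length; bodies.push(body);
  }
  const json = Buffer.from(JSON.stringify(header), 'utf8');
  const padded = Math.ceil(json.length / 4) * 4; // Pickle aligns strings to 4 bytes
  const head = Buffer.alloc(16 + padded);
  [4, 8 + padded, 4 + padded, json.length].forEach((v, i) => head.writeUInt32LE(v, i * 4));
  json.copy(head, 16);
  return Buffer.concat([head, ...bodies]);
}

// Walks the JSON header and returns every packed file with its bytes.
function listAsarFiles(buf) {
  const base = 8 + buf.readUInt32LE(4), jsonLen = buf.readUInt32LE(12);
  if (base > buf.length || 16 + jsonLen > base) throw new Error('malformed asar header');
  const out = [];
  (function walk(node, prefix) {
    for (const [name, entry] of Object.entries(node.files || {})) {
      if (entry.files) walk(entry, prefix + name + '/');
      else if (entry.offset !== undefined) { // unpacked files and links have no offset
        const start = base + Number(entry.offset);
        out.push({ path: prefix + name, data: buf.subarray(start, start + entry.size) });
      }
    }
  })(JSON.parse(buf.toString('utf8', 16, 16 + jsonLen)), '');
  return out;
}

// Release gate: report which packed files carry something shaped like a GitHub token.
function findEmbeddedTokens(buf) {
  return listAsarFiles(buf).flatMap(({ path, data }) =>
    [...data.toString('latin1').matchAll(TOKEN_RE)]
      .map((m) => ({ path, token: m[0].slice(0, 8) + '...' }))); // masked in output
}

const sample = buildSampleAsar({ // constructed input: fake token, not a real app
  'main.js': "const GH_TOKEN = '" + 'ghp_' + 'A'.repeat(36) + "';",
  'renderer.js': "console.log('hello');",
});
console.log(findEmbeddedTokens(sample));
```

To check a real build, read the packaged app.asar into a Buffer and pass it to findEmbeddedTokens; any hit means the token ships to every user and belongs on a server instead.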