15

I recently developed an app with electron framework and am now worried about source code protection after reading security concerns related to electron javascript code.

I mean reverse engineering of the code is possible even if the app is built for production. My application contains many critical information like GitHub Private Token for AutoUpdate and much more.

I just have gone through many SO post but didn't find the perfect answer so resolve the problem. Obfuscation of javascript code or source code protection is not possible with electron? However, Obfuscation doesn't protect the code completely but it can make reverse engineering complex. if there is a workaround for doing so, let me know. I didn't find more than tl;dr in the security-related post of the electron.

I found an obfuscation method by obfuscator but seems it's gonna need manual obfuscation and nothing much about the source code protection like in NW.js Is there any better way to achieve it?

I found something helpful for obfuscation on Medium post. but didn't find anything about source protection.

Improve this question
5
  • 4
    The first question should be: "If it is security critical - why do you need those on client side"? If something is really critical obfuscation is the wrong path - instead change your app in a way that it works without those credentials - e.g. externalize these data to an server on the Internet. Commented Sep 25, 2019 at 17:32
  • It seems impossible, consider a case of JWT token signature verification on the client-side, I have to store the JWT secret client side. In another case, consider i'm using Github provider for AutoUpdate and i have to have a GitHub Private repo token client side. I know Obfuscation does not solve problem completely but it may help to make it complex to find out such details. Commented Sep 25, 2019 at 17:37
  • 3
    There seems to be something wrong with your app. From what I know a JWT token is created on the authentication server, not by the client app. Therefore the client app does not need to "sign" a new JWT token and therefore has no need for a JWT signing key. Commented Sep 25, 2019 at 17:44
  • 1
    Ok, agree with you about JWT Token what about another token? Commented Sep 25, 2019 at 17:49
  • Even if you manage to obfuscate the code, there are tools like lelinhtinh.github.io/de4js that will automatically undo most of the obfuscation. You should assume that any data that is stored in the app can and will be read by a sufficiently motivated user. Commented Jul 7, 2021 at 5:36

3 Answers 3

Reset to default
14

You can use bytenode as mentioned is Nicolas Guérinet's answer.

However, the binary generated by bytenode CLI will give you runtime error when you try to use it in your electron project. The error will say something like:

"Invalid or incompatible cached data (cachedDataRejected)"

For the binary to work with electon, it must be generated by electron itself.

Here's how to get it working:

Let's say you want to protect main.js in a typical electron project.

Install bytenode

npm i bytenode

Rename main.js to something else, say temp.js.

Create a new main.js with the following code:

const { app, BrowserWindow } = require('electron')

function createWindow() {
    // Create the browser window.
    mainWindow = new BrowserWindow({
        width: 400,
        height: 200
    })

    //use bytenode to convert js files to jsc
    const bytenode = require("bytenode");
    let compiledFilename = bytenode.compileFile({
        filename: './temp.js',
        output: './main.jsc'
    });
    //convert other Node.js files as required
}

app.whenReady().then(() => {
    createWindow()
})

Now run your electron project. When the blank window appears, look into you project directory, you will find the main.jsc file.

Change your main.js to the following three line code:

const bytenode = require('bytenode'); 
const myFile = require('./main.jsc'); 
myFile;

Remove your nodejs source file (temp.js) from your project and build your project.

You can also minify and obfuscate your code before converting it to jsc.

Credits to https://github.com/mapleby for his posts at https://github.com/bytenode/bytenode/issues/63. I have adapted his idea to get it working.

This will make is significantly more difficult for someone to reverse engineer your code but it will still be possible.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Image
Thanks, thats was the reason because fail only when I run the application at make build.
13

There is a library called bytenode which allows you to convert your Javascript files into binary files so that no one can read it.

First, install bytenode on your server and in your folder:

>npm i -g bytenode
>npm i bytenode

Create a normal nodeJS file with the following code in it. Let's imagine we name the following code ok.js:

console.log('bytenode works');

Then, compile your javascript code. The command will create a .JSC file with the same name as your file.

user@machine:~$ bytenode -c ok.js

Then, in a main JS file, you will call your binary. Let's call it test.js:

const bytenode = require('bytenode'); 
const myFile=require('./ok.jsc'); 
myFile;

Save it.

Then, you will call test.js: node test.js to test it. Do a cat ok.jsc to see that it is really a binary and that nobody can see your code. You can move your original plain test.js file to another location.

Improve this answer

3 Comments

Image
This won't work in the Electron client code
Image
You can indeed bytenode your electron code. :)
Image
See my answer on how to make it work with electron.
1

If you're referring to code that you for some reason must have on the client-side, then obfuscation can definitely help. There's no such thing as obfuscation that's impossible to defeat; however, it can raise the cost of de-obfuscation to a point where it's just not worth it for attackers.

The OWASP Mobile Top 10 2016-M9-Reverse Engineering mentions this: "In order to prevent effective reverse engineering, you must use an obfuscation tool". Then you also may benefit from runtime self-protection, which you can also find on the OWASP list: "The mobile app must be able to detect at runtime that code has been added or changed from what it knows about its integrity at compile time. The app must be able to react appropriately at runtime to a code integrity violation".

When comparing different obfuscators, it's critical to check if they provide support and documentation and ensure that the company behind them won't add malware and hide it in the obfuscated code. Here's where free obfuscators often come short.

Check Jscrambler for an enterprise solution. They support Electron and the full list of their obfuscation transformations is available here.

Improve this answer

1 Comment

Image
Thanks for a helpful answer, However, I'm not looking for an enterprise solution. I'm looking for open source or integrated with electron ti self. You may also suggest freeware.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.