Obfuscating source code

I use a third-party obfuscator for the code.js file when publishing my webapp. For years, I thought this was really smart and no one could see how the javascript code was written. (I always used plain text code.js file for debugging.)

Horsing around today, I opened the webapp in the Chrome Developers mode and lo and behold, there’s the obfuscated javascript in plain text. I guess this makes sense, but I had never thought of this before.

So, I have to assume any obfuscated javascript code in the code.js can easily be seen in the Chrome debugger… Maybe there’s another way around this? If not, then there is no convenient way to hide the code.js file.

Rodney

Hi Rodney,

This question will take a bit of research. Could you clarify the following:

  • What do you mean by “there’s the obfuscated javascript in plain text”? Do you just mean that the obfuscated code is readable, or are you seeing an unexpected text file?
  • What is the difference in what you are seeing versus what you expected to see?
  • What obfuscator are you using?

Thanks!

Support,
I appreciate your interest in this. Let me explain the situation in a little more detail.

  • I prepare a Webapp using AppStudio. If I am having problems, I can debug the program step by step using the Chrome browser in Developer Mode.

  • Once the program is done, the last step is to obfuscate the code.js file created by AppStudio. I use a third-party program (even though AppStudio has a built-in obfuscator) to obfuscate the program.

This is what the code.js looks like after obfuscation:


//////////////////////////////////////////////
Javascript Obfuscator 4.3
by Rodney Wirtz
//////////////////////////////////////////////
eval((function(x){var d=“”;var p=0;while(p<x.length){if(x.charAt(p)!=“")d+=x.charAt(p++);else{var l=x.charCodeAt(p+3)-28;if(l>4)d+=d.substr(d.length-x.charCodeAt(p+1)*96-x.charCodeAt(p+2)+3104-l,l);else d+="”;p+=4}}return d})("frmLogin.onshow = function () {LabelVersion.text = s )#;};btnCheckPassword.onclick W,if (txt >%value == \"\") {return;}req = Ajax(\"p D#9.php?myPW=" + T-);if (req.status == 200) {sAnswer = req.responseText N! 6%= \"yes\") {NSB.MsgBox(\" ~$ Accepted", 0,

The rest of the lines of code above I deleted for brevity.

  • Normally, this is the end of the process. I transfer the AppStudio project to my server.

  • Today, however, I opened the obfuscated webapp from my server in Developer Mode on my Chrome browser. The browser partially decodes the code.js file, and it looks like this:


//////////////////////////////////////////////
Obfuscator 4.3
by Rodney Wirtz
//////////////////////////////////////////////
eval((function(x) {
var d = “”;
var p = 0;
while (p < x.length) {
if (x.charAt(p) != “") d += x.charAt(p++); else { var l = x.charCodeAt(p + 3) - 28; if (l > 4) d += d.substr(d.length - x.charCodeAt(p + 1) * 96 - x.charCodeAt(p + 2) + 3104 - l, l); else d += "”;
p += 4
}
}
return d
}
)("frmLogin.onshow = function () {LabelVersion.text = s )#;};btnCheckPassword.onclick W,if (txt >%value == \"\") {return;}req = Ajax(\"p D#9.php?myPW=" + T-);if (req.status == 200) {sAnswer = req.responseText N! 6%= \"yes\") {NSB.MsgBox(\" ~$ Accepted", 0, "Information");NewDate = DateAdd("d", 30, '&s T"new/!));localStorage.setItem(\"UACExpDate\", r#);iDays = 30;ChangeForm(frmCasting);#6$ else!n3Fail!l3 W$ K1roblem with Server Computer. Y1}};!R&%}3lblDaysLeft&+$\""A!Left: " + `"Q!;timeRef =

The rest of the lines of code above I deleted for brevity.

This is still obfuscated as displayed in the code.js tree:

BUT, when I paused the program’s execution, the debugger displays the clear text code it was executing.

So, I could scroll through the complete code.js file in clear text, giving away all my secret routines. :slightly_smiling_face:

The bottom line is this. I was surprised that I could see my clear text code.js code using the Chrome Developers feature. I do not think anything can be done about this, BUT I was surprised to find the clear text.

Rodney

Rodney,

Thanks for the clarification. Obfuscation is a bit of a cat and mouse game. Generally speaking, the free obfuscators only work so well and only hide so much. A lot of what’s hidden is done simply by minification and that’s pretty easy to undo. There are more advanced options out there, but in the end the JavaScript always needs to run in the browser, so the code in some form (even if it’s very hard to follow) is still there.

We have looked into options using Wasm. That can add an extra layer of work to determine what your secret algorithm is, but Wasm isn’t meant for obfuscation so in the end, a determined party can still disassemble your code and figure out what you’re doing.

The only way to really hide a secret algorithm is to put it on a secure server and have your JavaScript call out to that using fetch or Ajax. Even then, you have to make sure no one gains access to your server.

I do know that there are paid products out there that would make it much less likely you could recognize your code once Chrome formats it nicely, but these products can lead to hard-to-debug problems and generally we don’t suggest that they’re used as any more of a deterrent than a white picket fence.
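
The server-side approach described in the reply above, as an added example that is not part of the original thread or AppStudio's own code: the calculation lives in a Node.js handler and code.js only carries a fetch call. The endpoint path /api/convert, the function names and the CAL constants are hypothetical, with a pressure conversion standing in for the secret routine.

```javascript
// ---- Server side (Node.js): this part is never sent to the browser ----
const PA_PER_UNIT = new Map([["pa", 1], ["kpa", 1000], ["bar", 100000]]);
// Hypothetical proprietary constants standing in for the "secret algorithm".
const CAL = { gain: 2, offsetPa: 500 };

// Pure request handler: takes the request URL, returns { status, body }.
function handleConvert(rawUrl) {
  const q = new URL(rawUrl, "http://localhost").searchParams;
  const raw = q.get("value");
  // Number(null) and Number("") are 0, so reject missing/blank input first.
  const value = raw === null || raw.trim() === "" ? NaN : Number(raw);
  const from = PA_PER_UNIT.get(q.get("from")); // Map lookup: no prototype keys
  const to = PA_PER_UNIT.get(q.get("to"));
  if (!Number.isFinite(value) || from === undefined || to === undefined) {
    return { status: 400, body: JSON.stringify({ error: "bad request" }) };
  }
  const calibratedPa = CAL.gain * (value * from) + CAL.offsetPa; // secret step
  // Only the result leaves the server; the constants and formula do not.
  return { status: 200, body: JSON.stringify({ result: calibratedPa / to }) };
}

function serve(port) {
  const http = require("node:http");
  http.createServer((req, res) => {
    let out;
    try {
      const path = new URL(req.url, "http://localhost").pathname;
      out = path === "/api/convert"
        ? handleConvert(req.url)
        : { status: 404, body: JSON.stringify({ error: "not found" }) };
    } catch {
      out = { status: 400, body: JSON.stringify({ error: "bad request" }) };
    }
    res.writeHead(out.status, { "Content-Type": "application/json" });
    res.end(out.body);
  }).listen(port);
}
if (process.argv.includes("--serve")) serve(8080);

// ---- Browser side: the only logic that ships in code.js ----
async function convertPressure(value, from, to) {
  const qs = new URLSearchParams({ value, from, to });
  const resp = await fetch("/api/convert?" + qs);
  if (!resp.ok) throw new Error("conversion failed: " + resp.status);
  return (await resp.json()).result;
}
```

Pausing in the debugger now shows only convertPressure; callers can still observe inputs and outputs, so this hides the implementation rather than the behaviour.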

SBruck,

Thanks for your detailed and thorough reply. I will have to investigate your suggested WebAssembly. I agree with your points and yes it is difficult to hide my secret algorithms… :slightly_smiling_face:

I left out a step in my explanation. If you don’t mind I would like to add the missing step and show the summary one more time. Then we can drop the whole issue. :thinking:

I thought I would test another program that converts pressures to different units. The code.js file is obfuscated.

  • I opened the webpage in the Chrome browser and selected Developer Tools.
  • On the right side I selected ‘Event Listener Breakpoints’ > ‘Mouse’ > ‘Click’
  • The program will now stop when the mouse is clicked.
  • Below is the resulting screen when I clicked the mouse.
  • “3 - The javascript program is shown in clear text.”
  • The Chrome browser decoded my obfuscated code and is executing straight javascript.

So, there is no easy way to hide my secret algorithms.

We can end this now and I appreciate your time and suggestions. They certainly were interesting and I will investigate them further.

Thanks,
Rodney Wirtz

Hi Rodney,

Thanks for asking this question, and for all the extra info. This is a good post for others who might be thinking of how to obfuscate code.

Let us know if you have further questions!