7

I want to Obfuscate + Minify my Angular JS code in order to not make it public and if someone tries to decode it, then make it a hurdle. Code is running up on the server.

Note: In future we are planning to shift http to https.

I have seen a lot of options like Gulp, Google Closure Compiler, UglifyJS etc and many tool which a user can download and obfuscate the code like jsob, javascript obfuscate etc.

I need a suggestion and have few questions.

  1. What is the more better approach apart from encryption?
  2. If I shift to https shall I still require obfuscations?
  3. What are the better and easy approaches with pros and cons?
  4. If I use a tool like JavaScript obfuscate, then what will be its pros and cons? Am I able to get It back, I mean decode?
  5. Or If someone is able to look into gulp file will it be easy to get my code?
Mishi
  • 628
  • 4
  • 16
  • 40
  • What exactly are you trying to stop the person looking through your code from discerning? do you have important secure things like passwords or private keys in it? or are you just trying to hide business logic? – haxxxton Jan 19 '17 at 08:27
  • 1
    Just trying to hide business logic and stop the person looking through your code. – Mishi Jan 19 '17 at 10:14

2 Answers2

14

1 - It really depends on what you are trying to achieve. If you really want to protect your code to hide your business logic, you should go for a resilient solution, instead of relying on a minification or obfuscation tool per se which is far too easy to defeat.

2 - Https simply means that the communication between your browser and website is encrypted. Https can also be decrypted, so it would make sense to apply other protection mechanisms

4 - JavaScript Obfuscator and several other tools do not protect the code, they are simple obfuscators and so they can be easily reversed in minutes and that's why some people think it's not worth protecting code on the client-side. In fact, you can get most of the original code using a simple JS optimizer. ClosureCompiler and UglifyJS have precisely this different approach, they reduce the size of the code and optimize it, they do not offer code protection.

3, 5 - I found this blog post from js13kGames competition creator quite useful for my case. He suggests a solution that seems to be more appropriate - Jscrambler. IMO you should give it a try as it combines code transformations with anti-debugging and anti-tampering features. You can also lock your code to a predefined list of domains or set an expiry date to deliver expirable demos, for example. Maybe it could be a fit for your case too as it supports Angular.

user7366409
  • 186
  • 1
  • 5
  • 3
    I confirm that Javascript Obfuscator is easy to reverse, contrary to Jscrambler which is more than an obfuscator. It employs multiple code protection techniques. – Alex Jan 20 '17 at 01:02
  • What to you think about YUI Compressor for AngularJS project's obfuscation and minification? – Mishi Jan 20 '17 at 05:52
  • 3
    YUI Compressor is a minifier, and like any other minifier (closure, uglifyjs, etc) is only meant to reduce the filesize and optimize the code. It won't help you protect at all. But these are easy to tell. The ones who are generally difficult to understand if they are any good are the obfuscators that use encoding/cripto. Most of them like jsfuck, whak.ca or javascript2img are easily reversed as well (see http://ooze.ninja/javascript/poisonjs/#). They are more recreational. Bottomline: you should always to do your own check. – Alex Jan 20 '17 at 10:00
1

I've found a nice solution using gulp-uglify. If you use implicit anotation, first use gulp-ng-annotate for not losing service names on uglify process.

MarcBilbo
  • 51
  • 1
  • 2