
I'm making a simple project where I will have a downloadable scraper on an HTML website. The scraper is made in Python and is converted to a .exe file for downloading purposes. Inside the python code, however, I included a Google app password to an email account, because the scraper sends an email and I need the server to login with an available Google account. Whilst .exe files are hard to get source code for, I've seen that there are ways to do so, and I'm wondering, how could I make it so that anyone who has downloaded the scraper.exe file cannot see the email login details that I will be using to send them an email when the scraper needs to? If possible, maybe even block them from accessing any of the .exe source code or bytecode altogether? I'm using the Python libraries bs4 and requests.

Additionally, this is off-topic, however, as it is my first time developing a downloadable file, even whilst converting the Python file to a .exe file, my antivirus picked it up as a suspicious file. This is like a 50 line web scraper and obviously doesn't have any malicious code within it. How can I make the code be less suspicious to antivirus programs?

  • Most 'big companies' won't hard-code credentials in their app, but instead they will make the desktop app connect to a web application and provide an encrypted key or token that will be decrypted on the server web app. As for purely desktop apps (no internet), many of them are indeed cracked (that doesn't mean in all cases that credentials are leaked). As for apps where, if cracked, a lot of money is in play, e.g. big games, anti-tamper methodologies take place like Denuvo etc. – Ευάγγελος Γρηγορόπουλος Mar 17 '21 at 13:54
  • Thanks for everything. This helps a lot :) –  Mar 17 '21 at 16:35

2 Answers


Sadly, even today there is no perfect solution to this problem.

  • The ideal use case is to provide this secret_password from a web application, but in your case that seems unlikely since you are building a rather small desktop app.
  • The best and easiest way is to create a function providing this secret_password in a separate file, and compile this file with Cython, which will obfuscate your script (and your secret_password) to a very good extent. Will this protect you from, let's say, Anonymous or a state security agency? No. Here comes the reasonable thinking about how secret and important your password really is and from whom you mainly can be harmed. Finally, before compiling you can 'salt' your script or further obfuscate it with bcrypt or other libraries.

As for your second question, antiviruses, and specifically Windows, don't like programs running without installers and unsigned. You can use Inno Setup to create a real-life program installer. If you want to deal with UAC or other issues related to unsigned programs, you can sign your program (will cost money).
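Added example (not code from this answer or its author): one way to build the "provide the secret from a web application" design the answer calls ideal. The desktop scraper ships only a per-install token; a small relay service, which is the only place the SMTP credentials exist, verifies the token, rate-limits, and does the sending. The endpoint path `/notify`, the `install_id.hmac` token format, the placeholder credentials and the stand-in `send_alert_mail` outbox are all assumptions made for this example; a deployment would put the smtplib call inside that function, on the server.

```python
import hashlib, hmac, json
import secrets, threading, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# ---- server side: runs on a host you control; these values never ship -------
SMTP_USER = "alerts@example.com"            # constructed placeholder
SMTP_APP_PASSWORD = "server-only-secret"    # constructed; never inside scraper.exe
TOKEN_KEY = b"constructed-server-side-key"  # used only to mint/verify tokens
RATE_LIMIT_PER_HOUR = 3                     # kept tiny so the demo trips it

SENT = []    # stand-in outbox so the example runs offline
_usage = {}  # install_id -> timestamps of recent sends

def mint_token(install_id: str) -> str:
    """Issue one token per install at download time: '<install_id>.<hmac>'."""
    mac = hmac.new(TOKEN_KEY, install_id.encode(), hashlib.sha256).hexdigest()
    return f"{install_id}.{mac}"

def verify_token(token: str) -> Optional[str]:
    """Return the install_id if the token is genuine, else None."""
    install_id, _, mac = token.partition(".")
    expected = hmac.new(TOKEN_KEY, install_id.encode(), hashlib.sha256).hexdigest()
    if install_id and hmac.compare_digest(mac, expected):
        return install_id
    return None

def send_alert_mail(to: str, item: str, price: float) -> None:
    """Stand-in for the real send. A deployment would open smtplib.SMTP here,
    call starttls() and login(SMTP_USER, SMTP_APP_PASSWORD), all server-side."""
    SENT.append({"to": to, "subject": f"Price drop: {item} is now {price}"})

class RelayHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        length = min(int(self.headers.get("Content-Length", 0)), 4096)
        raw = self.rfile.read(length)
        auth = self.headers.get("Authorization", "")
        install_id = verify_token(auth[7:] if auth.startswith("Bearer ") else "")
        if install_id is None:
            return self._reply(401, "bad token")
        now = time.time()
        recent = [t for t in _usage.get(install_id, []) if now - t < 3600]
        if len(recent) >= RATE_LIMIT_PER_HOUR:
            return self._reply(429, "rate limited")
        body = json.loads(raw)
        # The client chooses only recipient and content; the sending account
        # and its credentials are the server's business.
        send_alert_mail(str(body["to"]), str(body["item"]), float(body["price"]))
        _usage[install_id] = recent + [now]
        self._reply(200, "sent")

    def _reply(self, code: int, msg: str):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(msg.encode())

def start_relay():
    """Start the relay on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), RelayHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

# ---- client side: the only part that goes inside scraper.exe ----------------
def notify(relay_url: str, token: str, to: str, item: str, price: float) -> int:
    """Ask the relay to send the alert; returns the HTTP status code."""
    req = Request(
        f"{relay_url}/notify",
        data=json.dumps({"to": to, "item": item, "price": price}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    try:
        with build_opener(ProxyHandler({})).open(req) as resp:  # ignore env proxies
            return resp.status
    except HTTPError as err:
        return err.code

def demo():
    """Genuine token works until rate-limited; tampered or forged tokens fail."""
    srv, port = start_relay()
    url = f"http://127.0.0.1:{port}"
    token = mint_token("install-" + secrets.token_hex(4))
    codes = [notify(url, token, "user@example.com", "Widget", 9.99)
             for _ in range(RATE_LIMIT_PER_HOUR + 1)]
    tampered = notify(url, token + "0", "user@example.com", "Widget", 9.99)
    forged = notify(url, "install-evil.deadbeef", "user@example.com", "Widget", 9.99)
    srv.shutdown()
    srv.server_close()
    return codes, tampered, forged  # ([200, 200, 200, 429], 401, 401)
```

A token is still a capability to make the relay send mail, so it must be revocable and rate-limited on the server. The difference from a hard-coded app password is that a token pulled out of the .exe cannot log in to the Google account at all, and the mail it can trigger is bounded and attributable to one install.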

  • Firstly, why is it even sending them an email? Since they'll be running the .exe, it can pop up a window and offer to save the file. If an email must be sent, it can be from the user's gmail rather than yours.

  • Secondly, using your gmail account in this way may be against the terms of service. You could get your account suspended, and it may technically be a felony in the US. Consult a lawyer if this is a concern.

  • To your question, there's basically no way to obfuscate the password that will be more than a mild annoyance to anyone with the least interest. At the end of the day, (a) the script runs under the control of the user, potentially in a VM or a container, potentially with network communications captured; and (b) at some point it has to decrypt and send the password. Decoding and following either the script, or the network communications that it makes will be relatively straightforward for anyone who wants to put in quite modest effort.

Jiří Baum
  • It's sending an email to notify that a price on an item has dropped. I would love for the user to use their own but that would require another section for login details and such, and I would prefer it to come from an email with the same name as the desktop app. In the python code, I am using server.starttls(), which encrypts the connection, however I'm still worried that someone with bad intent could grab the app password from the bytecode. In the simplest way, how do big companies send mass emails to their users if this problem hasn't been solved? –  Mar 17 '21 at 13:36
  • Encryption won't help much if the other end is actually the user's server rather than Google. – Jiří Baum Mar 18 '21 at 00:34
  • Big companies that send mass emails send them from their own systems, under their control, not from a user's system. – Jiří Baum Mar 18 '21 at 00:35
  • This question feels like an "[XY problem](https://meta.stackexchange.com/a/233676/948677)"; you're asking about obfuscating binaries, but it feels like the real problem you're trying to solve lies elsewhere. Why send an e-mail, when your app is already running on the user's computer and can pop up an alert? If you want to send an e-mail, why run on the user's computer, rather than a server? It feels like reviewing somewhat wider may be more fruitful than focusing on the narrow question... – Jiří Baum Mar 18 '21 at 07:19
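Added example, not code from the page or from Jiří Baum, making point (b) of the answer concrete: whatever "obfuscation" is applied, the scraper must decode the password and pass it to smtplib, so hooking that call yields the plaintext without reading a byte of the bytecode. The XOR-plus-base64 scheme, the key, the password and the `CapturingSMTP` stand-in below are all constructed for this example.

```python
import base64
import smtplib

KEY = b"constructed-xor-key"
# Plaintext appears here only so the example is self-contained; in the shipped
# scraper only the obfuscated literal OBF_PASSWORD would be present.
BUILD_TIME_PASSWORD = "constructed-app-password-1234"

def obfuscate(secret: str) -> str:
    """Build-time step: XOR with KEY, then base64 (what most 'hiding' amounts to)."""
    raw = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(secret.encode()))
    return base64.b64encode(raw).decode()

def deobfuscate(blob: str) -> str:
    """Run-time step the shipped scraper must perform before it can log in."""
    raw = base64.b64decode(blob)
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(raw)).decode()

OBF_PASSWORD = obfuscate(BUILD_TIME_PASSWORD)  # the literal that ends up in the .exe

def send_price_alert(host: str, port: int, to: str, item: str, price: float) -> None:
    """What the shipped scraper does: decode the secret and hand it to smtplib."""
    conn = smtplib.SMTP(host, port)
    conn.starttls()
    conn.login("alerts@example.com", deobfuscate(OBF_PASSWORD))
    conn.sendmail("alerts@example.com", [to],
                  f"Subject: Price drop\n\n{item} is now {price}".encode())
    conn.quit()

# ---- what anyone running the program can do ---------------------------------
captured = {}

class CapturingSMTP:
    """Drop-in replacement for smtplib.SMTP that records what login() receives."""
    def __init__(self, host, port=0, *args, **kwargs):
        self.target = (host, port)
    def starttls(self, *args, **kwargs):
        pass  # TLS to the real server is irrelevant; we are the 'server' now
    def login(self, user, password, *args, **kwargs):
        captured.update(user=user, password=password)
    def sendmail(self, *args, **kwargs):
        pass
    def quit(self):
        pass

def steal_credentials() -> dict:
    """Hook smtplib.SMTP, run the scraper's own code path, read the plaintext."""
    original = smtplib.SMTP
    smtplib.SMTP = CapturingSMTP
    try:
        send_price_alert("smtp.gmail.com", 587, "me@example.com", "Widget", 9.99)
    finally:
        smtplib.SMTP = original
    return dict(captured)
```

In plain Python the hook is a monkeypatch; against a packaged .exe the same interception is done with a debugger or an instrumentation tool attached to the process, or, as the comment above says, by being the other end of the connection. The step that matters is the same in every case: the plaintext password has to exist in the user's process at the moment `login()` is called, and no amount of Cython, XOR or base64 changes that.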