Because of this, code obfuscators are on the rise. One of the newest kids on the block is JScrambler (https://jscrambler.com/) made by AuditMark (http://auditmark.com/).
Code obfuscators work, but do they add any value for security, for protecting our intellectual property, etc.?
Obfuscated code is modified on purpose to make it harder to read and more difficult to analyze what the code really does. A key point here is that this goal is a two-way street. It can serve someone trying to protect their intellectual property, or malware trying to avoid detection by anti-virus/malware scanners. So our first point is that obfuscated code can be used for and against us.
Makers of code obfuscators say obfuscation provides the following benefits to its users:
- Prevent code reutilization.
- Prevent code modification.
- Prevent unauthorized code execution (piracy).
- Add another layer of security, by making it harder for attackers to interfere with your Web Application.
This last point is the most discussed: does obfuscated code really provide a benefit as an added layer of security? Remember, code obfuscation is NOT encryption.
Yes, obfuscated code does provide extra security. We know it can be broken/reverse engineered, but the time and effort that takes does provide a temporary deterrent to the casual hacker. In the long run it will not protect your code.
Before using code obfuscation, I think one of the first things we need to ask ourselves is "What are we trying to accomplish with code obfuscation?" With that question in mind, here are a few guidelines.
- Never put sensitive information on the client (passwords, "hidden" URLs, validation routines, encryption routines, etc.).
- Understand that anything on a client can be compromised because you no longer have control.
- Any obfuscation of client-side code has to be undone in order for the framework to process it, so it provides only a marginal security improvement.
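The guidelines above can be turned into a pre-release check. This is an added example, not code from the original post or from any obfuscator vendor: it decodes the string literals of an obfuscated bundle the same way the browser must and flags sensitive values that were still shipped to the client. The sample bundle, the `SENSITIVE` policy and all function names are constructed for illustration, and it assumes strings are hidden with `\xNN`/`\uNNNN` escapes or base64.

```javascript
// Added example (not from the original post). Sample values are constructed.
// Assumption: strings are hidden with \xNN / \uNNNN escapes or base64.
const hexEscape = (s) =>
  [...s].map((c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");

// Constructed stand-in for an obfuscated client script with a string table.
const SAMPLE_BUNDLE =
  `var _0x1a=["${hexEscape("/api/internal/export")}",` +
  `"${b64("password=example-only")}","${hexEscape("click")}"];` +
  `function _0x2b(i){return _0x1a[i];}`;

// Undo the escapes the same way the JS engine does when it parses the literal.
function decodeEscapes(lit) {
  return lit.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g, (_, h, u) =>
    String.fromCharCode(parseInt(h || u, 16)));
}

// Base64-decode a literal if it plausibly encodes printable ASCII, else null.
function tryBase64(s) {
  if (s.length < 8 || s.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return null;
  const out = Buffer.from(s, "base64").toString("utf8");
  return /^[\x20-\x7e]+$/.test(out) ? out : null;
}

// Hypothetical policy: values that must never ship to the client.
const SENSITIVE = [/password|passwd|secret|api[_-]?key|token/i, /\/(admin|internal)\b/i];

// Report every string literal whose decoded form matches the policy.
function auditBundle(source, patterns = SENSITIVE) {
  const findings = [];
  const literal = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  for (const m of source.matchAll(literal)) {
    const decoded = decodeEscapes(m[1] ?? m[2]);
    for (const candidate of [decoded, tryBase64(decoded)]) {
      if (candidate && patterns.some((p) => p.test(candidate))) {
        findings.push({ literal: m[0], recovered: candidate });
      }
    }
  }
  return findings;
}

console.log(auditBundle(SAMPLE_BUNDLE));
```

Any finding means the value belongs on the server; re-running the obfuscator with stronger settings does not change that.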
A few other resources:
https://developers.google.com/closure/compiler/docs/api-tutorial3 Compression provides obfuscation as a side-effect.