How to protect source code in electron project

2

11

I built my first Electron app, but now I wonder how to protect the source code from being viewed by other developers.

The official doc says:

To protect your app's resources and source code from the users, you can choose to package your app into an asar archive with little changes to your source code.

So far the best I can think of is to uglify the source code and package it into an asar file, but the asar file is just an archive and can easily be extracted. I don't see how having that makes your code "protected from the user".

Any ideas?

Milkmaid answered 11/5, 2015 at 12:6 Comment(1)
You would also need a way to protect against calls to toString which could display decrypted sources. - Fractional
4

There is no official way to copy-protect your code at the moment, sorry - if you want to do this, you'll have to invent your own way (or just not worry about it)

Cook answered 13/5, 2015 at 4:13 Comment(4)
Yeah it is what I feared - Milkmaid
Is this still the case, 5 years later? - Ean
@MarcoNoronha unfortunately yes - Ctenidium
Just use WebAssembly. - Pietrek
3

It's impossible to fully protect the code, no matter how you package it: in order for it to be run, it has to be accessible and decrypted, which means the key has to be stored locally.

Consider this scenario:

The authors of the Electron system and asar file format implement encryption similar to a password-protected zip, and give you the ability to specify the archive password at compile time so that it is 'safely' stored inside the .exe and the asar file can't be opened/read without it.

A hacker could still figure out the key by compiling electron themselves with some test keys, for instance AAAA and AAAB, then comparing the resultant binary file to determine the location of the key string inside it. Once they know how to extract the key from the exe it's game over.

I guess the strongest protection you can make is if you modify the electron source code yourself to store and retrieve the key, but even then an attacker can decompile the code, compare it with a decompiled standard version of electron, figure out where your code modifications start and reverse engineer it until they figure out how you are storing the key.

Again, the moment they have the key, it's game over, and in order for Electron to run any code it has to be able to read it, which means it has to have the key available locally. Catch-22.

Presbyterian answered 16/9, 2016 at 19:34 Comment(0)
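
The scenario in the answer above, as an added example that is not part of the original post and is not Electron's or asar's code: a toy build embeds an AES key in a constructed "runtime" buffer, and comparing two test builds locates it, which shows why a compile-time key gives no confidentiality. The names `build`, `diffRange` and `recoverSource` are hypothetical, and the all-'A' and all-'B' 32-byte test keys generalize the AAAA/AAAB idea so that the whole key range differs.

```javascript
// Added illustration on constructed data; not Electron's or asar's real format.
const crypto = require('node:crypto');

// Hypothetical build step: a stand-in "runtime" image with the archive key
// embedded in it, plus the app source encrypted under that key (AES-256-GCM).
function build(key, source) {
  const runtime = Buffer.concat([
    Buffer.from('FAKE-RUNTIME-CODE....'), // constructed bytes, not a real exe
    key,
    Buffer.from('....MORE-RUNTIME-CODE'),
  ]);
  const iv = Buffer.alloc(12, 1); // fixed IV only to keep the toy deterministic
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(source, 'utf8'), cipher.final()]);
  return { runtime, archive: { iv, body, tag: cipher.getAuthTag() } };
}

// Smallest byte range covering every position where two runtimes differ.
function diffRange(a, b) {
  let start = -1, end = -1;
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    if (a[i] !== b[i]) { if (start < 0) start = i; end = i + 1; }
  }
  return { start, end };
}

// The offset learned from two test builds applies to any release build,
// because the runtime must keep the key where it can read it.
function recoverSource(release, testA, testB) {
  const { start, end } = diffRange(testA.runtime, testB.runtime);
  const key = release.runtime.subarray(start, end);
  const d = crypto.createDecipheriv('aes-256-gcm', key, release.archive.iv);
  d.setAuthTag(release.archive.tag);
  return Buffer.concat([d.update(release.archive.body), d.final()]).toString('utf8');
}

const SOURCE = 'module.exports = () => "proprietary logic";'; // constructed sample
function demo() {
  const testA = build(Buffer.alloc(32, 'A'), 'x');
  const testB = build(Buffer.alloc(32, 'B'), 'x');
  const release = build(crypto.randomBytes(32), SOURCE); // key never passed on
  return recoverSource(release, testA, testB);
}

console.log(demo() === SOURCE);
```

The encryption itself is sound here; the failure is purely that the key ships alongside the ciphertext, so anything that must stay secret belongs on a server rather than in the packaged app.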
