Re: [qooxdoo-devel] How to hide my Application.js code in distributed app...how to distribute binary versions

2014-04-02 Thread John Spackman
Hi Vishal

I see the argument, and there’s a commercial project I came across just last
week (ironically) at [1] that does exactly that.

IMHO the hard part about implementing one is that most people's obfuscation
needs are probably met by typical minification, and as Tobias says there is
risk of the process having a negative effect on your app.  Minified code is
hard to debug at the best of times, obfuscated code would be worse, and
implementing a static parser that understands the subtleties of a language is
no small task in the first place.

I don’t want to put you off though, I’d be very interested to see what you
find, either as existing open source projects or if you take it on yourself.

[1] https://jscrambler.com/

John

From:  Vishal 
Reply-To:  qooxdoo Development 
Date:  Monday, 31 March 2014 10:46
To:  qooxdoo Development 
Subject:  Re: [qooxdoo-devel] How to hide my Application.js code in
distributed app...how to distribute binary versions

Hi John,

That is true, I agree with what you have said.

Given enough time and money (read as "dedication") ...almost everything is
possible...for the dedicated.
Nonetheless, following the same line of thought as above, we should, as
designers of industrial strength commercial apps, make all possible efforts
to extend the time and money required for reverse engineering,
asymptotically to infinity.

I was thinking of a contrib that can do this for QooxDoo specifically and
JavaScript in general.

As far as the case of browser seeing the javascript and so the user seeing
it in turn is concerned, in this case it's running in a headless browser
hosted inside a GUI window, so inspection tool options, such as "View Page
Source", "View Page Info" or "Inspect Element", are NOT available. Will it
still be possible for my user to see what is going on behind the user
interface... Am I looking at it too simplistically?

Thanks and best regards,
Vishal Sapre

Re: [qooxdoo-devel] How to hide my Application.js code in distributed app...how to distribute binary versions

2014-03-31 Thread Vishal
Hi John,

That is true, I agree with what you have said.

Given enough time and money (read as "dedication") ...almost everything is
possible...for the dedicated.
Nonetheless, following the same line of thought as above, we should, as
designers of industrial strength commercial apps, make all possible efforts
to extend the time and money required for reverse engineering,
asymptotically to infinity.

I was thinking of a contrib that can do this for QooxDoo specifically and
JavaScript in general.

As far as the case of browser seeing the javascript and so the user seeing
it in turn is concerned, in this case it's running in a headless browser
hosted inside a GUI window, so inspection tool options, such as "View Page
Source", "View Page Info" or "Inspect Element", are NOT available. Will it
still be possible for my user to see what is going on behind the user
interface... Am I looking at it too simplistically?

Thanks and best regards,
Vishal Sapre

---
"Life is 10% how you make it, and 90% how you take it"
"बहुजन हिताय, बहुजन सुखाय (Benefit for most people, Happiness for most
people.)"
---
Please DON'T print this email, unless you really need to. Save Energy &
Paper. Save the Earth.


On Mon, Mar 31, 2014 at 4:08 PM, John Spackman wrote:

> But at some point that BSON has to be decoded into Javascript in order for
> the browser to run it, and if the browser can read it then so can a
> malicious individual.  OK it’s obfuscated, but there will be tools to help
> de-obfuscate it.  The bottom line is that you cannot prevent people from
> seeing what your app does, given enough time and dedication.
>
> John
>
--
___
qooxdoo-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel


Re: [qooxdoo-devel] How to hide my Application.js code in distributed app...how to distribute binary versions

2014-03-31 Thread John Spackman
But at some point that BSON has to be decoded into Javascript in order for
the browser to run it, and if the browser can read it then so can a
malicious individual.  OK it’s obfuscated, but there will be tools to help
de-obfuscate it.  The bottom line is that you cannot prevent people from
seeing what your app does, given enough time and dedication.

John

From:  Vishal 
Reply-To:  qooxdoo Development 
Date:  Monday, 31 March 2014 08:34
To:  qooxdoo Development 
Subject:  Re: [qooxdoo-devel] How to hide my Application.js code in
distributed app...how to distribute binary versions


Hi Tobi,

I agree with you 'mostly'.
 
I guess one way to make it more opaque is to code numbers instead of
strings, when it comes to sensitive data about hardware that is being
managed by this front end app...I will try that out.

For the sake of curiosity, however, it should be possible to pack all the
minified application code into a BSON object which gets pushed into a
regular javascript attribute of the top level script, and then at run time
decode the BSON into regular JavaScript and get the app going ?

Better still, all users to push their own binary schema to create the binary
representation.

Any soul up for the challenge? :)

Take care,
Vishal Sapre


Thanks and best regards,
Vishal Sapre


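
The runtime decode step proposed in this thread, and the reply that the browser must be able to read the result, as an added example that is not part of the original messages: base64-wrapped JSON stands in for the BSON container, and every function name and sample value is hypothetical. The loader has to hand plain JavaScript text to the engine, so a wrapper around the engine's entry point sees the full source.

```javascript
// Added example (not from the thread). Base64-wrapped JSON stands in for the
// BSON container discussed above; all names here are hypothetical.

// Constructed sample "application" source that a vendor wants to hide.
const APP_SOURCE = 'return { deviceRegister: 0x2A, label: "pump-controller" };';

// Build step: wrap the minified source in an opaque-looking blob.
function pack(source) {
  const doc = JSON.stringify({ v: 1, code: source });
  return Buffer.from(doc, "utf8").toString("base64");
}

// Runtime loader shipped to the client: it must turn the blob back into
// plain JavaScript text before the engine can execute it.
function load(blob, evaluate) {
  const doc = JSON.parse(Buffer.from(blob, "base64").toString("utf8"));
  return evaluate(doc.code);
}

// The engine's entry point for dynamically supplied code.
function engineEvaluate(source) {
  return new Function(source)();
}

// Whoever controls the runtime can wrap that entry point and record
// exactly what the loader hands over, with no inspection UI involved.
function recordingEvaluator(log) {
  return (source) => {
    log.push(source);
    return engineEvaluate(source);
  };
}

function demo() {
  const blob = pack(APP_SOURCE);
  const seen = [];
  const app = load(blob, recordingEvaluator(seen));
  return {
    blobHidesLabel: !blob.includes("pump-controller"),
    appStillRuns: app.deviceRegister === 0x2a,
    recoveredSource: seen[0],
  };
}

console.log(demo());
```

The blob looks opaque on disk, yet the recorded string is byte-for-byte the original source, which is why data that must stay confidential belongs on the server side rather than in the shipped client.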


Re: [qooxdoo-devel] How to hide my Application.js code in distributed app...how to distribute binary versions

2014-03-31 Thread Vishal
Hi Tobi,

I agree with you 'mostly'.

I guess one way to make it more opaque is to code numbers instead of
strings, when it comes to sensitive data about hardware that is being
managed by this front end app...I will try that out.

For the sake of curiosity, however, it should be possible to pack all the
minified application code into a BSON object which gets pushed into a
regular javascript attribute of the top level script, and then at run time
decode the BSON into regular JavaScript and get the app going ?

Better still, all users to push their own binary schema to create the
binary representation.

Any soul up for the challenge? :)

Take care,
Vishal Sapre


Thanks and best regards,
Vishal Sapre


On Mon, Mar 31, 2014 at 1:12 PM, Tobias Oetiker  wrote:

> Hi Vishal,
>
> Saturday Vishal wrote:
>
> > Hello,
> >
> > My app involves distributing the qooxdoo client to the user, and I would
> > like to hide my code.
> >
> > How to do this?
> >
> > I see that in build version, a single .js will be created and
> > it will be minified as well.
> > However, is there a way to convert all of this into a binary file.
> > Something like BSON <http://bsonspec.org/>.
>
> I seriously doubt that anyone would go to the extent of reverse
> engineering your javascript frontend code ... I think all attempts
> at obfuscation will simply introduce more problems for you and your
> legitimate customers as things will fail in odd cases introduced
> by the modifications.
>
> cheers
> tobi
>


Re: [qooxdoo-devel] How to hide my Application.js code in distributed app...how to distribute binary versions

2014-03-31 Thread Tobias Oetiker
Hi Vishal,

Saturday Vishal wrote:

> Hello,
>
> My app involves distributing the qooxdoo client to the user, and I would
> like to hide my code.
>
> How to do this?
>
> I see that in build version, a single .js will be created and
> it will be minified as well.
> However, is there a way to convert all of this into a binary file.
> Something like BSON <http://bsonspec.org/>.

I seriously doubt that anyone would go to the extent of reverse
engineering your javascript frontend code ... I think all attempts
at obfuscation will simply introduce more problems for you and your
legitimate customers as things will fail in odd cases introduced
by the modifications.

cheers
tobi

-- 
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
www.oetiker.ch [email protected] +41 62 775 9902
*** We are hiring IT staff: www.oetiker.ch/jobs ***
