Protecting your source code from analysis and reuse by competitors
One day a client asked us to produce a special CD version of the website
we created for him (so that the web server and database server could be
run directly from a CD inserted in the user's computer). Finding a toolkit
on Google that would allow producing such a CD was rather easy. There are
several webservers on the market designed to run from CD; some even allow
the same CD to be used on several platforms, i.e. Windows, Mac OS X and
even Linux. That site used several dozen PHP files we've created,
and to protect them, we used one of the PHP encoders available on the market.
The site also used a lot of complex JavaScript code that was our important
intellectual property, so we were rather concerned by the fact that anyone
could take our JavaScript code and adapt it for use in their own projects.
We turned again to Google and found that there are special tools called
"obfuscators" that rename variables and functions to meaningless strings
like s2jE9j4RMt or names that are as short as possible, remove comments
and all extra space characters. It turned out that such tools exist for
almost all popular programming languages, including JavaScript. You can
see a sample list of such obfuscation tools for JavaScript here.

//--------------------------------------------------------------------------
// Here goes some comment with sensitive private information about the
// code.
//--------------------------------------------------------------------------
function CalculateSalary(aEmployees) {
    var nEmpIndex = 0;
    while (nEmpIndex < aEmployees.length) {
        var oEmployee = aEmployees[nEmpIndex];
        oEmployee.fSalary = CalculateBaseSalary(oEmployee.nType, oEmployee.nWorkingHours);
        if (oEmployee.bBonusAllowed == true) {
            oEmployee.fBonus = CalculateBonusSalary(oEmployee.nType, oEmployee.nWorkingHours, oEmployee.fSalary);
        } else {
            oEmployee.fBonus = 0;
        }
        oEmployee.sSalaryColor = GetSalaryColor(oEmployee.fSalary + oEmployee.fBonus);
        nEmpIndex++;
    }
}

Here is the obfuscated version of the same JavaScript code:

function c(g){var m=0;while(m<g.length){var r=g[m]; r.l=d(r.n,r.o);if(r.j==
true){ r.k=e(r.n,r.o,r.l);}else{r.k=0;}r.t=f(r.l+r.k);m++;}}

As you can see, the obfuscated JavaScript code is extremely hard or impossible
to understand. Also, its size is much smaller, resulting in shorter download
times and less bandwidth used. Some obfuscators provide even
more protection -- like uglification of names (using long meaningless names),
string and integer uglification and encoding of the result. The output
files such tools create are almost impossible for a human to understand.
Google itself also uses such an obfuscation tool to scramble and minimize
the size of JavaScript code in Gmail - just log in to Gmail and examine
the source of webpages for yourself. Since that project, we've used obfuscation
to protect a lot of our projects, including obfuscation of ASP code. Several
tools exist even for obfuscation of PHP, Python, Perl and TCL languages,
so we feel much less nervous after discovering the safety obfuscation provides.
It turns out that some people are using obfuscators for protection of
source code written in compiled languages, like C#, Ada, C/C++ and Java.
There are companies selling cross-platform software that prefer to ship
it as obfuscated source code instead of providing executables for every
operating system; they expect customers to build their software on the
platform on which they wish to use it - for example FlexeLint for C/C++
by Gimpel Software is distributed as obfuscated C code. We are excited
by the increased safety obfuscation provides for our intellectual property,
and strongly recommend all developers use this technology!

Happy developers who use obfuscation and encoding technologies.
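
The comment stripping, identifier renaming and whitespace removal described in the message above, as an added example that is not part of the original message or any real obfuscator. SAMPLE, KEEP, shortName, obfuscate and load are hypothetical names; unlike the sample output in the message, it leaves property names after a dot unchanged so the function still works on caller-supplied objects, and it assumes source with no string or regex literals.

```javascript
// Constructed input modelled on the page's CalculateSalary sample.
const SAMPLE = `
// Constructed comment standing in for private notes about the code.
function CalculateBaseSalary(nType, nWorkingHours) {
  return nType * nWorkingHours;
}
function CalculateSalary(aEmployees) {
  var nEmpIndex = 0;
  while (nEmpIndex < aEmployees.length) {
    var oEmployee = aEmployees[nEmpIndex];
    oEmployee.fSalary = CalculateBaseSalary(oEmployee.nType, oEmployee.nWorkingHours);
    nEmpIndex++;
  }
}`;
// Words that must not be renamed (keywords and literals; not a full list).
const KEEP = new Set('function var while return if else true false null do in of'.split(' '));
// 0 -> a, 25 -> z, 26 -> aa, ...
function shortName(n) {
  let s = '';
  do {
    s = String.fromCharCode(97 + (n % 26)) + s;
    n = Math.floor(n / 26) - 1;
  } while (n >= 0);
  return s;
}

// Naive obfuscator: assumes no string or regex literals and explicit semicolons.
function obfuscate(src) {
  const names = new Map(); // original identifier -> short name
  let next = 0;
  const code = src
    .replace(/\/\*[\s\S]*?\*\/|\/\/[^\n]*/g, '') // strip comments
    .replace(/(\.\s*)?\b[A-Za-z_]\w*/g, (tok, dot) => {
      if (dot || KEEP.has(tok)) return tok; // keywords and .property names stay
      if (!names.has(tok)) {
        let name; do { name = shortName(next++); } while (KEEP.has(name));
        names.set(tok, name);
      }
      return names.get(tok);
    })
    .replace(/\s+/g, ' ') // collapse whitespace
    .replace(/ ?([^\w ]) ?/g, '$1') // drop spaces around punctuation
    .trim();
  return { code, names };
}

// Evaluate source text and return one of its functions by name.
const load = (code, fnName) => new Function(`${code}; return ${fnName};`)();
console.log(obfuscate(SAMPLE).code);
```

The output keeps the control flow, the call structure and the property names of the input, and the renamed function computes the same salaries as the original.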
This archive was generated by hypermail 2b30 : Wed Jul 26 2006 - 02:17:25 MEST