2

Suppose you had a pretty novel idea that involved a new algorithm. Let's say you were the first person to think of orbitz.com or kayak.com (travel sites), and you were able to and wanted to implement all of the novel algorithm client-side in JavaScript.

Is it possible to obfuscate it 100% where you can't reverse engineer it like this reverse engineer javascript obfuscators, or are developers still forced to keep sensitive algorithms server side if they want to completely protect them (or at least have a better chance of doing so)?

Dan Pichelman
Frank Visaggio
    If something is running on a client's machine, a sufficiently determined and skilled person can *always* figure out what is going on. –  Jan 07 '15 at 05:08
  • 3
    Note that once a user gets something executable, all bets are off. This applies not only to JavaScript but also to binary executables. I don't know if such things exist where you're from, but over here you can buy cracked software in street markets. Cracking is merely the reverse engineering of DRM and figuring out how to disable or bypass it. Given enough motivation, people are willing to convert binary bits to very hard to read assembly (sometimes by hand) to reverse engineer software. – slebetman Jan 07 '15 at 05:16
  • Yeah, I was thinking of ways to try and make client-side code non reverse engineerable or almost impossible, and I am not sure it's possible. I even went so far as to think about making it in Arabic then obfuscating it, but that doesn't really buy you much. – Frank Visaggio Jan 07 '15 at 05:19

2 Answers

28

Client-side JavaScript cannot be secured - ever. If the browser can run it, that means that the JavaScript instructions are 100% available to anyone who wants them.

You can compress and obscure the JavaScript. That is merely an obstacle that any talented developer can get around with some extra investment of time. So, a novel algorithm cannot be protected in browser-based JavaScript.

If you want an algorithm protected, it must reside on the server and be run there - delivering only results to the client, not delivering code to the client.

jfriend00
19

If you want someone to be able to run a program, you have to give them the program. (Duh!) If you want the CPU to execute the program, the CPU has to understand the program. (Duh again.) Computers are stupid, much stupider than humans. Ergo, if the CPU can understand the program, a human can too.

One way would be to give your users both the program and the CPU. Make the computer a black box where they put something in and get something out, and that's it. Note, however, that this is hard. Game console designers spend millions, maybe billions on protecting their hardware and still they get cracked pretty fast. (And it's usually not nefarious crime syndicates selling pirated games, but curious students wanting to run Linux on their XBox.)

The better way is to give them neither: keep the computer and the program in your possession and simply offer a service.

Or, just don't worry about it.

Jörg W Mittag
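The contrast both answers draw, sketched as an added example that is not part of the original posts: a packed client-side function still hands its source to whoever runs it, while a server-side handler returns only results. The fare-scoring formula, its constants, the XOR packing and every function name are hypothetical and constructed for illustration.

```javascript
// Constructed stand-in for the "novel algorithm" (hypothetical formula).
const SECRET_SOURCE = "return price * 0.73 + stops * 41.5;";

// --- Client-side delivery: what a packer/obfuscator effectively ships ---
// The source is XOR-scrambled, so it is unreadable in "view source"...
const KEY = 0x5a;
const packedPayload = Array.from(SECRET_SOURCE, (c) => c.charCodeAt(0) ^ KEY);

// ...but the unpacker has to ship with it, because the engine can only
// execute real JavaScript.
function unpack(payload) {
  const src = String.fromCharCode(...payload.map((n) => n ^ KEY));
  return new Function("price", "stops", src);
}

// Anyone holding the running function can ask the engine for its source.
function recoverSource(fn) {
  return Function.prototype.toString.call(fn);
}

// --- Server-side delivery: what both answers recommend ---
// Stand-in for an HTTP handler: request body in, response body out.
// The formula stays on the server; only the result is serialized.
function handleScoreRequest(jsonBody) {
  let input;
  try {
    input = JSON.parse(jsonBody);
  } catch (e) {
    return JSON.stringify({ error: "invalid JSON" });
  }
  const { price, stops } = input || {};
  if (!Number.isFinite(price) || !Number.isInteger(stops) || stops < 0) {
    return JSON.stringify({ error: "invalid input" });
  }
  return JSON.stringify({ score: price * 0.73 + stops * 41.5 });
}

// Stand-alone demo of both delivery models on one constructed input.
function demo() {
  const clientFn = unpack(packedPayload);
  return {
    recovered: recoverSource(clientFn), // contains the full formula
    serverReply: handleScoreRequest('{"price":200,"stops":1}'), // result only
  };
}
```
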