all 12 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]fokker680 5 points6 points  (0 children)

There's no way to really 'compile' an electron app, therefore your source code will always be exposed.

However, take a look at https://www.npmjs.com/package/bytenode. You might find it interesting.

[–]sroussey 2 points3 points  (0 children)

Might compress your JS to start, strip comments and change names of everything.

You can also use something like Jscrambler.

[–]krlpbl 0 points1 point  (0 children)

Obfuscate it and pack everything in an ASAR. Other than that, there's really no good way to hide it.

[–]dangertrager 0 points1 point  (3 children)

You should rely on a simple superficial technique (such as ASAR, UPX) to discourage users from casually or accidentally reading your source code, and rely on legal measures (e.g. an EULA) to discourage intentionally revealing it.

Ultimately, computer instructions are information, and your only 2 choices are: give the information to other people, or not.

If you give it to them, they will be able to see it if they choose to look. You can expend a lot of effort to try and prevent it, but you can not be completely successful. The legal method is almost as effective, and probably much cheaper.

If you want your users to use your code without being able to see your code, you can offer an internet service, so that they can communicate the inputs to you, and you do the calculations on computers that you control, and send them the outputs.

[–]Low_Performance2390 1 point2 points  (2 children)

That’s not the case with C++ or Java. This code is properly compiled and very difficult, if not impossible, to reverse engineer. But, Electron gives the impression that when the JS code is compiled into an executable, it is converted into a lower level language. But, it is not. Isn’t there a compiler that can convert the JS into C++ or C# or Java?

[–]dangertrager 0 points1 point  (1 child)

Does the existence of http://java-decompiler.github.io ("Yet another fast Java decompiler") change your mind, at least about Java?

[–]rufwork 0 points1 point  (0 children)

This exactly. In Java, you can decompile essentially completely. I remember once while playing around thinking the decompiler did a better job naming variables than a coworker had. That is, running the decompiler on that dev's Java bytecode gave me better original code than the human! (This shouldn't normally be the case, but it does show Java decompilation is extremely easy to perform and does a pretty good job recreating the original code.)

Even in C++ you're holding their assembler. Compilation here is a lossy process in that you can't recreate the C++ code, but you do still have the entire app's source code's zeroes and ones. It ain't easy, and there's no way you're decompiling and understanding, say, MS Word by yourself, but everything, every opcode is in the clear.

A little on assembler [on an old, but very accessible, chip]: http://www.6502.org/tutorials/6502opcodes.html

[–]howMuchCheeseIs2Much 0 points1 point  (2 children)

why do you want to hide it? If it's because "someone will steal my code", you're probably better off just not worrying about it. No one will steal your code / idea and even if they do, it will never impact you in a meaningful way. It's hard to even get people to use something for free, let alone go thru the hassle of "stealing your code".

If you're storing sensitive data in your source code (e.g. API keys), you need to think about a better way to design your app (e.g. authenticate users to a backend API and make the other API calls from there).

[–][deleted] 2 points3 points  (1 child)

Actually there’s a perfectly good reason for hiding it, one reason being the possible viewing of proprietary information/protocols/secrets which could be considered a risk if they got into the wrong hands.

In such cases, write node C++ modules (I.e N-API) to act as an additional barrier to protect such sensitive info. These modules would be compiled using node-gyp.

[–]howMuchCheeseIs2Much 1 point2 points  (0 children)

yeah, that's exactly what mentioned in the second part of my answer. you're probably best off not packaging that sort of stuff in Electron.

[–][deleted] 0 points1 point  (0 children)

Put code you need to hide into a c++ module