Is it possible to protect my code?
I only started using Titanium a few hours ago. I want to use it to develop a cross platform desktop application. So I created a test application, packaged it, and installed it on my machine. When I browsed the installation location I found in the 'resources' folder all my test files easily accessible.
So I am wondering is it possible to develop an application using Titanium that actually hides my source code from people trying to steal it or imitate it. I mean if I wanna make money from my app shouldn't my source code be at least protected from stealing. This is a huge issue if I am not developing an open source application.
Many thanks.
11 Answers
-
Accepted Answer
This may be referring to the Titanium Desktop product, but in case someone comes across this thread in the context of Titanium Mobile…the JavaScript resources inside your Titanium application are encrypted to protect against prying eyes.
-
Obfuscation is not enough here. We need the ability to either hide source code in a binary object that can't easily be read, or the ability to encrypt source code on disk and have the app decrypt it as it reads it in.
We're about to roll our own solution, but have asked the Titanium development team for this a couple of times already.
Agreed – this is a deal-breaker for any serious commercial application.
-
They need some way of byte-code compilation at least at deployment time. Byte-codes make the executable even faster than interpreting texts.
-
What do any of you mean by "serious commercial application"? You're not going to write Photoshop or Oracle in JavaScript and HTML.
As long as things are being done through a WebKit engine on the desktop, a dedicated enough hacker will be able to look at your code.
Here's a couple of examples of obfuscation…
ORIGINAL CODE
<script type="text/javascript">
counter = 0;
document.write("this is a test<br><br>");
for(var i = 0; i < 10; i++){
  counter += i;
  document.write("counter is " + counter + "<br><br>");
}
// this is a needless comment
</script>
OBFUSCATED CODE USING: http://www.virtualpromote.com/tools/javascript-encrypt/
var enkripsi="'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2Camwlvgp'02'1F'022'1@'2Cfmawoglv,upkvg'0:'00vjkq'02kq'02c'02vgqv'1A`p'1G'1A`p'1G'00'0;'1@'2C'02'02dmp'0:tcp'02k'02'02'1F'022'1@'02k'02'1A'0232'1@'02k))'0;'5@'2C'02'02'02'02amwlvgp'02)'1F'02k'1@'2C'02'02'02'02fmawoglv,upkvg'0:'00amwlvgp'02kq'02'00'02)'02amwlvgp'02)'02'00'1A`p'1G'1A`p'1G'00'0;'1@'2C'02'02'02'5F'2C--'02vjkq'02kq'02c'02lggfngqq'02amooglv'2C'1A-qapkrv'1G"; teks=""; teksasli="";var panjang;panjang=enkripsi.length;for (i=0;i<panjang;i++){ teks+=String.fromCharCode(enkripsi.charCodeAt(i)^2) }teksasli=unescape(teks);document.write(teksasli);
OBFUSCATED CODE USING: http://dean.edwards.name/packer/
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<7 g="f/b">3=0;4.5("c 6 a d<1><1>");e(9 2=0;2<8;2++){3+=2;4.5("3 6 "+3+"<1><1>")}</7>',17,17,'|br|i|counter|document|write|is|script|10|var||javascript|this|test|for|text|type'.split('|'),0,{}))
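The escape-then-XOR scheme in the first obfuscated sample can be undone by reading the loader text alone, which shows why this kind of encoding offers no confidentiality for anything shipped to the user. This is an added example, not part of the answer above; `xorEach`, `obfuscate` and `recoverSource` are hypothetical names and the sample script is constructed.

```javascript
// Added illustration (not from the thread). Function names are hypothetical.
// Scheme as seen in the sample: escape() the source, XOR every character with
// a small constant, ship the blob plus a loop that undoes both steps.

function xorEach(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key);
  }
  return out;
}

// Forward direction, modelled on the loader shape shown in the thread.
function obfuscate(source, key) {
  const blob = xorEach(escape(source), key);
  return 'var enkripsi="' + blob + '";teks="";' +
    'for(i=0;i<enkripsi.length;i++){' +
    'teks+=String.fromCharCode(enkripsi.charCodeAt(i)^' + key + ')}' +
    'document.write(unescape(teks));';
}

// Static recovery: read the blob and the XOR constant out of the loader text.
// Nothing is eval'd or written to a document, so the payload never executes.
function recoverSource(loader) {
  const blob = /var\s+\w+\s*=\s*"([^"]*)"/.exec(loader);
  const key = /charCodeAt\(\w+\)\s*\^\s*(\d+)/.exec(loader);
  if (!blob || !key) return null; // loader does not use this scheme
  return unescape(xorEach(blob[1], Number(key[1])));
}

// Constructed sample input.
const SAMPLE = 'counter = 0;\nfor (var i = 0; i < 10; i++) { counter += i; }\n' +
  '// this comment survives the round trip';
const LOADER = obfuscate(SAMPLE, 2);

console.log("identifier visible in loader:", LOADER.includes("counter"));
console.log("source recovered exactly:", recoverSource(LOADER) === SAMPLE);
```

The key and the decoding loop have to travel with the blob for the page to run at all, so anyone holding the file holds everything needed to read it.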
-
I do not know of any way to make your files inaccessible. However, something you can do is to obfuscate them before packaging.
-
Many thanks for your answer.
If I do obfuscate them, would the compiler still be able to understand the code and compile the application correctly?
Thanks
-
Even if you used Flash or Flex, there are decompilers that can give someone looking to steal or imitate your code a good deal of your code and solid clues to the rest of it. If your algorithms are so valuable, you may want to go the extra mile and program in something like C, so you can compile them to machine code.
As for obfuscation, it can be "decompiled" too. Anyone claiming they have a form of obfuscation that can't be defeated will sell you a bridge too.
What your better JavaScript obfuscators will do is pull out most or all of your meaningful whitespace, all your comments, condense all your meaningful variable and function names to stuff like "s1" and "bn", and do other packing on it, so that when it's "decompiled", your snoopers have a workable program, but it's like trying to read a book written in a doctor's handwriting.
The other downside to obfuscation is speed. You're basically ciphering your code, and every time the app loads it, the app has to execute a function to decipher the code before it can run the code. On most machines, for most purposes, that's not a big deal. It adds negligible processing overhead. But if your app is processor intensive and you're trying to squeeze speed out of it, then you're going to be trading off obfuscation for performance.
Quite often, a javascript compressor will do quite a good job of obfuscating your javascript code and giving you some small performance boosts to make up for it.
Two open source compressors you can look at are:
Yahoo YUI compressor: http://developer.yahoo.com/yui/compressor/
Packer: http://dean.edwards.name/packer/
-
Well, today is the first day I ever heard of Titanium Appcelerator. I've downloaded it, created my first test app which I've installed on another PC, and guess what, code protection was one of the first things I looked at too! (along with checking file sizes, memory, overhead etc)
I must say that I'm impressed with the tool, it is much better but it does remind me of the old PHP compiler project RoadSend, which had a similar architecture and similar issues, again code protection was one of the first things I looked at with this tool too.
If the development tool doesn't provide code protection itself, then I guess it is down to you as the developer to implement your own code protection, which should be feasible to a certain extent. As with any code protection, nothing is fool proof or hacker proof, but you can do things to make it more difficult for some people.
Obfuscation has already been mentioned. We used this when we developed mobile Java games for J2ME phones several years ago. Aside from obfuscation on purpose, there are also other advanced JavaScript techniques to look into, e.g. just have a look at the code behind a Google results page nowadays to get an idea of how complex, and difficult to follow, things can get.
If code protection is important for a project, I'd probably go one step further and investigate the idea of loading code at runtime from some other encrypted file format, somewhere it isn't obvious to look for code e.g. not in a html or js file, perhaps encrypt your code into some proprietary data file you then load in and decrypt at runtime! Again not completely hacker proof, merely making it more difficult to hack.
-
Not completely, but there's a lot of free tools to do it … try Javascript2img and tell me what you think about it …
-
Try Javascript2img to obfuscate your JavaScript and please, tell me if it does what you expect …
-
I agree with Mark. This is a deal-breaker for any serious commercial application.
I would like to also comment, if I may, on what Greg said. If I want to go the extra mile and code in C, why not just do it in Java then and not use Titanium at all? I would just use Eclipse or NetBeans.
The whole idea of using Titanium, as is so aptly stated on the home page, is to use your existing knowledge to bla bla bla… And my point is the following: trying to find a solution for this problem would make us use desktop based solutions at which point you wonder why even bother using Titanium at all.
Unless, of course, I'm missing something here.