Titanium Community Questions & Answer Archive

We felt that 6+ years of knowledge should not die so this is the Titanium Community Questions & Answer Archive

is it possible to protect my code?

I only started using Titanium a few hours ago. I want to use it to develop a cross platform desktop application. So I created a test application, packaged it, and installed it on my machine. When I browsed the installation location I found in the 'resources' folder all my test files easily accessible.
So I am wondering is it possible to develop an application using Titanium that actually hides my source code from people trying to steal it or imitate it. I mean if I wanna make money from my app shouldn't my source code be at least protected from stealing. This is a huge issue if I am not developing an open source application.

Many thanks.

— asked April 18th 2010 by Luay Kanaan
  • code
  • hide
  • money
  • protection
  • source
0 Comments

11 Answers

  • Accepted Answer

    This may be referring to the Titanium Desktop product, but in case someone comes across this thread in the context of Titanium Mobile…the JavaScript resources inside your Titanium application are encrypted to protect against prying eyes.

    — answered May 31st 2013 by Ingo Muschenetz
    3 Comments
    • unpackaged commonjs modules are NOT encrypted as of 3.1.0

      — commented June 1st 2013 by Stephen Feather
    • I'll behave regarding other information, but if you have a pre 3.x app in the wild, you need to be rebuilding and resubmitting them.

      — commented June 1st 2013 by Stephen Feather
    • Is it possible to encrypt the resources in simulator-builds also?

      At the moment it seems to be unencrypted, which keeps me from using a service like app.io, because the uploaded package contains my complete source code.

      — commented January 26th 2014 by Joe Caff
  • Obfuscation is not enough here. We need the ability to either hide source code in a binary object that can't easily be read, or the ability to encrypt source code on disk and have the app decrypt it as it reads it in.

    We're about to roll our own solution, but have asked the Titanium development team for this a couple of times already.

    Agreed – this is a deal-breaker for any serious commercial application.

    — answered April 18th 2010 by Mark Burggraf
    0 Comments
  • They need some way of byte-code compilation at least at deployment time. Byte-codes make the executable even faster than interpreting texts.

    — answered April 19th 2010 by Ricardo Araujo
    0 Comments
  • What do any of you mean by "serious commercial application"? You're not going to write PhotoShop or Oracle in JavaScript and HTML.

    As long as things are being done through a WebKit engine on the desktop, a dedicated enough hacker will be able to look at your code.

    Here's a couple of examples of obfuscation…

    ORIGINAL CODE

    <script type="text/javascript">
    counter = 0;
    document.write("this is a test<br><br>");
    for (var i = 0; i < 10; i++) {
      counter += i;
      document.write("counter is " + counter + "<br><br>");
    }
    // this is a needless comment
    </script>
    

    OBFUSCATED CODE USING: http://www.virtualpromote.com/tools/javascript-encrypt/

    var enkripsi="'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2Camwlvgp'02'1F'022'1@'2Cfmawoglv,upkvg'0:'00vjkq'02kq'02c'02vgqv'1A`p'1G'1A`p'1G'00'0;'1@'2C'02'02dmp'0:tcp'02k'02'02'1F'022'1@'02k'02'1A'0232'1@'02k))'0;'5@'2C'02'02'02'02amwlvgp'02)'1F'02k'1@'2C'02'02'02'02fmawoglv,upkvg'0:'00amwlvgp'02kq'02'00'02)'02amwlvgp'02)'02'00'1A`p'1G'1A`p'1G'00'1@'2C'02'02'02'5F'2C--'02vjkq'02kq'02c'02lggfngqq'02amooglv'2C'1A-qapkrv'1G"; teks=""; teksasli="";var panjang;panjang=enkripsi.length;for (i=0;i<panjang;i++){ teks+=String.fromCharCode(enkripsi.charCodeAt(i)^2) }teksasli=unescape(teks);document.write(teksasli);
    

    OBFUSCATED CODE USING: http://dean.edwards.name/packer/

    eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<7 g="f/b">3=0;4.5("c 6 a d<1><1>");e(9 2=0;2<8;2++){3+=2;4.5("3 6 "+3+"<1><1>"}</7>',17,17,'|br|i|counter|document|write|is|script|10|var||javascript|this|test|for|text|type'.split('|'),0,{}))
    
    — answered April 19th 2010 by Greg Bulmash
    0 Comments
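
Added example, not part of the original thread: the first wrapper in the answer above ships its own decoder and key (XOR with 2, then unescape), so the source can be read back from the file text without running it. `wrap()` is a constructed stand-in for the online tool and `SAMPLE` is constructed input; both are assumptions, not the tool's or the poster's code.

```javascript
// Added example (not from the thread). Models the XOR wrapper shown above:
// source -> escape() -> XOR each character with a small key.
function xorChars(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key);
  }
  return out;
}

// The same two steps the wrapper performs at load time: XOR, then unescape().
function decodeXor(encoded, key) {
  return unescape(xorChars(encoded, key));
}

// Constructed stand-in for the online tool (assumption about how it encodes).
function wrap(source, key) {
  const encoded = xorChars(escape(source), key);
  return "var enkripsi=" + JSON.stringify(encoded) + ";teks=\"\";" +
    "for(i=0;i<enkripsi.length;i++){teks+=String.fromCharCode(" +
    "enkripsi.charCodeAt(i)^" + key + ")}document.write(unescape(teks));";
}

// Static recovery: read the string literal and the key out of the wrapper text.
// Nothing is evaluated, so the packaged file is never executed.
// Assumes a double-quoted literal that uses only JSON-compatible escapes.
function recoverSource(wrapperText) {
  const literal = /var\s+enkripsi\s*=\s*("(?:[^"\\]|\\.)*")/.exec(wrapperText);
  const key = /charCodeAt\(\s*i\s*\)\s*\^\s*(\d+)/.exec(wrapperText);
  if (!literal || !key) return null; // not this wrapper format
  return decodeXor(JSON.parse(literal[1]), Number(key[1]));
}

// First characters of the encoded string posted in the answer above.
const PAGE_PREFIX = "'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G";

// Constructed sample standing in for proprietary application code.
const SAMPLE = 'var licenceKey = "demo-1234";\ncheck(licenceKey);';

console.log(decodeXor(PAGE_PREFIX, 2));
console.log(recoverSource(wrap(SAMPLE, 2)) === SAMPLE);
```

The wrapped text no longer contains the identifier `licenceKey`, yet two regular expressions and one loop give the original back, which is why the thread treats this kind of packing as a deterrent against casual reading rather than as protection.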
  • I do not know of any way to make your files inaccessible. However, something you can do is to obfuscate them before packaging.

    — answered April 18th 2010 by Max Mullen
    0 Comments
  • Many thanks for your answer.

    If I do obfuscate them, would the compiler still be able to understand the code and compile the application correctly?

    Thanks

    — answered April 18th 2010 by Luay Kanaan
    0 Comments
  • Even if you used Flash or Flex, there are decompilers that can give someone looking to steal or imitate your code a good deal of your code and solid clues to the rest of it. If your algorithms are so valuable, you may want to go the extra mile and program in something like C, so you can compile them to machine code.

    As for obfuscation, it can be "decompiled" too. Anyone claiming they have a form of obfuscation that can't be defeated will sell you a bridge too.

    What your better JavaScript obfuscators will do is pull out most or all of your meaningful whitespace, all your comments, condense all your meaningful variable and function names to stuff like "s1" and "bn", and do other packing on it, so that when it's "decompiled", your snoopers have a workable program, but it's like trying to read a book written in a doctor's handwriting.

    The other downside to obfuscation is speed. You're basically ciphering your code, and every time the app loads it, the app has to execute a function to decipher the code before it can run the code. On most machines, for most purposes, that's not a big deal. It adds negligible processing overhead. But if your app is processor intensive and you're trying to squeeze speed out of it, then you're going to be trading off obfuscation for performance.

    Quite often, a javascript compressor will do quite a good job of obfuscating your javascript code and giving you some small performance boosts to make up for it.

    Two open source compressors you can look at are:

    Yahoo YUI compressor:
    http://developer.yahoo.com/yui/compressor/

    Packer:
    http://dean.edwards.name/packer/

    — answered April 18th 2010 by Greg Bulmash
    0 Comments
  • Well, today is the first day I ever hear of Titanium Appcelerator. I've downloaded it, created my first test app which I've installed on another PC, and guess what, code protection was one of the first things I looked at too! (along with checking file sizes, memory, overhead etc)

    I must say that I'm impressed with the tool, it is much better but it does remind me of the old PHP compiler project RoadSend, which had a similar architecture and similar issues, again code protection was one of the first things I looked at with this tool too.

    If the development tool doesn't provide code protection itself, then I guess it is down to you as the developer to implement your own code protection, which should be feasible to a certain extent. As with any code protection, nothing is fool proof or hacker proof, but you can do things to make it more difficult for some people.

    Obfuscation has already been mentioned. We used this when we developed mobile java games for J2ME phones several years ago. Aside from obfuscation on purpose, there are also other advanced javascript techniques to look into, e.g. just have a look at the code behind a google results page nowadays to get an idea of how complex, and difficult to follow, things can get.

    If code protection is important for a project, I'd probably go one step further and investigate the idea of loading code at runtime from some other encrypted file format, somewhere it isn't obvious to look for code e.g. not in a html or js file, perhaps encrypt your code into some proprietary data file you then load in and decrypt at runtime! Again not completely hacker proof, merely making it more difficult to hack.

    — answered July 13th 2010 by Paul Ireland
    2 Comments
    • I should add that with our original J2ME game, obfuscation was vital in order to get the whole package weighing in at under 32K. But with appcelerator bundled desktop installs understandably starting at around 18MB, javascript code obfuscation for the sole purpose of reducing code size isn't really an issue.

      — commented July 13th 2010 by Paul Ireland
    • I must say that I'm impressed with the tool, it is much better but it does remind me of the old PHP compiler project RoadSend, which had a similar architecture and similar issues, again code protection was one of the first things I looked at with this tool too.

      Strike that. It wasn't RoadSend I was thinking of in this particular case, it was Wapache.

      — commented July 14th 2010 by Paul Ireland
  • Not completely, but there are a lot of free tools to do it … try Javascript2img and tell me what you think about it …

    — answered January 19th 2015 by Sergi Sole
    0 Comments
  • Try Javascript2img to obfuscate your JavaScript and please, tell me if it does what you expect …

    — answered January 19th 2015 by Sergi Sole
    0 Comments
  • I agree with Mark. This is a deal-breaker for any serious commercial application.

    I would like to also comment, if I may, on what Greg said. If I want to go the extra mile and code in C, why not just do it in Java then and not use Titanium at all. I would just use eclipse or Netbeans.

    The whole idea of using Titanium, as is so aptly stated on the home page, is to use your existing knowledge to bla bla bla… And my point is the following: trying to find a solution for this problem would make us use desktop based solutions at which point you wonder why even bother using Titanium at all.

    Unless, of course, I'm missing something here.

    — answered April 19th 2010 by Luay Kanaan
    1 Comment
    • Luay,

      If you do it in Java, then your binary objects can be decompiled the same way obfuscated Javascript can or a Flash SWF can. Java doesn't compile to machine code like C, but to an intermediary byte code like Flash and C#/Mono, then they get run by a virtual machine that compiles them from byte code.

      Byte code is more efficient than human-readable code like JavaScript, but it's FAR from bullet proof.

      Furthermore, since the code for Titanium is open source, any sort of code encryption can be reverse engineered.

      It's sort of like protecting your car. You can lock it, put a bar on the steering wheel, and get a fancy alarm. This will ward off the joy riders and casual criminals. But if a true pro wants it, he can get it.

      The question is not the protection options available, but how much time and energy you feel is appropriate to spend on making your code hard to read.

      — commented June 8th 2010 by Greg Bulmash
The ownership of individual contributions to this community generated content is retained by the authors of their contributions.
All trademarks remain the property of the respective owner.