JavaScript is the standard language for building powerful Web applications. A drawback of its usage is the ability for others to easily view JavaScript code via the View Source Web browser option. While this isn’t always a concern, there are times when it is better to keep prying eyes away. Thankfully, there are ways to accomplish this via code obfuscation and tools that make it easy to use.

Obfuscation primer

Simply put, the word obfuscation means to make something less clear and harder to understand. Obfuscation involves converting source code into equivalent code that is difficult to reverse engineer. An obfuscator is a tool that makes this possible. Obfuscation does not make it impossible to reverse engineer, but it presents many roadblocks.

Obfuscation is accomplished using various techniques. The following list provides an overview of these techniques:

  • Control: Alters the way the code flows, which may include changing how statements are grouped together, changing the order in which code is executed, or inserting extraneous code.
  • Layout: The various elements of code layout may be altered. This includes variable names that may be renamed to hide their purpose; removing or rewording comments; and altering code formatting that affects code readability. In addition, unused code may be removed.
  • Data: The various aspects of data may be altered to affect code readability. This includes changing the order of data elements like arrays; changing data structures like splitting arrays into multiple arrays; altering how stored data is interpreted; or changing the scope of variables. Another way to hide variables is through encryption.

A key feature of obfuscation is resistance to deobfuscation. That is, you want to make it difficult to reverse the obfuscation process and discover the original code. With that in mind, obfuscation tools attempt to thwart common deobfuscation techniques and take advantage of known deobfuscation weaknesses.

It is worth noting that obfuscation is not restricted to code; it can be used to hide data as well, but this article focuses on source code. One side effect of obfuscation is the possibility of optimizing your code, since extraneous code is often removed. With a basic understanding of the topic, let’s turn our attention to the tools available for putting obfuscation in motion.

Obfuscator tools

A simple Google search yields an overwhelming number of results when trying to locate obfuscation tools. The following list provides a sampling of these tools:

  • Jasob: A commercial tool that supports JavaScript and CSS obfuscation. A nice feature of this tool is its ability to read JavaScript and CSS source from a variety of sources including PHP, ASP.NET, and JSP files. Jasob promises to optimize and protect your code.
  • Javascript Obfuscator: This tool allows you to work with HTML or JavaScript source files. It includes various options for defining how obfuscation is handled. This includes removing whitespace and comments, along with defining how variables may be renamed.
  • ObfuscateJS: A command line tool for applying obfuscation techniques to your code. It allows you to compress code by removing whitespace and comments along with renaming variables.
  • Stunnix JavaScript Obfuscator: A Web-based tool that works with both client- and server-based JavaScript. It provides encryption and compression features as well.
  • Thicket Obfuscator: This tool promises to optimize while securing your code. It allows you to process multiple files at once and map variable names to their counterparts in the obfuscated code, along with defining rules for dealing with comments.

The difference among these tools is the obfuscation techniques they provide. At the most basic level, all the tools allow you to compress code by removing whitespace and comments. The next level is renaming variables, but where do the tools go from there? This is where the tools differentiate themselves.

I like the Jasob tool, but there doesn’t seem to be a consensus within the community about which tool is best. In the end, you utilize what best meets your needs.

In action

Obfuscation doesn’t always have to be a complicated process. I’ll use this simple JavaScript function as the source for an obfuscation example:

    // A test function
    function test() {
        // Declare variable to display
        var b="Test";
        // Display variable in window
        alert(b);
    }

Now, running this code through a simple obfuscation can yield the following line of code:

    function test(){var atv="Test";alert(atv);}

In this case, the obfuscation process included the removal of whitespace and comments. In addition, the variable name was altered. This simple example provides a sampling of what may happen to more robust code.
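The three layout steps just described (comment removal, whitespace removal, variable renaming) can be reproduced in a few lines. The following sketch is an added example, not code from this article or from any of the tools listed above; the names layoutObfuscate and readableStrings are hypothetical, and it assumes semicolon-terminated code without regex or template literals. It also reports which string literals remain readable afterwards, which is the part of the output a reviewer should check when the source holds sensitive data.

```javascript
// Added example: toy layout obfuscator, not the algorithm of any tool named in the article.
// The scanner consumes each comment and string literal as one token, so a "//"
// inside a string is never mistaken for a comment.
const TOKEN = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[\w$]+|\s+|[\s\S]/g;
const isComment = (t) => t.startsWith("//") || t.startsWith("/*");
const isString = (t) => t[0] === '"' || t[0] === "'";
const isWord = (t) => /^[\w$]+$/.test(t);

function layoutObfuscate(source) {
  // Layout step 1: drop comments and whitespace.
  const tokens = (source.match(TOKEN) || []).filter(
    (t) => !isComment(t) && !/^\s+$/.test(t)
  );
  // Layout step 2: map each name that directly follows var/let/const to _0, _1, ...
  const renamed = new Map();
  tokens.forEach((t, i) => {
    const declared = ["var", "let", "const"].includes(tokens[i - 1]);
    if (declared && isWord(t) && !renamed.has(t)) renamed.set(t, "_" + renamed.size);
  });
  // Emit the tokens, renaming identifiers but never strings or .property names.
  let code = "";
  tokens.forEach((t, i) => {
    const prev = tokens[i - 1] || "";
    if (isWord(t) && isWord(prev)) code += " "; // keep "var x" from fusing into "varx"
    code += isWord(t) && prev !== "." && renamed.has(t) ? renamed.get(t) : t;
  });
  return { code, renamed };
}

// What a reader of the obfuscated file still sees verbatim: every string literal.
function readableStrings(code) {
  return (code.match(TOKEN) || []).filter(isString);
}

// The article's sample function, embedded as input.
const SAMPLE = [
  "// A test function",
  "function test( ) {",
  "  // Declare variable to display",
  '  var b="Test";',
  "  // Display variable in window",
  "  alert(b);",
  "}",
].join("\n");

const result = layoutObfuscate(SAMPLE);
console.log(result.code);                  // function test(){var _0="Test";alert(_0);}
console.log(readableStrings(result.code)); // [ '"Test"' ]
```

The output has the same shape as the obfuscated line above, with _0 in place of atv, and the literal "Test" is untouched.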

Protect intellectual property

A lot of hard work goes into developing JavaScript code that meets your needs. While the Web promotes the sharing of such code, there are times when you or a client may not want to share their JavaScript code. This may be due to the sensitive nature of data within the code, proprietary calculations, or any other scenario.

JavaScript obfuscation provides a vehicle for keeping your source code from prying eyes. Of course, a rogue developer may invest a lot of time and money to deobfuscate your code, but the key is not making it simple.

Do you worry about another developer stealing your source code? Do you utilize obfuscation to protect your code? If so, what tools do you prefer? Share your thoughts with the Web Developer community by posting to the article discussion.

Tony Patton began his professional career as an application developer earning Java, VB, Lotus, and XML certifications to bolster his knowledge.
