Is obfuscation the best answer [duplicate]

Posted by 荒凉一梦 on 2019-12-06 16:44:44

Maybe not the best. If you are really ambitious, you can write your own web server (plugin).

But is it worth the effort?

Software is similar to a bike in the Netherlands: there is no known way of protection that is 100% safe. You either use better protection than the other bikes (thieves are lazy), or you must obfuscate the bike so they won't take it.

Another way to increase the level of protection is to use custom-made ActiveX code to store mission-critical algorithms. Of course, they can be reverse engineered, but JavaScript is easier.

What exactly are you trying to protect your code from?

Does your client-side code contain valuable business logic?

If not: you shouldn't bother obfuscating something that doesn't have much value. Personally I think client-side code theft is something that people are far too concerned about. 99% of web apps don't really have anything special in terms of implementation on the client side. What you need to worry about more is someone ripping off the idea or visual look, which you obviously can't obfuscate.

If it does: you need to consider refactoring that logic out of the client side, as even with heavy obfuscation, a determined party will always be able to untangle it relatively easily. The code that adds real value to your app should ideally be running on your servers where it's considerably more difficult to get access to.

Even if people stealing your HTML markup or JavaScript was something to worry about (and it probably isn't), obfuscation doesn't really solve the problem. In my opinion it is a waste of effort and money.

Hosting a critical function as a web service is probably the most sure way to protect it. It keeps the code out of the user's hands entirely. But then you're stuck hosting a service, and your users have to be on line to use your functionality.

Obfuscators help by hiding useful names and replacing control flow with weird but logically equivalent alternatives. They might thwart an amateur, but they'll only slow down a skilled reverse engineer for a few minutes, and they won't stop someone who is determined to penetrate your secrets.

If you really want to protect your code, you should write native code using a native code compiler (C++, Delphi). This still does not guarantee that your code is 100% safe because any experienced developer can read assembler and essentially disassemble the native code program.

A determined hacker will always find a way to get to what they want.

The best we can do is to make it hard or painful for the would-be hacker to get at our code and the following options can help us:

  1. Customize the CLR engine
  2. Run an obfuscation tool over your code and use name and control flow obfuscation and string encryption
  3. Make the application a Web-based application where all your proprietary code sits on a server somewhere
  4. Watermark your code using your own custom techniques to "throw off" the would-be hacker
  5. Implement techniques to prevent debugging (this is a very advanced topic!)

I really like a comment made by one of the head developers of the .NET framework where he said that he does not feel it's really the fact that others can get at our code that should be a concern to us, but rather, we should concern ourselves with the level of support we provide with our products.

So if we provide a good support base, it does not matter what the hackers do with our code, because the clients will trust us and our ability to support them using our product and not some cheap hacker-hacked program.

NO, obfuscation is not the best way to protect your code.

The tool you need to use is "copyright".

There is no (technological) way you can protect your code from someone determined enough (provided they have access to the binaries / scripts).

What you can do is prevent them from legally modifying/distributing your code.

The normal server-side code in Web projects should under no circumstances be visible to the outside world. So there is no point in obfuscating the code.

Besides that, two minor points:

  • JavaScript code is visible to the user and can be obfuscated. Minimizing JavaScript to save bandwidth is recommended anyway. Minimizing JS also obfuscates the code.

  • Also important is that on a production system the configuration setting customErrors should be set to RemoteOnly or On to avoid showing a stack trace with too much code detail.
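A check for the customErrors point above, as an added example that is not part of the original answers: it parses a web.config and reports every scope where `mode="Off"` would send stack traces to remote clients, including per-path `<location>` overrides that a glance at the top-level setting misses. The sample files, function names and finding format are constructed for illustration, and the script assumes a `<configuration>` root without an XML namespace.

```python
import xml.etree.ElementTree as ET

KNOWN_MODES = {"On", "Off", "RemoteOnly"}

# Constructed sample: safe at the site root, but overridden for one path.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
  <location path="api">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>"""

# Constructed sample: remote users get a generic error page.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>"""


def _scopes(root):
    """Yield (scope label, <system.web>) for the site root and each <location>."""
    top = root.find("system.web")
    if top is not None:
        yield "(site root)", top
    for loc in root.findall("location"):
        system_web = loc.find("system.web")
        if system_web is not None:
            yield "location path=%r" % loc.get("path", ""), system_web


def audit_custom_errors(xml_text):
    """Return (scope, mode, reason) tuples for risky customErrors settings."""
    findings = []
    for scope, system_web in _scopes(ET.fromstring(xml_text)):
        element = system_web.find("customErrors")
        if element is None:
            continue  # inherits the parent setting or the RemoteOnly default
        mode = element.get("mode", "RemoteOnly")
        if mode == "Off":
            findings.append((scope, mode, "stack traces are sent to remote clients"))
        elif mode not in KNOWN_MODES:
            findings.append((scope, mode, "not one of On, Off, RemoteOnly"))
    return findings
```
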

If your client side code has any broad value to others, it will get reverse engineered regardless of any obfuscation.

The reality is that it's likely not going to be broadly useful to many, and there is a lot of other code out there to look at, so it's probably not worth doing more than minifying the code, which is plenty of obfuscation, and if your code is large, it will improve download speed.

Have you considered the alternative? That it's a good thing to give something back to the community? I'm sure you've looked at the code of more than one site, no?
