JavaScript obfuscation facts:
- No one can offer a 100% crack-free JavaScript obfuscation. This means that with time and knowledge every obfuscation can be "undone".
- Minify != obfuscation: When you minify, your objective is to reduce code size. Minified code looks completely different and it's much more complex to read (hint: jsbeautifier.com). Obfuscation has a completely different objective: to protect the code. The transformations used try to protect obfuscated code from debugging and eavesdropping. Obfuscation can even produce an even bigger version of the original code, which is completely contrary to the objectives of minification.
- Obfuscation != encryption - This one is obvious, but it's a common mistake people make.
- Obfuscation should make debugging much, much harder; it's one of its objectives. So if it is done correctly you can expect to lose a lot of time trying to debug obfuscated code. That said, if it is done correctly the introduction of new errors is a rare issue, and you can easily find out if it is an obfuscation error by temporarily replacing the code with non-obfuscated code.
- Obfuscation is NOT a waste of time - It's a tool. If used correctly you can make others waste lots of time ;)
JavaScript obfuscation fiction: (I will skip this section ;) )
Answer to Q2 - Suggested obfuscation tools:
- For an extensive list of JavaScript obfuscators: malwareguru.org. My personal choice is jscrambler.com.
Answer to Q3 - experiences of using obfuscated code
- To date no new bugs introduced by obfuscation
- Much better client retention. They must come to the source to get the source ;)
- Occasional false positives reported by some anti-virus tools. Can be tested before deploying any new code using a tool like Virustotal.com
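
To illustrate the "Minify != obfuscation" and "every obfuscation can be undone" points above, here is an added example that is not part of the original answer and is not output from any of the tools named. It compares a hand-minified function with a toy string-table obfuscation of the same source; the `greet` sample and all helper names are constructed for illustration.

```javascript
// Constructed sample source; all names here are illustrative assumptions.
const original = `function greet(name) {
  // build the greeting
  const prefix = "Hello, ";
  return prefix + name + "!";
}`;

// Minification (hand-written here): same behaviour, fewer bytes.
const minified = 'function greet(n){return"Hello, "+n+"!"}';

// Toy string-table obfuscation: hex-encode each double-quoted literal
// (single-byte characters only, no escapes) and replace it with a lookup call.
function obfuscateStrings(src) {
  const table = [];
  const body = src.replace(/"([^"\\]*)"/g, (_, s) => {
    table.push(Buffer.from(s, "latin1").toString("hex"));
    return `(_d(${table.length - 1}))`;
  });
  const decoder =
    `var _t=${JSON.stringify(table)};` +
    "function _d(i){return _t[i].replace(/../g,function(h){" +
    "return String.fromCharCode(parseInt(h,16))})}";
  return decoder + body;
}

// The table and its decoder ship with the code, so the literals can be read back.
function recoverStrings(obfuscated) {
  const m = /var _t=(\[[^\]]*\]);/.exec(obfuscated);
  return JSON.parse(m[1]).map((h) => Buffer.from(h, "hex").toString("latin1"));
}

// Evaluate a source string and call its greet() to compare behaviour.
function run(src, arg) {
  return new Function(src + ";return greet;")()(arg);
}

const obfuscated = obfuscateStrings(original);
console.log("sizes:", original.length, minified.length, obfuscated.length);
console.log("recovered:", recoverStrings(obfuscated));
console.log(run(original, "Ann") === run(obfuscated, "Ann"));
```

The minified form is the smallest of the three and the obfuscated form the largest, while all three behave identically when run.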