Chrome extension - encrypting data to be stored in chrome storage

∥☆過路亽.° submitted on 2019-12-20 10:11:59

Question


I have a chrome extension which stores some user data locally using the chrome.storage API.

So, quoting from the documentation:

Confidential user information should not be stored! The storage area isn't encrypted.

Anyway, I would like to encrypt my extension's data before storing it, and I'd like to know: does Google provide a way to do this? And, if not, is there any other way?


Answer 1:


DISCLAIMER: No effort whatsoever in obfuscating client-side JavaScript will make it secure enough. Solutions like WebAssembly provide better performance and make the code more complex to reverse-engineer, but obviously total security is never going to be available client-side, so the only good and reliable option is to build a secure server-side.


To encrypt your data there's a really useful tool called CryptoJS, which is a good library for encryption/decryption algorithms. Let's say you want to encrypt some data so it can only be accessible with a certain passphrase, then you'll do something like this:

var encrypted = CryptoJS.AES.encrypt("Message", "Secret Passphrase");
var decrypted = CryptoJS.AES.decrypt(encrypted, "Secret Passphrase");
// decrypted is a WordArray; decrypted.toString(CryptoJS.enc.Utf8) gives back "Message"

Little problem: it looks clear that if you don't obfuscate your code (making it unreadable), the secret password will always be visible to any user, and obviously useless.

So: encoding your data will not make attackers unable to decode it if you use common algorithms and plain-text JavaScript. Therefore, if you want to make your code safer (which is difficult, since the JavaScript is stored as plain text in your extension folder), you have to scramble or obfuscate your JS functions using some tools like:

  • JavascriptObfuscator
  • JSObfuscate
  • JScrambler (not free)
  • Jasob (not free)
  • etc (just search on google)...

Here is an example of the above snippet obfuscated using the tools I linked above (once with jsobfuscate and once with javascriptobfuscator):

var _0x7390=["\x31\x20\x35\x3D\x30\x2E\x33\x2E\x37\x28\x22\x36\x22\x2C\x22\x34\x20\x32\x22\x29\x3B\x31\x20\x38\x3D\x30\x2E\x33\x2E\x39\x28\x35\x2C\x22\x34\x20\x32\x22\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x43\x72\x79\x70\x74\x6F\x4A\x53\x7C\x76\x61\x72\x7C\x50\x61\x73\x73\x70\x68\x72\x61\x73\x65\x7C\x41\x45\x53\x7C\x53\x65\x63\x72\x65\x74\x7C\x65\x6E\x63\x72\x79\x70\x74\x65\x64\x7C\x4D\x65\x73\x73\x61\x67\x65\x7C\x65\x6E\x63\x72\x79\x70\x74\x7C\x64\x65\x63\x72\x79\x70\x74\x65\x64\x7C\x64\x65\x63\x72\x79\x70\x74","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xf4e9x1,_0xf4e9x2,_0xf4e9x3,_0xf4e9x4,_0xf4e9x5,_0xf4e9x6){_0xf4e9x5=function (_0xf4e9x3){return _0xf4e9x3;} ;if(!_0x7390[5][_0x7390[4]](/^/,String)){while(_0xf4e9x3--){_0xf4e9x6[_0xf4e9x3]=_0xf4e9x4[_0xf4e9x3]||_0xf4e9x3;} ;_0xf4e9x4=[function (_0xf4e9x5){return _0xf4e9x6[_0xf4e9x5];} ];_0xf4e9x5=function (){return _0x7390[6];} ;_0xf4e9x3=1;} ;while(_0xf4e9x3--){if(_0xf4e9x4[_0xf4e9x3]){_0xf4e9x1=_0xf4e9x1[_0x7390[4]]( new RegExp(_0x7390[7]+_0xf4e9x5(_0xf4e9x3)+_0x7390[7],_0x7390[8]),_0xf4e9x4[_0xf4e9x3]);} ;} ;return _0xf4e9x1;} (_0x7390[0],10,10,_0x7390[3][_0x7390[2]](_0x7390[1]),0,{}));

It looks clear that this code is impossible to read. If you repeat the obfuscation algorithm several times with different tools, then you'll decrease the chance of anyone being able to understand it at first sight, even though data stored on the client side of a Chrome extension is never entirely safe, and anyone using a deobfuscator could be able to make your code human-readable again and understand it.

Also, another tip: do not use common variable names, and make your functions private by wrapping them inside some object, so that the data will be harder to access.



Source: https://stackoverflow.com/questions/27826998/chrome-extension-encrypting-data-to-be-stored-in-chrome-storage
