I have released a text obfuscation service for Javascript, SHINOVI.
SHINOVI (opens new window) is a text obfuscation tool for Javascript 😀
# Why should I use SHINOVI?
Javascript has become an integral part of websites today. There are already a lot of obfuscation tools for Javascript. If you use modern JS frameworks such as Vue or React, or if you use a build tool like Webpack, your source code would be obfuscated automatically. It's not so difficult.
Then, why have I developed such an original obfuscation tool? The reason is that I have not been satisfied for the following two points:
- Even if your source code is well obfuscated, theoretically it can be decoded because Javascript itself should be executable for client-side.
- Many obfuscation tools don't obfuscate string literals.
Because of these reason, I had developed my own CUI tool to obfuscate Javascript codes including string literals, then I released this tool as a new GUI web tool.
# How can you use this?
Originally, SHINOVI is supposed to be used with a build tool like Webpack or a traditional obfuscation tool like webpack-uglifier because it is developed for the above points.
SHINOVI is defferent from tradional obfuscation tools for the following points:
- SHINOVI obfuscates not Javascript code but Javascript string or object data.
- SHINOVI defines constants necessary for the data restoration separately from the restoration itself.
Basically I suppose SHINOVI should be used with an traditional build tool so it makes up for the missing parts with traditional way, and I also think the second point (constants are defined separately) is especially important.
As I wrote above, any obfuscated codes are theoretically decodable, but after decoding a code, it is so hard to extract information if necessary variables are scattered here and there, isn't it?
# Don't be overconfident in obfuscation
Including SHINOVI, as I have mentioned many times, Javascript is executable for client-side, so it can always be endangered by a third party, so sensitive or secret data such as Secret keys or user privacy data should not be put in client-side scripts like Javascript.
In our websites and web services, In addition to tradional obfuscation tools and SHINOVI, we also take other measures. I'd like to write it in an article at another time.