Code Protection


#1

I’m working on OS X, so basically an atom-shell application is kinda open source (right click on application -> Show Package Contents). That’s not a problem. If a user wants to view the code, she’s welcome. But I want to prevent changes to the code base. How can I do that? Basically it’d be enough to ensure that one specific file is not being modified.


#2

Did you mean ‘prevent’ here?


#3

Sorry there haven’t been any replies on this one. Unfortunately, the atom-shell crowd isn’t very active on here, yet.

But maybe @zcbenz can help out with this question. He’d know.


#4

I’m not very familiar with the way OS X handles application content, but isn’t it possible to chmod the files to read-only before packaging the app?


#5

OS X applications aren’t files, they’re actually folders. Of course they could be protected with chmod, but nothing is holding the user back from chmod’ing it and then editing it. “Normal” users won’t try to change any application files, but the ones who could take interest in trying to change it will also be familiar with the possibility of gaining ownership of the files.

I searched and found node-webkit’s nwsnapshot utility. It allows you to make a small snapshot of v8 binary code. But I wasn’t able to find a similar solution for atom-shell.


#6

As one of the big names in massively-multiplayer game design, Raph Koster, said in one of his laws of online world game design:

The client is in the hands of the enemy

“Client” as in client/server. There are things you can do to make it harder for someone to alter the code, but there is nothing you can do to prevent someone completely from altering the code. It is their computer and no matter what scheme you come up with like digital signing, obfuscation, encryption or what have you … they can all be circumvented because ultimately you have to assume that the user has administrator rights on their own computer. At best you could hope to detect if the code has been changed … but even then the detection code could be spoofed.


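Detecting a change to shipped files, which post #6 names as the most one can hope for, usually means comparing file hashes against a manifest recorded at packaging time. The sketch below is an added example, not code from any poster or from atom-shell; the function names and the demo files are assumptions, and as the post says, a check like this ships with the client and can itself be edited.

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

function sha256File(file) {
  return crypto.createHash('sha256').update(fs.readFileSync(file)).digest('hex');
}

// Every regular file under root, as sorted paths relative to root.
function listFiles(root, dir = '') {
  return fs.readdirSync(path.join(root, dir), { withFileTypes: true })
    .flatMap((e) => {
      const rel = path.join(dir, e.name);
      return e.isDirectory() ? listFiles(root, rel) : [rel];
    })
    .sort();
}

// Packaging time: record { relativePath: sha256 } for the shipped files.
function buildManifest(root) {
  return Object.fromEntries(
    listFiles(root).map((f) => [f, sha256File(path.join(root, f))]));
}

// Startup: report files modified, removed or added since the manifest was built.
function verify(root, manifest) {
  const current = buildManifest(root);
  const result = { modified: [], missing: [], added: [] };
  for (const [file, digest] of Object.entries(manifest)) {
    if (!Object.hasOwn(current, file)) result.missing.push(file);
    else if (current[file] !== digest) result.modified.push(file);
  }
  result.added = Object.keys(current).filter((f) => !Object.hasOwn(manifest, f));
  return result;
}

// Constructed demo: a temp directory stands in for the app's resources folder.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'app-'));
  fs.writeFileSync(path.join(root, 'main.js'), 'console.log("start");\n');
  fs.writeFileSync(path.join(root, 'license.js'), 'module.exports = true;\n');
  const manifest = buildManifest(root);
  const before = verify(root, manifest);
  fs.writeFileSync(path.join(root, 'license.js'), 'module.exports = false;\n');
  fs.writeFileSync(path.join(root, 'extra.js'), '');
  const after = verify(root, manifest);
  fs.rmSync(root, { recursive: true });
  return { before, after };
}
```
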
#7

Ultimately, all you should do as a developer / application owner is to deter the user from altering the core code (by voiding any warranty or support for example), or simply add a disclaimer to the effect that meddling is at the user’s own risk.


#8

Thanks leedohm, especially for providing the link!
Thanks batjko, I like the idea with voiding any warranty/support and the disclaimer.

A combination of your ideas should work.


#9

You could also package minify / compress your source; this would really only act as a minor deterrent though.