Way to protect JavaScript Code?

Report · Jun 06, 2017

HI,

Is the only option for protecting code to obfuscate the javascript code? For example, is there such a thing as requiring the user to enter a key before being able to execute the javascript code on their computer like there is for TurboTax? Forgive me if this is a novice question. Any help will be appreciated.

Thanks.

S

Report · Jun 07, 2017

There is no realistic way to protect it. Even if Acrobat were to ask for a password or something, there is other PDF software than would ignore it. Obfuscation is no protection at all, except against the most casual peek, since what software can obfuscate, other software can "un-obfuscate". This basically means that all business sensitive or personally sensitive logic has to move server side where - since it is the main vector of hacker attack - it must now be written by an experienced professional up to date with the latest hacking techniques.

Report · Jun 07, 2017

It's often faster to rewrite a script from scratch than to un-obfuscate an existing one.

PDF Acrobatic, InDesigner & Photoshoptographer

Report · Jun 07, 2017

Hi,

What I am hearing is that it is futile to try to protect javascript code. Here is some more info.

The javascript I am trying to protect is within an action wizard within Adobe Acrobat. I realize a user can just click Edit and see the code. Nevertheless, I still want some level of protection even if it mimics a closed door that someone just has to open by turning the knob. Here are two ideas that I had:

1) When the user clicks Edit for action wizard (0606aBatch Labeling Application_1.8SCS) b/c they are trying to modify the code, can there be a password prompt box which opens up?

2) If (1) is not possible, can I create code which asks the user to enter a password when they run the action wizard. How do I go about this? I realize they could just go to Edit and see the code anyway but I am guessing most of my users would not poke around and do this and I guess that will have to be good enough.

Thanks.

S

Report · Jun 07, 2017

1) No.

2) Yes, but unless you don't want it to ask them for the password for each file that is being processed it gets tricky.

Basically they will only need to enter the password once, and until the application is closed anyone would be able to run it as many times as they wished after that.

Report · Jun 07, 2017

A user can simple export the action and look at the exported file.

Report · Jun 07, 2017

yeah, good point.

Report · Jun 07, 2017

What does your Action do that is so secretive, anyway?

Report · Jun 07, 2017

It's not necessarily about being secretive. I just don't want the users to mess up the code and distribute to others. I need to make sure all users are using the appropriate version so the output is all the same.

Report · Jun 07, 2017

The margins, templates, etc. are procedure specific and I can only guarantee this if the user does not mess with the code.

Report · Jun 07, 2017

The margins, templates, etc. are procedure specific and I can only guarantee this if the user does not mess with the code.

Report · Jun 07, 2017

The only thing you can do is minify and "uglify" the JavaScript so that it's difficult (not impossible) to understand what it's doing. But users will always be able to share the exported XML. If you're looking to commercialize Actions... don't bother.

UglifyJS: Online JavaScript minifier

Report · Jun 07, 2017

Is using the minifier similar to obfuscating? Thx for the info.

Report · Jun 07, 2017

No, it makes the code appear to be one line and does not change the variable names.

One can also make much of the code folder level functions so the user may see the call but not the detailed code. This would also require installing the folder level scripts on each users system. But if the user knows how to use the JavaScript console, the code could become visible. I would use a combination of all the suggestions. But this may also make maintaining the code more difficult.

Report · Jun 07, 2017

There are minifiers that do change the variable name. Minifying can be a method of obfuscation you just have to pick the right one.

Report · Jun 07, 2017

You should try this: http://www.javascriptobfuscator.com/

PDF Acrobatic, InDesigner & Photoshoptographer

Report · Jun 07, 2017

Yeah - that's a good one. I use CodeKit and it has a minifier/uglifier in it.

Report · Nov 29, 2017

Hi Joel.

I already use CodeKit and Atom, but I cant protect my js.
is there a way to do little obfuscation with my tools?

Report · Nov 29, 2017

You can't protect your JS... period... if they want it, they'll get it. By adding password security to the file to prevent modification you can prevent the edit dialogs from opening but that will only keep honest people honest. Because JavaScript is interpreted and because Acrobat has a debugger, and because I know what I'm doing, an obfuscator will only slow me down... a little... it won't stop me from getting something that I want.

I give away a lot of high value IP as JavaScript because the cost of protecting it and then pursuing violators is higher than the revenue I get from having it publicly available and building my reputation as an expert. I've explored obfuscation off and on every few years for decades now and I always end up in the same place... I don't bother.

Way to protect JavaScript Code?

li.media.uploader-dialog.title