0

In JavaScript, it seems common for the official release of the code to use only single-character variable and function names (of course, after converting the original code which uses clearer names) in order to make the code more obscure. I've seen people reverse engineering software to find what seems to be the original variable (and maybe even function) names in the binaries. That helps people with debugging and developing their own code snippets to modify the software. However, it can also make it easier for malicious personnel to interpret and make malware for the code.

Is it a good idea to convert all variable and function names to single- (or double-) character names like with JavaScript before compiling to make the binaries more obscure (and I think a bit shorter too), which in turn makes it harder to reverse engineer?

Marcel
ChocolateOverflow
  • This process is called code obfuscation. Its benefits are disputed. However, for JavaScript, the prevalent reason is file size. – Marcel Oct 14 '19 at 05:51
  • This is also a broad question: Please be more specific about the use case or threat model. Are you referring to a specific language too? – Marcel Oct 14 '19 at 05:55
  • Possible duplicates: https://security.stackexchange.com/questions/107025/is-obfuscation-worth-it, https://security.stackexchange.com/questions/86388/preventing-reverse-engineering-through-obfuscation-and-llvm, https://security.stackexchange.com/questions/219346/does-code-obfuscation-give-any-measurable-security-benefit – Marcel Oct 14 '19 at 06:02
  • If you _do_ decide to obfuscate/compress your code, then you should try to use a ready-made tool to do the job. Doing it _manually_ (as your title/question seem to imply) would almost certainly be a bad idea (something you'd have to do every time you alter the code, and extremely error-prone). – TripeHound Oct 14 '19 at 12:33

1 Answer

4

Oftentimes what you are seeing with those few-character variable names is JS code that's been minified and packed down to reduce its size, allowing the client to download (sometimes significantly) fewer bytes than if the code was otherwise not minified; the slight obfuscation you are seeing is merely a byproduct and not the main goal of minification. Something like JS Compress can compress code up to 80%.

If you are seeking true obfuscation you could try something like obfuscator.io which can make it harder to decode what is actually going on, though it is important to note that all front-end code obfuscation techniques can be reversed. Obfuscation serves to slow attackers down rather than keeping information secured.

jonroethke
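
To illustrate the answer's point that renaming shrinks code without protecting it, here is an added example (not part of the original answer, and not how JS Compress or obfuscator.io work internally): a toy regex-based identifier renamer run over a constructed snippet, followed by a listing of what stays readable in the shipped result. The names `SAMPLE`, `renameIdentifiers` and `stillReadable`, the placeholder URL and the key prefix are assumptions made for the illustration.

```javascript
// Constructed sample: client-side code with descriptive names and embedded literals.
const SAMPLE = `
function checkLicense(licenseKey) {
  const expectedPrefix = "DEMO-LICENSE-";
  const verifyEndpoint = "https://example.invalid/api/verify";
  let isValid = licenseKey.startsWith(expectedPrefix);
  return fetch(verifyEndpoint + "?ok=" + isValid);
}`;

const STRING = /"(?:[^"\\]|\\.)*"/g;
// Token: string literal | identifier (with a leading dot if it is a member) | whitespace | other char.
const TOKEN = /"(?:[^"\\]|\\.)*"|\.?[A-Za-z_$][\w$]*|\s+|[\s\S]/g;

// Names the code declares itself: function names, const/let/var bindings, parameters.
function declaredNames(source) {
  const code = source.replace(STRING, '""'); // ignore text inside literals
  const names = new Set();
  for (const m of code.matchAll(/\b(?:const|let|var|function)\s+([A-Za-z_$][\w$]*)/g)) {
    names.add(m[1]);
  }
  for (const m of code.matchAll(/\bfunction\s*[\w$]*\s*\(([^)]*)\)/g)) {
    m[1].split(",").map((p) => p.trim()).filter(Boolean).forEach((p) => names.add(p));
  }
  return [...names];
}

// Toy renamer (assumes at most 26 declared names and no existing one-letter names).
function renameIdentifiers(source) {
  const short = new Map(declaredNames(source).map((n, i) => [n, String.fromCharCode(97 + i)]));
  return source
    .replace(TOKEN, (tok) => (/^\s+$/.test(tok) ? " " : short.get(tok) ?? tok))
    .trim();
}

// What anyone reading the shipped code still sees verbatim.
function stillReadable(code) {
  return {
    strings: code.match(STRING) || [],
    members: code.replace(STRING, '""').match(/\.[A-Za-z_$][\w$]*/g) || [],
  };
}

const shipped = renameIdentifiers(SAMPLE);
console.log(shipped);
console.log(`${SAMPLE.length} -> ${shipped.length} characters`);
console.log(stillReadable(shipped));
```

The descriptive names disappear and the code gets shorter, but every string literal, built-in call and member name is carried through unchanged, so anything sensitive placed in client-side code remains visible after renaming.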