DEV Community

loading...

Discussion on: How to encrypt strings & files in your source code?

Collapse
moopet profile image
Ben Sinclair

Can you think of any examples of where someone would want to do this in the real world?

Collapse
nuculabs_dev profile image
Nucu Labs

Malware authors do this all the time. Quite frustrating

Collapse
bartosz profile image
Bartosz Wójcik Author

Everyone is using encryption, in one form or another. I have seen many, many legit applications with encryption for simple messages, just to hide it from prying eyes. Encryption is used everywhere. To hide configuration settings, to hide database contents, to hide proprietary project formats. Most deployed JavaScript source codes on the web are either obfuscated (with some sort of encryption for strings and variables) or minified.

Thread Thread
moopet profile image
Ben Sinclair

Most deployed Javascript is minified, not obfuscated.
Encryption is used mostly to secure communication between two parties or to restrict who can play your media (like DRM). I can't think of any use case for it in things like hiding configuration settings or database contents. The fact is, if your client-side code has to decrypt something, then the decrypted version exists on the client's computer, rendering the encryption moot.

Thread Thread
bartosz profile image
Bartosz Wójcik Author • Edited

Well Ben you didn't understand the purpose of this extension, it's not meant to replace traditional encryption algorithms like AES but to provide quick help for regular developers to hide simple things from curious users who might want to sniff around your source codes.

Encryption is used everywhere Ben. I did native, web, mobile development and everyone is using some forms of encryption. Communication channels encryption, messages encryption, database encryption (in automotive software for example), executables encryption to prevent cracking of software, configuration files encryption to prevent someone from tampering with the settings (a lot of games is doing that, also for static configurations), secret endpoints encryption, database connection strings encryption in desktop apps, static project files encryption to prevent patching it or easily stealing its content. Plenty of encryption everywhere.

Every decryption code gets executed at some point, no matter if you use AES, external DLL libraries in native apps or my solution.

Collapse
bartosz profile image
Bartosz Wójcik Author • Edited

Most common usage is to hide messages you don't want people to find with a simple text editor or a hex-editor, but you can do more:

  • Quickly encrypt file contents of your own and NOT do it with simple xor encryption (you will have to write an encryptor yourself anyway)
  • Encrypt secret API endpoints (e.g. in Python code that will be compiled to exe format afterward
  • Obfuscate JS strings
  • Encrypt C/C++ strings used in some licensing code, I've seen this countless times ("Your license has expired.", "Serial number is invalid" etc.)
  • Encrypt shellcode strings in Python exploits

This engine is incorporated into a few source code obfuscators too to hide the strings and make it hard for automated tools to deobfuscate it.

Collapse
moopet profile image
Ben Sinclair

Encrypting endpoints sounds like a bad idea to me. It's security through obfuscation, which is defeated by either sniffing the network traffic or running a debugger. If someone's prepared to look through your code to find an API endpoint, they're not going to be put off by that sort of thing, and hiding API endpoints sounds like a recipe for disaster - at the very least it implies that your API is insecure.

"obfuscare js strings" is a weird one. Malware does that, but I can't think of any legitimate reason a programmer would want to do it. Is this mainly a tool pitched at malware authors?

Thread Thread
bartosz profile image
Bartosz Wójcik Author

I have listed a good number of legitimate uses, why you didn't comment on those at all? You don't think there is a legitimate case for encrypting files or messages within your source codes? This tool is mainly dedicated to regular software developers who might need a simple encryption to hide stuff from prying eyes. If you think there is no point in doing that - you have the right to your own opinion.