How can I secure the source code of my Firefox OS application? - firefox-os

I have an app for Firefox OS, and I would not like to expose any of the source code, even obfuscated source. Is there currently any means to do this? Is this functionality even planned? Also, this app has ALL functionality implemented in the client, so "move the business logic to the server back-end" does not address this issue.

There is no real solution yet, since every web page exposes the JavaScript source code.
Why not trying obfuscate ?

Since JavaScript is executed on the client side, not only in Firefox OS but every other platform too. The possible options are limited to obfuscating with aforementioned transformations or hiding the application logic in server-side code.
You can read more about app source protection from Mozilla official blog here: https://hacks.mozilla.org/2013/12/protecting-your-firefox-os-app-code/
You could write your application logic in C/C++ and protect it by encryption libraries and convert them into JavaScript using, Mozilla’s Emscripten tool which compiles C and C++ to JavaScript: https://github.com/kripken/emscripten/wiki

You're asking "how do I give someone something, and simultaneously take it away?" You can't. This issue hasn't been solved with JS, and neither with native code.

Related

PWA InkCanvas save strokes as svg in javascript

I need to use InkCanvas in my web application using javascript (angular), is it possible to save InkCanvas as a SVG using javascript (or convert InCanvas to canvas)? i see this, but it seems it works for C#, i need a way to do it in javascript!
I think InkCanvas is only supported in Universal Windows Platform (UWP) for Windows10. This is confirmed in this SO post.
You can use Webassembly to run C# code in web browser using some JS helpers. Here is a post explaining the same.
You can try this with the c# code that you are interested in. Compatibility depended. These are relatively new features and only way to know is to try.

Using PNaCl with node.js?

Is there anyway to use PNaCl or just Google Native Client with node.js?
The V8 JavaScript engine can be configured to target NaCl and PNaCl (which node.js uses).
If you're trying to sandbox node.js outside of the browser then you may want to check out the Codius paper.
If you want to use node.js inside a PNaCl/NaCl process inside Chrome then you may want to look at other naclports and nacl_io: in general PNaCl/NaCl support POSIX interfaces but they have to conform to the Web model, for example you need to mount the html5 filesystem before being able to do the usual read/write calls. This should work for a regular web page (using PNaCl) or for a Chrome app or extension.
I recently wrote a few more details pertaining to porting PHP which may be helpful. If you do get it working, please let the naclports folks know, and if something breaks do let them know too!

Embed node.js website in exe

I want to build desktop application that will use node.js and express to "render" the gui in a browser.
Since the client will have access to my application, is there any easy method to embed everything in my exe ?
I don't like the idea of having so many folders in my application folder, this makes it easy for everyone to modify and steal the source code.
The two popular solutions for delivering web-based cross-platform applications are:
NW.js
Electron
I prefer NW.js because it has better backward compatibility, particularly on OS X. They have different feature sets, so you may want to play around with both to see which one meets your needs.

Security considerations when creating a mobile app using PhoneGap

I'm a beginner in creating mobile apps with phonegap. I have some doubts on security aspects, when creating a mobile app with phonegap.
I want to create an app that accesses a Web service, e.g. a REST service created using Jersey. Now, am I correct in thinking that a hacker can easily see the security keys/authentication mechanism used, to authenticate the client (on a mobile app) with the server (where REST API is to be used)?
In general, can a hacker easily access all data being sent by the mobile app (which was created using phonegap)?
Can a hacker disassemble a phonegap app to obtain original code? Wont he get the native code (e.g. Objective C in case of ios)? Or can he decompile even that into original phonegap code (ie html+js)? How do I prevent my code from being decompiled? Is this scenario the same as for most other languages i.e. hackers with powerful PCs can hack into just about any program/software? Is there some way to prevent this from happening?
Allright, first take a deep breath. You are probably not going to like some of my answers but you'll be living with the same issues that we all are.
The best thing to do in this case is to use something like the KeyChain plugin to retrieve your security keys from the native side.
You can take PhoneGap out of the question because it applies to any situation where you send unencrypted data between a client and server. Anyone can easily listen in using a number of tools including Wireshark or Ethereal. If you need to communicate with a sever it should be done on an encrypted, HTTPS or SSL, connection.
First I think you are under the mistaken impression that PhoneGap compiles your HTML/JS code into Obj-C. It does not. If the user uncompresses your app they will be able to read your HTML/JS. Also, they'll be able to decompile your Obj-C code as well. This does not take a powerful PC or even an experienced hacker. Pretty much anyone can do it.
My advice to you is not to worry about it. Put your time into creating a truly great app. The people who will pay for it will pay for it. The folks who decompile it would never buy the app no matter what. The more time you take trying to combat the hackers takes away from the time you could use to make your app greater. Also, most anti-hacking measures just make life harder for your actual users so in fact they are counter productive.
TLDR -
Consider that you are coding a website and all code ( html and js ) will be visible to user with
Crtl+Shift+i as in browsers
Some points for ensuring maximum security
If your using backend then recheck everything coming from the app
All attacks possible on websites (XSS, redicting to malacious webistes , cloning webistes, etc are possible )
All the data sent to the app will finally be available in some js variables / resource files , Since all variables are accessible by hacker so is all the data sent to app EVEN IF YOU ARE USING THE MOST SECURE DATA TRANSMISSION MECHANISMS
As Simon correctly said in his ans , phonegap or cordova does not convert html / js to native code . Html / Js is available as-it-is
Cordova also explicitly mentions this in their official statement
Do not assume that your source code is secure
Since a Cordova application is built from HTML and JavaScript assets that get packaged in a native container, you should not consider your code to be secure. It is possible to reverse engineer a Cordova application.
5.Mainly all the techniques which are used by websites to prevent their code from being cloned / easily understood are applicable even here (Mainly it includes converting js code into hard to read format - obfuscating code)
6.Comparing native apps with cordova/phonegap apps native apps , I would say that cordova are easier for hacker only because of lack of awareness between cordova developers who do not take enough measures to secure it and lack of readily available(one click ) mechanisms to directly obfuscate the code vs in android proguard
Sample Cordova App Hacking (NOTE:Phonegap also works in similar way)
I'll show an example to show how easy is it for hacker to hack a cordova app(where developer has taken no efforts in obfuscating the code )
basically we start with unzipping the apk files (apks can be unzipped like zip files )
The contents inside will be similar to this
The source code for cordova apps is present in /assets/www/ folder
As you can see all the contents including any databases that you have packed with the app are visible(see last 2 rows have a db file )
Along with it any other resources are also directly visible (text files/js / html/ audio / video / etc)
All the views / controllers are visible and editable too
Further exploring the contents we find a PaymentController.js file
Opening it we can directly see the js code and other comments
here we note that after user performs payment if it is successful then successCallback is called else cancelCallback is called.
Hacker can simply replace the two functions so that when payment is not successful successCallback is called .
In absence of other checks the hacker has successfully bypassed payment.

Running C# app inside browser as a plugin

I have a small 2D game engine written in C#, using DirectX. Is it possible to somehow run it in a browser as a plugin? Like for example Flash and others, where you go to a site with a game and it will ask you to install a certain plugin and then you can play the game in the browser, with mouse and keyboard input.
I have searched around for hours and I still don't know what I'm looking for. I have so far primarily focused on Internet Explorer, but there are plugins, addons, extensions, etc I don't know what I need really.
Yes I think it is possible.
For example, I have an HTML page which includes an element like this:
<object id="simpleControl1"
classid="http:RenderTextProject5.dll#RenderTextProject.ScrollableControl"
height="300"
width="300">
</object>
The 'classid' attribute value has the following meaning/syntax:
RenderTextProject5.dll is the filename of a compiled .NET assembly
RenderTextProject.ScrollableControl is the qualified name (namespace plus classname) of a class which subclasses System.Windows.Forms.Control
I can then see the control being rendered in the browser.
I'm using IE (IE8, but it used to work with IE6 too), and I have the .NET framework installed on my machine (but I think I needn't have the RenderTextProject5 assembly installed on the client machine).
There may be some other caveats too (e.g. I needed to run in the Intranet security zone).
See Return of the Rich Client: Code Access Security and Distribution Features in .NET Enhance Client-Side Apps.
Look for Silverlight.. It is maybe not exactly what you need but it is a browser plugin capable of running C# code ;)
There is a relatively new plugin called Unity. It is a bit more complex, as it is a dev/3D authoring environment on its own, but uses C# as its language as far as I know. However I don't know if pure 2D programming is possible (well, may be worked around using ortho 3d?).
The basic version is free to download recently, maybe worth a check.
It is possible to run C# applications in a web browser without using plugins. For example, C# applications can be compiled into JavaScript applications using JSIL.

Resources