Obfuscation, minification… When is it worth doing?

Well, it all comes down to one simple question: Why?


Minification can be a really good thing. When sending scripts over a network, for example over HTTP, it can be very useful. By using minification you can make a script or a document - which does not have to be read by a human - a lot smaller. The computer will be able to read it just as well, while the client gets the file with a - sometimes - noticeable increase in download speed.

But can minification be used to make a script more secure?
In essence, no. Not at all.
Making something harder to read might stop the least adept hackers from reading the code, but in the end, it's just as open as non-minified code.


Obfuscation is another story…
If you don’t know what obfuscation is, it's basically when the code is rewritten by a program to be as unreadable as possible.
Obfuscating a script sent to a client is, from a security perspective, a little bit less useful than minification.
The size could be decreased I guess, but does it increase the security?
Not really. Making code harder to read will not stop someone who really wants to crack the script, or the binary.
There is a small security win, but “security by obscurity” is not a good way to go.

But my secrets!

Some people might at this point ask: what can I do to keep the secrets in my application secure then?… Nothing. Nothing at all. And that’s why you should NEVER EVER store anything on the client that you do not want the client to have.

If you give a client a binary, pretend that the client can read it like an open book.
Never pretend that a client can’t access the data in the binary, because if they really want, they can.

So is it worth it?

The answer is still “it could be”…
Minification, yes, it's worth it: making scripts smaller and making load times on the web better is always great.
But obfuscation… Not really.

My general rule for obfuscation as security is:

If you spend more time on hiding code than writing it, you are doing something very very wrong.

In my honest opinion, it's not really worth wasting time on it at all. All the time you put into obfuscation is wasted the moment that one cracker has cracked it.

What to do?!

There are ways to store secrets, there are ways to make your code “secure”. The big problem is that if you want to do this, you can’t do it on the client.
The client is never secure and is always to be seen as compromised.
Any secrets, any data manipulation that you don’t want the user to have access to should be done on a secure server.
A server can be hacked, of course, but it’s a lot easier (and safer) to crack an application than a server!

A good pattern to consider is to use the client mainly as a UI.
The user has access to a layer of the program that they interact with; all “important” stuff is done on the server.
That way your code is safe(er) with you.
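
An added example, not part of the original post: a build-time check for Node.js that reports when a server-side secret can be recovered from the script shipped to the client, whether the string literal is plain, hex-escaped by an obfuscator, or base64-encoded. The function names, the secret value and the sample bundles are all constructed for illustration.

```javascript
// Decode the escape sequences obfuscators commonly emit (\xNN, \uNNNN, \").
function unescapeLiteral(body) {
  const fromHex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return body
    .replace(/\\x([0-9a-fA-F]{2})/g, fromHex)
    .replace(/\\u([0-9a-fA-F]{4})/g, fromHex)
    .replace(/\\(['"`\\])/g, '$1');
}

// Pull every quoted string literal out of the source, however it is formatted.
function stringLiterals(source) {
  const re = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/gs;
  return [...source.matchAll(re)].map((m) => unescapeLiteral(m[2]));
}

// The literal itself, plus its base64 decoding when it looks like base64.
function candidateForms(literal) {
  const forms = [literal];
  if (/^[A-Za-z0-9+/]{8,}={0,2}$/.test(literal) && literal.length % 4 === 0) {
    forms.push(Buffer.from(literal, 'base64').toString('utf8'));
  }
  return forms;
}

// Names of the server-side secrets whose value is recoverable from the bundle.
function findLeakedSecrets(bundleSource, secrets) {
  const forms = stringLiterals(bundleSource).flatMap(candidateForms);
  return Object.keys(secrets).filter((name) =>
    forms.some((form) => form.includes(secrets[name])));
}

// Constructed sample data: a made-up secret and four made-up client bundles.
const SECRETS = { PAYMENT_KEY: 'example-secret-0001' };
const hex = [...SECRETS.PAYMENT_KEY]
  .map((c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'))
  .join('');
const b64 = Buffer.from(SECRETS.PAYMENT_KEY).toString('base64');

const minified = 'var k="example-secret-0001";fetch("/pay",{headers:{a:k}})';
const obfuscated = `var _0x1=["${hex}"];send(_0x1[0])`;
const encoded = `var t=atob("${b64}");send(t)`;
// Client as UI only: it names the endpoint, the key stays on the server.
const uiOnly = 'fetch("/pay",{method:"POST",body:JSON.stringify({cart:id})})';

for (const [label, src] of Object.entries({ minified, obfuscated, encoded, uiOnly })) {
  console.log(label, findLeakedSecrets(src, SECRETS));
}
```

Only the last bundle, where the client is just a UI calling the server, comes back clean.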

End words

Obfuscate your code as much as you wish. It’s not a hard thing to do, and making a potential hacker annoyed with some extra work could be pleasing.
But never pretend that it makes the application more secure from hackers. Because if you do, you are very very wrong.