About HTML encryption confusion, source protection, code security, prevent decompression directly see the source code

has been asked to confuse HTML encryption how to do, in fact, this in the industry is already a lot of people have studied the subject.
Recently in the spare time to organize an article to share to everyone.

What is the purpose of encryption before we take the demand? What level of encryption to? What can we sacrifice for this?
We know that there is no absolute security in this world, and encryption can be cracked and confused.
Technology small white, developers, hackers, is a completely different level, to prevent different levels of people strategy is not the same.
The greater the protection, the greater the cost of investment, such as hiring a professional security company.
In addition to input, we also need to consider the execution performance and user experience of the program.
Encrypted code must be decrypted at run time, and the execution performance of the program will degrade after confusion, especially when the HTML is confused.
Whether it is really necessary to do this kind of source protection, but also need to be cautious choice.

In general, the front-end code is responsible for the user experience, the backend code, responsible for more secure data processing.
The front-end does not involve leaking too much secret information, then the meaning of encryption is not particularly large.
I seldom see anything in the front-end code that is worth protecting, such as advanced algorithms, where many code is not necessarily sacrificed to the user experience to protect it.
But some front-end code involves the end user's data security, at this time still want to do data protection.

Then the specific analysis of several means.

1. Do not put sensitive data on the front end
   This sounds nonsense, but it's really important.
   It is very dangerous for some developers to save the user's password in plaintext on the phone.
   Even native development, once the phone is rooted, it can also cause data leakage. Not to mention HTML5 development.
   Better practice is the mobile phone token, rather than the password, here is an article dedicated to this piece, involved in the login developers recommend a closer look at the design of the HTML5-based app login function and the way of secure call Interface (principle article)

1. JS, CSS Compression
   Compression is not encryption, nor is it confusing. But the compressed JS file, often also has a confusing function.
   JS, CSS compression is a very common technology, we often see the various framework of the filename is xxx.min.js,xxx.min.css.
   Using the appropriate JS, CSS compression scheme, you can reduce file size, increase loading speed, and most importantly, it can also speed up the execution performance of the program. There is no harm in doing anything but a profit.
   Confused JS more commonly used tools are Yahoo Yui confusion, in the Hbuilder Point menu Tool-plug-in installation, Inside has Yui compress, can compress JS and CSS.
   If JS, CSS is relatively large, pre-release compression is a more recommended practice.

1. HTML, JS, CSS Obfuscation
   Although compression can also be confused, but not to let others do not understand for the purpose, confusion is really to others can not understand for the purpose.
   But this confusion is not as much as compression, and it can reduce the performance of the program execution.
   Some developers do not want the release package can be extracted directly to see the source code, then you can use the obfuscation scheme.
   Web search HTML confusion, data and tools are very many.
   The principle is similar, JS code into a messy string, and then use eval, HTML code into a messy string, with document.write or innerHTML execution, CSS can also be dynamically written in the document.write < Style>.
   These tools are free and commercial, and the more commercial the more difficult it is to be counter-confused.
   This is the free online obfuscation tool http://www.myobfuscate.com
   This is a relatively well-known business tool, http://www.jasob.com.
   In fact, we can also write the confusion algorithm according to the principle.
   Confusion is also a mature technology for years, such as Google's protection of Gmail's front-end code, but also by confusion.
   Whether compression or confusion, using grunt to publish is a good way to develop a key call grunt processing, very convenient.

1. Prevents WebKit remote Debug, which prevents browser console debugging
   Android4.4 and above and iOS are support for WebKit remote debug, and in the Hbuilder tutorial there are tutorials on how to use Chrome to debug Android apps, and use Safari to debug iOS apps.
   In the app developed by Hbuilder, there is a debug tag under Plus-distribute in Manifest.json, labeled false and packaged so that the package runs on the phone and WebView blocks the browser's remote debugging requests.
   If you want to debug, then change debug to True before packaging.
   Of course some Android ROM is not very standard, and can not prevent debugging, this belongs to the ROM bug.

1. Professional encryption and reinforcement shell service
   Due to the specificity of Android, the APK has been reinforced, the shell industry, which is the industry's Common apk protection scheme.
   Many application markets provide reinforcement services, such as the reinforcement of 360 mobile phone assistants,
   
   

2. There are professional firms such as: Love encryption, there are free basic security services, there are also charges for advanced security services.

PostScript, some non-professional security companies to provide the so-called source code encryption services, in fact, is flawed.
Safety is no small matter, the use of professional security services products more reliable.

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

About HTML encryption confusion, source protection, code security, prevent decompression directly see the source code