2
votes

For instance, I have a library and I would like to protect the source code from being viewed. The first method that comes to mind is to create public wrappers for private functions like the following:

function executeMyCoolFunction(param1, param2, param3) {
  return executeMyCoolFunction_(param1, param2, param3);
}

Only the public part of the code will be visible this way. It is fine, but all Google Service functions look like function abs() {/* */}. I am curious: is there an approach to hide library source code like Google does?

Edit 00: Do not "hide" library code by using another library, i.e. LibA with a known project key uses LibB with an unknown project key. It is possible to get the code of LibB's public functions and even execute them. The code is:

function exploreLib_(lib, libName) {
  if (libName == null) {
    for (var name in this) {
      if (this[name] == lib) {
        libName = name;
      }
    }
  }
  var res = [];
  for (var entity in lib) {
    var obj = lib[entity];
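    var code = null; // reset per iteration: var is function-scoped, so a stale value would otherwise be pushed again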
    if (obj["toSource"] != null) {
      code = obj.toSource();
    }
    else if (obj["toString"] != null) {
      code = obj.toString();
    }
    else {
      var nextLibCode = exploreLib_(obj, libName + "." + entity);
      res = res.concat(nextLibCode);
    }
    if (code != null) {
      res.push({ libraryName: libName, functionCode: code });
    }
  }
  return res;
}

function explorerLibPublicFunctionsCode() {
  var lstPublicFunctions = exploreLib_(LibA);
  var password = LibA.LibB.getPassword();
}

2 Answers

0
votes

I don't know what Google does, but you could do something like this (not tested! just an idea):

Function declarations:

var myApp = {
  foo: function() { /**/ },
  bar: function() { /**/ }
};

And then, in another place, an anonymous function writes foo() and bar():

(function(a) {
  a['\u0066\u006F\u006F'] = function(){
    // here code for foo
  };
  a['\u0062\u0061\u0072'] = function(){
    // here code for bar
  };
})(myApp);

You can pack or minify to obfuscate even more.

0
votes

Edit: changed my answer to reflect the fact that an exception's stacktrace will contain the library project key.

In this example, MyLibraryB is a library included by MyLibraryA. Both are shared publicly to view (access controls) but only MyLibraryA's project key is made known. It appears it would be very difficult for an attacker to see the code in MyLibraryB:

//this function is in your MyLibraryA, and you share its project key
function executeMyCoolFunction(param1, param2, param3) {
  for (var i = 0; i < 1000000; i++) {
    debugger; //forces a breakpoint that the IDE cannot? step over
  }
  //... your code goes here
  //don't share MyLibraryB project key
  MyLibraryB.doSomething(/* args... */);
}

but as per @megabyte1024's comments, if you were to cause an exception in MyLibraryB.doSomething(), the stack trace would contain the project key to MyLibraryB.
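Added example, not code from any of the posts above: a plain JavaScript audit (run under Node.js, not Apps Script) that a library author can use to list what each function reachable from a library object reveals through toString(). It shows that the wrapper pattern from the question exposes only the wrapper's text, that the escaped property names from the first answer hide nothing, and that a literal inside a reachable function is readable. `auditExposedSource`, `sampleLib` and the `API_KEY` value are hypothetical names and constructed data.

```javascript
// Walk a library-like object and record the source text each reachable
// function exposes, flagging any whose text matches secretPattern.
function auditExposedSource(lib, secretPattern, path, seen) {
  path = path || 'lib';
  seen = seen || [];
  var findings = [];
  if (lib === null || typeof lib !== 'object') return findings;
  if (seen.indexOf(lib) !== -1) return findings; // guard against cycles
  seen.push(lib);
  Object.keys(lib).forEach(function (name) {
    var member = lib[name];
    var where = path + '.' + name;
    if (typeof member === 'function') {
      var src = Function.prototype.toString.call(member);
      findings.push({
        name: where,
        source: src,
        leaksSecret: secretPattern.test(src)
      });
    } else {
      // Nested namespaces (e.g. a library included by another library).
      findings = findings.concat(
        auditExposedSource(member, secretPattern, where, seen));
    }
  });
  return findings;
}

// Constructed stand-in for a published library (hypothetical).
var sampleLib = (function () {
  // Private helper: not a property of the library, so its body is not listed.
  function compute_(a, b) { return a * b + 42; }
  var api = {
    // Public wrapper: only this one line is visible to callers.
    compute: function (a, b) { return compute_(a, b); },
    nested: {}
  };
  // Escaped name as in the first answer; it is simply the key "getKey".
  api.nested['\u0067\u0065\u0074\u004B\u0065\u0079'] = function () {
    return 'API_KEY=constructed-demo-value';
  };
  return api;
})();

auditExposedSource(sampleLib, /API_KEY=/).forEach(function (f) {
  console.log(f.name, f.leaksSecret ? '[secret literal visible]' : '', f.source);
});
```

Anything the audit flags should be moved out of the library source, since callers can also simply invoke a public function and read its return value.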