Hacker News new | ask | show | jobs
by chrisohara 5173 days ago
as I said above, de-obfuscating a large javascript app that's been obfuscated/minified by proprietary tools is virtually impossible to decode. Try running some of google's code - gmail, docs, take your pick - through your beautifier ;)
1 comments
rralian 5172 days ago
I don't know if anybody uses proprietary tools to minify and obfuscate their javascript. We all use the same minification tools, with different features selected. Seems like most people use YUI compressor, or one of the others listed here http://compressorrater.thruhere.net/. I assume Google is using their closure tools (which I've never played with myself).

It's a lot easier to reverse-engineer the site than to build it from scratch yourself. You won't get all the comments, and some of the names of functions and variables and whatnot may lose their semantic meaning in favor of shorter names. But yes, it is trivial to unminify the source and work through it. If it's 10k+ lines of code, that's never trivial to understand and get it all in your head, but the concern is absolutely valid. If you think minifying/obfuscating is securing your code intellectual property, you're fooling yourself. It's like security through obscurity... it's not really offering you any protection.

link
sjs 5170 days ago
That doesn't sound right to me. People will rewrite code that already exists as open source because they don't want to take the time to understand someone else's code. But you're saying that some will reverse engineer a JS app from minified code rather than just rewrite it. Are there any examples of this actually happening?

I'm a curious guy and have deciphered small-ish amounts of minified and/or obfuscated JS before. It is absolutely not trivial. Especially if it's obfuscated.

link
rralian 5160 days ago
I'm mostly responding to your comment here.

"un-minifying or un-obfuscating JavaScript is not a trivial exercise by any means."

I think you mean that understanding obfuscated code is not trivial. Un-minifying is certainly trivial. There are tools to do it for you. There's no such thing as un-obfuscating, if you consider that you can't get the original comments or all the semantic naming back. So I'll concede that it's more difficult to read through this obfuscated code than the original. But the original comment in this long thread seems valid to me... that an entirely client side app puts you at much greater risk for cloning than an app with a significant portion of code in back-end, just because your javascript is out there for all to see.

link