locked
Will users be able to see my app code?

    Question

  • For the application that I deploy will users be able to see my JS, HTML and CSS code? In a normal web browser you can view source but I can't seem to do that with the Metro apps so I just wanted to confirm this was the case. 

    Will I need to run an obfuscation tool against it to really protect myself?



    C#, ASP.NET San Diego, California programmer

    Saturday, March 17, 2012 11:39 PM

Answers

  • Hi,

    Obfuscation is needed if you want to protect your code because end users can see the source code. To see source code, you can run the Metro style application and use Task Manager to "Open file location". Then you'll be able to see all code of this application.


    Allen Chen [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.


    Monday, March 19, 2012 6:19 AM
  • Obfuscation protects you against one and exactly one thing: someone copy-pasting your code directly into their app and having the benefit of your awesome formatting and comments. It should not be considered a true security measure as it can be prettified and deciphered just like any managed code out there. Any code that is running on the client machine should be considered totally visible to the user of the client machine.

    Also worth considering is if you minify your code, the callstacks you get back from the store for crashing apps will contain the minified function names and might not be terribly useful for you.

    Cheers,

    -Jeff

    Monday, March 19, 2012 5:43 PM
  • ive also noticed you can easily view the source of javascript based apps which is a bit of a security risk if your code includes urls to servers which store data and payment processors that type of thing so it would be best to obfuscate and minify your code.  it would be great if this could be done automatically by the windows store on app submission for that extra piece of mind and i know microsoft or under no obligation to do anything like that but it would be an added bonus for javascript developers

    a quick search on bing for javascript obfuscators and minifiers will bring up a good collection of free services you can use

    Monday, March 19, 2012 1:04 PM
  • Obsucation won't help if your web services aren't secure. That's another thing altogether.
    Monday, March 19, 2012 3:07 PM

All replies

  • Hi,

    Obfuscation is needed if you want to protect your code because end users can see the source code. To see source code, you can run the Metro style application and use Task Manager to "Open file location". Then you'll be able to see all code of this application.


    Allen Chen [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.


    Monday, March 19, 2012 6:19 AM
  • ive also noticed you can easily view the source of javascript based apps which is a bit of a security risk if your code includes urls to servers which store data and payment processors that type of thing so it would be best to obfuscate and minify your code.  it would be great if this could be done automatically by the windows store on app submission for that extra piece of mind and i know microsoft or under no obligation to do anything like that but it would be an added bonus for javascript developers

    a quick search on bing for javascript obfuscators and minifiers will bring up a good collection of free services you can use

    Monday, March 19, 2012 1:04 PM
  • Obsucation won't help if your web services aren't secure. That's another thing altogether.
    Monday, March 19, 2012 3:07 PM
  • Obfuscation protects you against one and exactly one thing: someone copy-pasting your code directly into their app and having the benefit of your awesome formatting and comments. It should not be considered a true security measure as it can be prettified and deciphered just like any managed code out there. Any code that is running on the client machine should be considered totally visible to the user of the client machine.

    Also worth considering is if you minify your code, the callstacks you get back from the store for crashing apps will contain the minified function names and might not be terribly useful for you.

    Cheers,

    -Jeff

    Monday, March 19, 2012 5:43 PM