How to secure application source code in WinJS

    Question

  • I have a question about source code security in Windows Store applications developed using HTML/JavaScript (or even some XAML/C# apps).

    I, and everybody out there, know that if we can access some specific directory of the PC as administrator, we can see the source code of any apps installed from the Windows Store. And I'm sure 99.99% of Windows users in this world are administrator users.

    Is there any way that I can protect the source code of my application? I am not possessive of my code at all, but I know most others are.

    One more important thing: how do I store my web service client secret, other than by including it in the code? Think about a Facebook application secret or a Twitter client secret. I have to include that information in the source code. Are there any techniques I can use?


    Thiwakorn Faengrit Associate Technical Evangelist, DPE Microsoft (Thailand)

    Friday, December 14, 2012 10:26 AM

Answers

  • See the sticky post at the top of the forum for your security question.

    I am glad you are certified!  You do not have to minify the 3rd party libraries.  There is no performance benefit since it will be pre-compiled per the reference I gave you above.

    -Jeff


    Jeff Sanders (MSFT)

    Tuesday, December 18, 2012 1:54 PM
    Moderator

All replies

  • It's a good question; I never really wondered if the JS code was accessible using an admin account on the PC/tablet.

    I found that minification was somewhat of a good tool (on websites at least, but I figure it may apply to Store apps) to secure the code, making it pretty hard to read (it's not compiling or encrypting, though). It should be something done before generating the deployment (otherwise debugging is pretty hard).

    The question in this case is what tool to use for Store apps. You can use JSMin or Microsoft Ajax Minifier in a deployment process for a website, but I have never tried including it in the publishing tasks of a Store app, only on C# websites. I'm not sure how feasible it is to automate the process in this case.

    Saturday, December 15, 2012 2:29 AM
  • I've had trouble getting apps to successfully pass technical validation with any form of minification at all.
    • Edited by tt92618 Monday, December 17, 2012 12:33 AM
    • Proposed as answer by TK MAHATO Tuesday, December 18, 2012 6:07 PM
    Monday, December 17, 2012 12:32 AM
  • If you minify you need to ensure the minification retains the BOM.

    http://msdn.microsoft.com/en-us/library/windows/apps/hh849088


    Jeff Sanders (MSFT)

    Monday, December 17, 2012 1:17 PM
    Moderator
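
A build-time check for the BOM requirement mentioned in the reply above, as an added example that is not part of the original thread or of any Microsoft tooling. It assumes "the BOM" means the UTF-8 byte order mark (EF BB BF) and that packaged scripts end in `.js`; the function names and the stand-in minifier are hypothetical.

```javascript
// Added example (not from the thread). Assumes "the BOM" is the UTF-8 BOM
// (EF BB BF) and that packaged scripts end in .js; names are hypothetical.
const fs = require("fs");
const path = require("path");

const UTF8_BOM = Buffer.from([0xef, 0xbb, 0xbf]);

// True when the buffer starts with the UTF-8 byte order mark.
function hasUtf8Bom(buf) {
  return buf.length >= 3 && buf.subarray(0, 3).equals(UTF8_BOM);
}

// Return the buffer with exactly one leading BOM (idempotent).
function ensureUtf8Bom(buf) {
  return hasUtf8Bom(buf) ? buf : Buffer.concat([UTF8_BOM, buf]);
}

// Run a minifier (any string -> string function) without losing the BOM.
// The mark is cut off before decoding so the minifier never sees U+FEFF.
function minifyKeepingBom(buf, minify) {
  const body = hasUtf8Bom(buf) ? buf.subarray(3) : buf;
  const out = minify(body.toString("utf8"));
  return ensureUtf8Bom(Buffer.from(out.replace(/^\uFEFF/, ""), "utf8"));
}

// Recursively list .js files under dir whose first three bytes are not the BOM.
function findFilesMissingBom(dir) {
  const missing = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) {
      missing.push(...findFilesMissingBom(full));
    } else if (entry.name.toLowerCase().endsWith(".js")) {
      const fd = fs.openSync(full, "r");
      const head = Buffer.alloc(3);
      const n = fs.readSync(fd, head, 0, 3, 0);
      fs.closeSync(fd);
      if (!hasUtf8Bom(head.subarray(0, n))) missing.push(full);
    }
  }
  return missing;
}

// Constructed sample: a BOM-prefixed script and a stand-in "minifier"
// that collapses whitespace (a real build would call its own tool here).
const sample = Buffer.concat([UTF8_BOM, Buffer.from("var  a =  1;\n")]);
const toyMinify = (src) => src.replace(/\s+/g, " ").trim();
const minified = minifyKeepingBom(sample, toyMinify);
console.log(hasUtf8Bom(minified), minified.subarray(3).toString("utf8"));
```

Running `findFilesMissingBom` over the package folder before submission lists every script a minification step left without the mark.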
  • Thanks Jeff.

    I've had issues here even after ensuring that BOM was included.  These issues occurred with the minified versions of popular libraries like jQuery and Raphael.  

    In order to pass technical certification I eventually wound up eliminating those libs included in my app package.

    I don't think, by the way, that these issues are a result of problems within bytecode generation; the apps run just fine with the minified libs.  However, it seems to be an issue somewhere in the certification process.

    Anyway, I'm curious to know whether or not an admin user can directly modify the JS files inside a package.  If so, this could make almost any JS / HTML5 app easy prey for unlocking.

    Tuesday, December 18, 2012 6:03 AM
  • Thank you for pointing me to the sticky post. I was too hurried to post this.

    I have a little question.

    Will there be minification, obfuscation, encryption, or any other process to improve application security built into the Windows Store submission process in the future, before the app goes to the user's PC?

    And I still don't know any better way to store my Facebook application secret.



    • Edited by Thiwakorn Tuesday, December 18, 2012 8:05 PM
    Tuesday, December 18, 2012 3:45 PM
  • nice question!!!
    Tuesday, December 18, 2012 5:42 PM
  • You are welcome.

    We do not discuss any future plans until they have been publicly announced.

    -Jeff


    Jeff Sanders (MSFT)

    Tuesday, December 18, 2012 7:53 PM
    Moderator