How to protect my web app (scripts, models)?

For scripts, i know there is something like JScompress to make the scripts smaller and unreadable. but how do i do it with Playcanvas? I use Chrome inspect panel to read the downloads, and the scripts are quite readable. Do i have to download the build and compress it myself?

For models, i use Chrome to read the downloads and find out the 3d models are readable JSON, which mean it’s very easy to convert it to any 3d format. Is there any way to make it more secure? How does sketchfab do it?

Also, is it possible to protect the textures instead of sending it as native image files?

Yep. The paid plans allow exporting the build and you can do post build step to compress/obfuscate the JS code.

You are pretty much sending everything over internet to the clients’ machine so it will be readable by the client in some form.

You have to think about protection as Internet content vs a typical game. So the usual copyright, trademark etc. Trying to protect the content is a losing battle to be honest.

It’s possible to extract the artwork from just about any native game.

• Flappy Bird
• Titanfall
• Doom 3
• Call of Duty: Black Ops III

Sketchfab uses OSGJS as its rendering engine. Presumably, the models are in the file format of the engine. It’s not encrypted and I doubt there’s any obfuscation. The nature of the web today is that there is no DRM that can be applied to any web content. There’s always a mechanism to access the downloaded data somehow.

If you don’t want to send JPGs/PNGs to the client, just use the Editor’s ability to compress images to GPU supported formats. You should probably be doing that anyway to use less video memory for your textures.

Lastly, the Editor does minify and obfuscate your game scripts. Just ensure when you publish, you check this box:

image.jpg2147×1224 235 KB

i have tried “concatenate Scripts”, but my scripts in __game-scripts.js are still very readable. i can just beautify it and copy it toanother project.

That’s the best level of JavaScript obfuscation that can be achieved AFAIK. Unless you are aware of better alternatives?

I’ve been using https://obfuscator.io/ for a web page which really mangles the code and trips breakpoints if someone tries to look in devtools. Haven’t tried it with PlayCanvas code yet though so I have no idea if it works or impacts performance.

Code looks like this afterwards:

function(){var _0x25f653={'cOINL':function(_0x390461,_0x43b144){return _0x390461===_0x43b144;},'GykCg':_0xf5244c[_0x58b8('0x17')]};var _0x39bdfd=!![];return function(_0x2f4a36,_0x5a7f2d){var _0xe6e76a=_0x39bdfd?function(){if(_0x5a7f2d){if(_0x25f653[_0x58b8('0x18')](_0x25f653[_0x58b8('0x19')],_0x25f653[_0x58b8('0x19')])){var _0x32b3c2=_0x5a7f2d[_0x58b8('0x1a')](_0x2f4a36,arguments);_0x5a7f2d=null;return _0x32b3c2;}else{if(_0x480577){console[_0x58b8('0x1b')](e);}}}}:function(){};_0x39bdfd=![];return _0xe6e76a;};}();(function(){if(_0xf5244c['PMIts']===_0xf5244c[_0x58b8('0x1c')]){d=ds[i];d[_0x58b8('0x1d')]['display']=displayValue;}else{_0xf5244c[_0x58b8('0x1e')](_0xf6199d,this,function(){var _0x4eb353=new RegExp(_0xf5244c[_0x58b8('0x1f')]);var _0x405e8b=new RegExp(_0xf5244c['PUUNL'],'i');var _0x2372d2=_0xf5244c[_0x58b8('0x20')](_0x1605ac,_0x58b8('0x21'));if(!_0x4eb353[_0x58b8('0x22')](_0xf5244c[_0x58b8('0x23')](_0x2372d2,_0xf5244c['hySTV']))||!_0x405e8b['test'](_0xf5244c[_0x58b8('0x23')](_0x2372d2,_0xf5244c[_0x58b8('0x24')]))){if(_0xf5244c[_0x58b8('0x25')]===_0xf5244c[_0x58b8('0x26')]){return-0x1;}else{_0xf5244c[_0x58b8('0x20')](_0x2372d2,'0');}}else{_0x1605ac();}})();}}());var _0x111c2a=function(){var _0x31490e={'WxboR':function(_0x9922d2,_0x4f545b){return _0xf5244c[_0x58b8('0x27')](_0x9922d2,_0x4f545b);},'yCWKZ':_0xf5244c[_0x58b8('0x28')],

Okay. Here is my conclusion after some more experiment.

The latest web browsers (chrome/firefox) seems avoiding NinjaRipper ripping the models. i can only get some useless fragments. But with an older firefox, i can rip the models through Ninja Ripper.It works perfectly with PlayCanvas, but for sketchfab, it can only get a messed up model. So I guess they have added some obfuscation,their model probably only works with correct shader.

I just tried obfuscator.io on my own project and it works quite well. It’s a simple project at the moment so I haven’t noticed any performance impact. It’s possible that might change as the project grows, but so far so good.

Thanks for the suggestion!

It would be great to have an obfuscation option for download.

I think I read somewhere that code published within the PlayCanvas site is obfuscated by default, it would be good to have the same obfuscation option here for the download option.

I think the concatenate option does more than just concatenate and minify. Hey, @vaios, doesn’t it also obfuscate?

I dunno. I’m no expert, but just today I wanted to make a simple modification to a script without doing the full publish. It was simply a matter of removing two // marks to un-remark a line … or so I thought.

Turns out that the remark was removed by the concatenation process. So, no big deal. I’ll just type it in manually. But hold on. The existing script seems to be breaking the rules about using a semicolon at the end of some lines. Hmmm… So I insert my line anyway and it broke a completely unrelated part of the app. So I just went ahead and made the simple change in editor and re-published and then went and looked to see what the change looked like in the final __game-scripts.js. That’s when I noticed that event.event.preventDefault was now t.event.preventDefault.

So the concatenation is also doing more than simply running all the lines together. Of course this doesn’t make it highly secure or even very secure. But it does mean somebody has to go to a fair bit of trouble to get your code and make it work.

It minifies and renames variables. That option is available whether you publish or download a build. We recently added the option to also generate source maps so you can debug a minified build more easily.