Chrome extension - encrypting data to be stored in chrome storage

孤独总比滥情好 2021-02-03 12:35

I have a chrome extension which stores some user data locally using the chrome.storage API.

So, quoting from the documentation:

Confidential user

1 answer
  • 2021-02-03 13:30

    DISCLAIMER

    No effort whatsoever in obfuscating client-side JavaScript will make it secure enough. Solutions like WebAssembly provide better performance and make the code more complex to reverse-engineer, but obviously total security is never going to be available client-side, so the only good and reliable option is to build a secure server-side.

    This is really only useful if you want to have fun and experiment with code obfuscation, never rely on obfuscation if you want to secure sensitive data.

    Furthermore, depending on the platform you are working on, publishing obfuscated code could very well be against the terms of service, so be sure to check those first.


    To encrypt your data there's a useful tool called CryptoJS, which is a library for encryption/decryption algorithms. Let's say you want to encrypt some data so it can only be accessible with a certain passphrase, then you'll do something like this:

    var encrypted = CryptoJS.AES.encrypt("Message", "Secret Passphrase");
    var decrypted = CryptoJS.AES.decrypt(encrypted, "Secret Passphrase");
    

    Encoding your data will not make attackers unable to decode it if you use common algorithms and plain text JavaScript. If you want to go a little bit further, you can scramble or obfuscate your JS functions using some tools like:

    • JavascriptObfuscator
    • JSObfuscate
    • JScrambler (not free)
    • Jasob (not free)
    • etc. (just search on Google)...

    Here is an example of the above snippet obfuscated using the tools I linked above (1 time jsobfuscate and 1 time javascriptobfuscator):

    var _0x7390=["\x31\x20\x35\x3D\x30\x2E\x33\x2E\x37\x28\x22\x36\x22\x2C\x22\x34\x20\x32\x22\x29\x3B\x31\x20\x38\x3D\x30\x2E\x33\x2E\x39\x28\x35\x2C\x22\x34\x20\x32\x22\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x43\x72\x79\x70\x74\x6F\x4A\x53\x7C\x76\x61\x72\x7C\x50\x61\x73\x73\x70\x68\x72\x61\x73\x65\x7C\x41\x45\x53\x7C\x53\x65\x63\x72\x65\x74\x7C\x65\x6E\x63\x72\x79\x70\x74\x65\x64\x7C\x4D\x65\x73\x73\x61\x67\x65\x7C\x65\x6E\x63\x72\x79\x70\x74\x7C\x64\x65\x63\x72\x79\x70\x74\x65\x64\x7C\x64\x65\x63\x72\x79\x70\x74","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xf4e9x1,_0xf4e9x2,_0xf4e9x3,_0xf4e9x4,_0xf4e9x5,_0xf4e9x6){_0xf4e9x5=function (_0xf4e9x3){return _0xf4e9x3;} ;if(!_0x7390[5][_0x7390[4]](/^/,String)){while(_0xf4e9x3--){_0xf4e9x6[_0xf4e9x3]=_0xf4e9x4[_0xf4e9x3]||_0xf4e9x3;} ;_0xf4e9x4=[function (_0xf4e9x5){return _0xf4e9x6[_0xf4e9x5];} ];_0xf4e9x5=function (){return _0x7390[6];} ;_0xf4e9x3=1;} ;while(_0xf4e9x3--){if(_0xf4e9x4[_0xf4e9x3]){_0xf4e9x1=_0xf4e9x1[_0x7390[4]]( new RegExp(_0x7390[7]+_0xf4e9x5(_0xf4e9x3)+_0x7390[7],_0x7390[8]),_0xf4e9x4[_0xf4e9x3]);} ;} ;return _0xf4e9x1;} (_0x7390[0],10,10,_0x7390[3][_0x7390[2]](_0x7390[1]),0,{}));
    

    It looks clear that this code is impossible to read. If you repeat the obfuscation algorithm several times with different tools then you'll decrease the chance of anyone being able to understand it at first sight, even though that data stored on the client side of a Chrome Extension like this is never safe from somebody who has full access to the machine where it is stored. Anyone using a deobfuscator could be able to reverse engineer your code and understand it.

    0 Discussion (0)
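
The answer above encrypts data under a passphrase with CryptoJS. As an added example (not part of the original answer), here is the same idea using the browser's built-in Web Crypto API instead, assuming the user types the passphrase at unlock time so that no key ships in the extension's source. The function names, record layout and iteration count are assumptions.

```javascript
// Added example; function names, record layout and iteration count are assumptions.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const PBKDF2_ITERATIONS = 600000; // assumed work factor, not a value from the page
const toB64 = (buf) => btoa(Array.from(new Uint8Array(buf), (b) => String.fromCharCode(b)).join(""));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive an AES-256-GCM key from the passphrase; the key itself is never stored.
async function deriveKey(passphrase, salt) {
  const material = await webcrypto.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return webcrypto.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns a JSON-safe record: fresh random salt and IV per call, plus ciphertext.
async function encryptForStorage(plaintext, passphrase) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(passphrase, salt);
  const ct = await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext));
  return { v: 1, salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) };
}

// Returns the plaintext, or null if the passphrase is wrong or the record was altered.
async function decryptFromStorage(record, passphrase) {
  try {
    const key = await deriveKey(passphrase, fromB64(record.salt));
    const pt = await webcrypto.subtle.decrypt(
      { name: "AES-GCM", iv: fromB64(record.iv) }, key, fromB64(record.ct));
    return new TextDecoder().decode(pt);
  } catch {
    return null; // GCM authentication failed or the record is malformed
  }
}

// Constructed sample run: round trip, wrong passphrase, and a tampered record.
async function demo() {
  const rec = await encryptForStorage("constructed sample token", "correct horse");
  const flipped = fromB64(rec.ct);
  flipped[0] ^= 1; // flip one ciphertext bit
  return {
    ok: await decryptFromStorage(rec, "correct horse"),
    wrong: await decryptFromStorage(rec, "wrong passphrase"),
    tampered: await decryptFromStorage({ ...rec, ct: toB64(flipped) }, "correct horse"),
  };
}
```

In an extension, the returned record would be passed to `chrome.storage.local.set()`, so only the salt, IV and ciphertext are written to disk.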