How Secure is PHP Bytecode Obfuscation?

PHP is one of the more popular web development languages out there. Thousands of programmers and web developers make it their coding language of choice because of its simple syntax, its ease of integration with other languages and platforms, and its light yet robust features, which can be put to use in complex sites without being much of a drain on system resources.

But it is these simple, easy-to-use features that make the same programmers and developers lose sleep at night. With a little tech know-how, anyone can take a peek at the source code of almost any PHP website and figure out not only how the website works, but even access some personal information like email addresses, usernames and passwords.

After one too many nights lying awake, some tech guy came up with the idea of encoding source code written in PHP and dubbed it “PHP bytecode obfuscation” – yes, we’re still slowly shaking our heads too.

Obfuscation, in software development, is the trick of transforming regular programming code into complicated text that cannot be easily deciphered or comprehended by anyone taking a look at it. Some obfuscation software simply replaces certain letters with other ones, while other, more complicated tools take entire program statements and make them do roundabout and absolutely useless functions to confuse readers.

The main reasons programmers and developers choose to obfuscate their code are, apart from confusing prying eyes, to hide logical calculations, to stop other programmers from meddling with the source code and to prevent competitors from taking and reverse engineering copyrighted or patented software.

And then there are those coders and developers who are so crazy in love with their jobs (writing code all day) that they decided to create a way to entertain themselves by, you guessed it, writing and deciphering even more code for the rest of the day. Believe it or not, coders actually obfuscate their code and use it as a brain teaser among themselves – even more amazing, the activity has become so popular there are actual worldwide contests held to see whose code is either the most unreadable or has been rendered into the most artistic of images. Don’t believe it? Google is your friend.

But in all seriousness, how effective is all this obfuscation? Is it really so secure that there is no way it can be reversed?

Well, the most common argument used to answer these questions is: if a layperson – who couldn’t make head or tail of un-obfuscated code if their life depended on it – were involved, it would be an absolute waste to do it. But if an expert coder were to access the obfuscated code they would, sooner or later, be able to decode it – it would be fun for them. Hence, why even bother?

So, in short, they say obfuscation really doesn’t serve any purpose. They also argue that for every obfuscation application released on the market, there is an antidote (de-obfuscator) that is created and released a couple of weeks after it.
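To illustrate the critics' point, here is an added example (not from the original article or from any obfuscation product): a Python sketch that statically peels a constructed `eval(gzinflate(base64_decode(str_rot13('...'))))` wrapper without running any PHP, which works because the wrapper has to name its own decoders in order to execute. The `wrap` helper and the sample code are constructed for illustration, and the sketch covers only source-level encoding wrappers, not bytecode encoders.

```python
import base64
import codecs
import re
import zlib

# PHP decoding function -> Python equivalent (bytes in, bytes out).
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no header
    "str_rot13": lambda b: codecs.decode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}

# Matches eval(f1(f2(...('payload')))); and captures the call chain and payload.
WRAPPER = re.compile(r"eval\(\s*((?:\w+\(\s*)+)(['\"])([^'\"]*)\2\s*\)+\s*;")


def wrap(code):
    """Constructed stand-in for an encoding-style obfuscator (not a real product)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(code.encode()) + comp.flush()
    payload = codecs.encode(base64.b64encode(raw).decode(), "rot_13")
    return "eval(gzinflate(base64_decode(str_rot13('%s'))));" % payload


def unwrap(php_source, max_layers=20):
    """Peel nested wrappers statically; returns (recovered_source, layers_removed)."""
    layers = 0
    while layers < max_layers:
        match = WRAPPER.search(php_source)
        if not match:
            break
        names = re.findall(r"\w+", match.group(1))  # outermost call first
        if any(name not in DECODERS for name in names):
            break  # unknown transform: stop rather than guess
        data = match.group(3).encode("latin-1")
        for name in reversed(names):  # apply the innermost decoder first
            data = DECODERS[name](data)
        php_source = data.decode("utf-8", errors="replace")
        layers += 1
    return php_source, layers


if __name__ == "__main__":
    original = 'echo "licence check passed";'  # constructed sample code
    obfuscated = wrap(wrap(original))          # two nested layers
    print(obfuscated)
    print(unwrap(obfuscated))
```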

Apart from that, critics of the method list a number of additional reasons to avoid doing it at all. Here are a few of them:

  1. Obfuscators, in an attempt to do a good job of hiding code, have become more and more complicated. Anyone but the most experienced of users implementing them on their code could cause problems ranging from their programs not working as well as they are supposed to – if at all – to even causing the site to crash completely.
  2. When crashes are caused by obfuscators, debuggers are totally useless as they cannot find the code that is causing all the problems – it’s been encoded, remember?
  3. Innocently written code behind a website, which works perfectly and is absolutely harmless, can be perceived by some antivirus applications as a dangerous host with malicious code running in the background, simply because they won’t take any chances with code they can’t decipher. If your site is flagged by any of the major antivirus software, your domain name could end up being blacklisted.
  4. Source code that has been obfuscated requires more resources to run because it needs to be “translated” back to its original form before it can be put to use. The longer your code is and the more obfuscated it is, the longer the processing time involved.
  5. Similar to the above, any code that has been obfuscated will contain many more lines of code to be read and executed. Apart from longer execution times, files will be much larger.
  6. At the moment there are any number of obfuscation applications on the market, with prices ranging from $0 to over $1,000. The problem is there is almost no way of telling if the most expensive one of them is any more effective than the free one.

Therefore, in conclusion, the general argument is that the hassle of going through obfuscation of PHP bytecode really isn’t worth the money, time and effort. Besides, the year is 2015 – any application you use to write your code should have the necessary security features embedded in it, thus requiring no additional measures to be taken.
