Performance Considerations

Code obfuscation with ByteHide Shield improves security but can impact your application's performance. This guide helps you understand the performance implications of different obfuscation options and how to strike the right balance between security and speed.

Performance Impact Overview

Different protection features have varying levels of performance impact:

High-Impact Features

Control Flow Flattening

This transformation significantly alters the flow of your code, resulting in the largest performance hit. The impact depends on the controlFlowFlatteningThreshold setting:

{
  "controlFlowFlattening": true,
  "controlFlowFlatteningThreshold": 0.7 // Recommended for balanced approach
}

Recommendations:

• For performance-critical code, use a low threshold (0.1-0.3)
• For security-critical sections that aren't called frequently, use higher thresholds (0.7-1)
• Apply selectively using exclusions for performance-critical paths

Dead Code Injection

This adds random blocks of code that will never execute but makes analysis harder. The performance impact is mostly in load time and memory usage rather than runtime:

{
  "deadCodeInjection": true,
  "deadCodeInjectionThreshold": 0.4 // Balanced approach
}

Recommendations:

• Use lower thresholds (0.1-0.3) for mobile applications
• Consider disabling this feature for low-end devices

String Array and Transformations

The String Array feature moves string literals to a separate array and replaces them with array lookups:

{
  "stringArray": true,
  "stringArrayThreshold": 0.75,
  "stringArrayEncoding": ["base64"], // Encoding adds extra runtime overhead
  "stringArrayCallsTransform": true  // Adds additional protection but impacts performance
}

Recommendations:

• Reduce stringArrayThreshold to protect only critical strings
• Limit encoding to important strings with stringArrayEncoding
• For better performance, avoid rc4 encoding in favor of base64 or no encoding

Medium-Impact Features

Self-Defending

This feature adds protection against code modifications and tampering:

{
  "selfDefending": true
}

Recommendations:

• Use in production environments where code isn't expected to change
• Consider disabling for development to improve build times

Debug Protection

Adds mechanisms to prevent debugging tools from working properly:

{
  "debugProtection": true,
  "debugProtectionInterval": 2000 // Lower values have less impact
}

Recommendations:

• Be cautious with debugProtectionInterval as high values can affect UI responsiveness
• Use smaller intervals (1000-2000ms) for better performance

Low-Impact Features

These features have minimal performance impact and can be safely enabled in most cases:

{
  "identifierNamesGenerator": "hexadecimal",
  "renameGlobals": false,
  "splitStrings": true,
  "splitStringsChunkLength": 10,
  "transformObjectKeys": false,
  "unicodeEscapeSequence": false
}

Optimizing Application Size

Code obfuscation typically increases your JavaScript bundle size:

Recommendations for size optimization:

1. Use code splitting to obfuscate only necessary chunks
2. Apply more aggressive obfuscation only to critical code paths
3. Use exclusions for large third-party libraries
4. Enable compact: true to minimize whitespace

Environment-Based Configurations

Different environments often require different approaches to obfuscation:

Development

{
  "compact": true,
  "controlFlowFlattening": false,
  "deadCodeInjection": false,
  "debugProtection": false,
  "disableConsoleOutput": false,
  "stringArray": true,
  "stringArrayThreshold": 0.25,
  "sourceMap": true
}

Production

{
  "compact": true,
  "controlFlowFlattening": true,
  "controlFlowFlatteningThreshold": 0.5,
  "deadCodeInjection": true,
  "deadCodeInjectionThreshold": 0.4,
  "debugProtection": true,
  "disableConsoleOutput": true,
  "selfDefending": true,
  "stringArray": true,
  "stringArrayThreshold": 0.75,
  "sourceMap": false
}

Mobile Web

{
  "compact": true,
  "controlFlowFlattening": true,
  "controlFlowFlatteningThreshold": 0.3,
  "deadCodeInjection": false,
  "stringArray": true,
  "stringArrayThreshold": 0.5,
  "stringArrayEncoding": [],  // No encoding for better performance
  "selfDefending": true
}

Measuring Performance Impact

To assess the performance impact of your obfuscation settings:

1. Create performance benchmarks before applying obfuscation
2. Test with different configurations to find the right balance
3. Profile load time and runtime performance separately
4. Monitor real-world metrics like First Contentful Paint and Time to Interactive

Tools that can help measure performance impact:

• Chrome DevTools Performance panel
• Lighthouse
• WebPageTest
• Browser performance APIs

Best Practices for Performance

1. Start with minimal obfuscation and gradually increase as needed
2. Test on target devices, especially for mobile applications
3. Apply stronger obfuscation only to security-critical components
4. Use code splitting to obfuscate only what needs protection
5. Create separate bundles with different obfuscation levels
6. Keep track of bundle size and loading performance metrics
7. Consider fallback options for low-end devices
8. Exclude performance-critical sections from heavy obfuscation
9. Test the UX impact of protection measures, especially debug protection
10. Monitor performance in production to detect any issues

By carefully balancing security needs with performance considerations, you can achieve strong code protection while maintaining good application performance and user experience.