2.1. Highest security and performance
Contents
2.1.1. What’s the most security pyarmor could do?
The following options could improve security
--enable-rft
almost doesn’t impact performance--enable-bcc
may be a little faster than a plain script, but it consumes more memory to load binary code--enable-jit
prevents static decompilation--enable-themida
prevents most of debuggers, only available in Windows, and reduces performance remarkably--mix-str
protects string constants in the scriptpyarmor cfg mix_argnames=1
may broken annotations--obf-code
2
could make it more difficult to reverse byte code
The following options hide module attributes
--restrict
also not allow plain script import obfuscated module
The following options prevent functions or modules from being replaced by hack code
2.1.2. What’s the best performance pyarmor could do?
Using default options and the following settings
pyarmor cfg restrict_module=0
With these options, the security is almost the same as .pyc
In order to improve security, and doesn’t reduce performance, also enable RFT mode
If there are sensitive strings, enable mix-str with filter
pyarmor cfg mix.str:includes "/regular expression/"
Without the filter, all of the string constants in the scripts are encrypted, which may reduce performance. Using filter only encrypt the sensitive string may balance security and performance.
2.1.3. Recommended options for different applications
For Django application or serving web request
For most applications and packages
If RFT mode and BCC mode are available
--mix-str
with filterIf RFT mode and BCC mode are not available
--mix-str
with filterIf care about monkey trick, also
--assert-call
with inline marker to make sure all the key functions are protectedIf it’s not performance sensitive, using
--enable-themida
prevent from debuggers
2.1.4. Reforming scripts to improve security
Move main script module level code to other module
Pyarmor will clear the module level code after the module is imported, the injected code could not get any module level code because it’s gone.
But the main script module level code is never cleared, so moving unnecessary code here to another module could improve security.