2.1. Highest security and performance¶
The following options could improve security
--enable-rftalmost doesn’t impact performance
--enable-bcceven a little faster than plain script, but consume more memory to load binary code
--enable-jitprevents from static decompilation
--enable-themidaprevents from most of debuggers, only available in Windows, and reduce performance remarkable
--mix-strprotects string constant in the script
pyarmor cfg mix_argnames=1may broken annotations
2could make more difficult to reverse byte code
The following options hide module attributes
The following options prevent functions or modules from replaced by hack code
Using default options and the following settings
By these options, the security is almost same as .pyc
In order to improve security, and doesn’t reduce performance, also enable RFT mode
If there are sensitive string, enable mix-str with filter
pyarmor cfg mix.str:includes "/regular expression/"
Without filter, all of string constants in the scripts are encrypted, it may reduce performance. Using filter only encrypt the sensitive string may balance security and performance.
For Django application or serving web request
For most of applications and packages
If RFT mode and BCC mode are available
If RFT mode and BCC mode are not available
--privatefor scripts, or
If care about monkey trick, also
--assert-callwith inline marker to make sure all the key functions are protected
If it’s not performance sensitive, using
--enable-themidaprevent from debuggers
Move main script module level code to other module
Pyarmor will clear the module level code after the module is imported, the injected code could not get any module level code because it’s gone.
But the main script module level code is never cleared, so moving un-necessary code here to other module could improve security.