Executive Summary (TL;DR)
- JavaScript is the most popular scripting language due to its ease of use, large online support community, and use in most web browsers. Mobile app developers prefer it when using cross-platform app frameworks.
- The popularity of JavaScript makes it a target for malicious threat actors looking to exploit the language’s vulnerabilities to steal code and reverse engineer mobile apps.
- Adding multiple JavaScript obfuscation techniques such as name, control flow, and arithmetic into your mobile app’s SDLC can help protect against intellectual property theft, reputational damages, and loss of revenue.
As of 2022, Javascript is the most commonly used programming language among software developers. A Statista-published study revealed that a whopping 65% of respondents from around the world use JavaScript more than any other programming language. For developers, the advantages of using JavaScript are pretty clear: it’s easy to use, offers a large online support community, and is embedded in most web browsers.
JavaScript’s popularity also translates to mobile app development. As cross-platform app frameworks increase in popularity, developers worldwide favor products such as React Native and Cordova. These frameworks use JavaScript in conjunction with other markup languages to help developers keep their mobile app development costs low and quickly build an app that is accessible across a large number of devices.
More popularity, more problems
It’s important to consider, however, that JavaScript’s overall popularity in the app development space equals increased attention from malicious threat actors. The same aspects of JavaScript’s architecture that make it easy to use, like the wide availability of open-source libraries, also make it more vulnerable to attacks.
JavaScript’s vulnerabilities can lead to reverse engineering and other mobile app security threats as highlighted by AT&T. We also saw this with the Instagram clone app that was recently released (and subsequently pulled) from the App Store. The OG App’s developers reverse-engineered Instagram, which is written using the React Native framework, to allow their app’s users to access a stripped-down version of the original Instagram app. Both the OG App’s and AT&T-highlighted supply chain issues stemmed from attackers targeting and exploiting vulnerabilities in JS frameworks. These examples highlight the need for increased mobile app security.
Building better security into your mobile app
One of the best ways to add security to your mobile apps built with JavaScript is with obfuscation. JavaScript obfuscation transforms easy-to-read code into another form that is more complex and harder to understand and reverse engineer.
Techniques to obfuscate JavaScript are varied and it can be tough to know where to start. In this post, we’ll discuss what you stand to lose if you don’t protect your mobile app’s JavaScript code, the top obfuscation techniques, and how to integrate obfuscation into your software development lifecycle (SDLC).
The risks of unprotected JavaScript code
JavaScript obfuscation is key to adequately protecting your mobile application. Without it, you risk code theft, which happens when malicious actors are able to access your application’s underlying code. This can result in:
- Threat actors reusing code or your proprietary algorithms within their own apps.
- Modification of your app to bypass premium or paid feature checks.
- Distribution of clone apps on third-party app stores.
- Repacking of your app with malware or trojans.
You’ve spent considerable time developing your app. The protection that obfuscation offers can help you avoid intellectual property theft, reputational damages, and loss of revenue. Let’s look at some of the best obfuscation techniques for your mobile app.
Top JavaScript obfuscation techniques
1. Name obfuscation
This type of obfuscation, also referred to as renaming, replaces readable names in your code with alternatives that are difficult to decipher. In name obfuscation, meaningful terms like class, field, and method names are swapped with meaningless strings that don’t change the program’s logic.
It’s important to note that while name obfuscation is one of the most common obfuscation techniques, it isn’t particularly useful as a sole technique when pitted against decompilers. Some decompilers use pattern recognition and semantic analysis to guess possible identifier names or rename identifiers using standard names. Consequently, we suggest developers avoid using name obfuscation as their sole technique; instead, you should combine it with at least one additional obfuscation technique.
2. Control flow obfuscation
With control flow obfuscation, JavaScript code is made to look like spaghetti logic. In spaghetti logic, JavaScript code is transformed into code that lacks coherent structure. The program’s logic never appears to return to a base point, but simply moves from routine to routine. The strength of control flow obfuscation lies in its unpredictability; this makes the code difficult for both human eyes and decompilers to follow.
There are multiple ways to implement control flow obfuscation. Developers may choose a simpler version (inserting opaque predicates) or a more complex form (inserting linked jump instructions) depending on their app’s needs.
3. Arithmetic obfuscation
Arithmetic obfuscation converts your JavaScript code from simple arithmetic and logical expressions into more complex equivalents. There’s a particular form of arithmetic obfuscation considered especially effective against static and dynamic reverse engineering. The technique, Mixed Boolean-Arithmetic (MBA) obfuscation, combines arithmetic operations with Boolean operations (like “and,” “or,” and “not”), and adds them to your code’s logic.
These three techniques are just a few examples of obfuscation techniques you can use. Other examples include code virtualization; packing, which compresses the entire program to make the code unreadable; and dummy code insertion. Once you’ve decided which obfuscation methods to use in your JavaScript code, it’s important to consider how you’ll integrate your chosen obfuscation techniques into the software development lifecycle (SDLC).
How to incorporate JavaScript obfuscation into your SDLC
1. Opt for automated obfuscation over manual
While some developers choose to manually obfuscate their code, the task can be tedious and may slow down the development process, is error-prone and complex to maintain. Overall it can delay the release of an application. Instead, we recommend automating the obfuscation process by using a JavaScript obfuscator. The obfuscator that you choose should enable you to implement basic obfuscation techniques with little configuration needed while also allowing for more complex security later in the app’s SDLC.2. Ensure that the JavaScript obfuscator is compatible with your app’s source code
If you’re working with an incompatible obfuscator, it may fail to recognize the JavaScript libraries and frameworks that you’re using to build your app. Your team would either have to start from scratch with a new JavaScript obfuscator, or adapt your source code to work properly with the existing obfuscator — a process that can cause considerable delays in the development process.Researching your obfuscator ahead of time to ensure that it is compatible with your libraries and frameworks is a simple step that can save your development team time (and frustration) later on in the SDLC.
3. Construct a comprehensive source map
If you’re using an obfuscator, you’ll need to have a comprehensive source map. Source maps contain crucial information about your original files and allow you to return your code/files, if necessary, to an unbuilt state. After all, obfuscation is meant to make the code unreadable for threat actors, not you, the developer.Each of the items above can help you integrate JS obfuscation into your SDLC with minimal disruption. You’ll also want to ensure that your chosen obfuscation tools offer the support and security you need. For more help in choosing the right JavaScript obfuscator, check out our previous post, 5 Things to Look for in Android Obfuscation Tools.
Final thoughts on JavaScript obfuscation
As long as JavaScript retains its popularity and ease of use, it will continue to be a widely used mobile app programming language. With wide usage, there will always be malicious threat actors looking for vulnerabilities to access your mobile app’s underlying code. Implementing JavaScript obfuscation can help you adequately protect your app against code theft and reverse engineering. At Guardsquare, we always recommend a multi-layered approach to mobile app security, even with obfuscation. Carefully considering your app’s unique security needs can help you choose the best obfuscation techniques to protect your JavaScript code.