Jscrambler

5 Steps to Fine-tune your Jscrambler Application

June 21st, 2017 | By Carlos Matias | 5 min read

Last updated on February 16th, 2021

Do you know how to fine-tune your Jscrambler application?

At Jscrambler, we go the extra mile to make sure our product is easy and intuitive to use. But when you’re developing software that is required to be highly performant, there might be a need for additional configuration.

In this article, we will go in-depth into some features and strategies you can use to make your application as protected as possible while maintaining a high degree of your application’s original performance.

Be aware of the transformation’s potency and resilience!

Jscrambler offers a different number of transformations with distinct levels of potency and resilience which are two metrics associated with obfuscation.

Potency translates how hard it is for a human to understand the code; resilience translates how difficult it is for a machine to defeat the protection applied.

Our documentation provides an estimate of the potency, resilience, and cost of each transformation.

jscrambler-potency-resilience-and-cost-valuesIf you want to protect strings in your code, Jscrambler offers four distinct transformations, String Splitting, String Encoding, String Concealing, and Char To Ternary Operator.

These transformations have distinct levels of potency, resilience, and cost, which means that, if you want to protect strings, choosing the most powerful one (String Concealing) should be enough to provide a high degree of protection and not impact the cost too much, whereas selecting all possible transformations could bloat the code, impacting performance.

If protecting strings is not one of the main concerns, then opt for a less powerful transformation as it will provide a lesser degree of protection but will keep your code performant.

Step into Advanced Mode

Jscrambler offers two distinct ways of selecting the transformations that will be applied to the code: Targets and Advanced.

Whenever selecting a target in the "Targets" mode, Jscrambler will select all the transformations available for that target (you can step into the Advanced mode and check the mapping) and apply the default parameterization of the transformation.

The "Targets" mode allows you to select which targets of your application you want to protect. By targets, we mean any of JavaScript's building blocks (e.g., predicates, statements, booleans, and numbers).

By going into the "Advanced" mode, you can select each individual transformation and its parameterization. You should mix and match transformations and arrive at a degree of protection you deem fit.

If you have any questions regarding the transformation’s parameterization, then hover over it. You’ll find a description of the transformation’s parameters and a link to our documentation.

Jscrambler Transformation Information

Select a Specific Order of Transformations

Jscrambler’s protections are polymorphic. This means that no protection is exactly the same as in previous transformations. This is guaranteed not only by randomizing the order by which transformations are applied but also by having random behaviors inside each transformation.

Selecting a specific order of transformations might be useful since some of Jscrambler’s transformations generate targets that will be used by other transformations. For example, the Number To String transformation will convert numbers to strings. These newly created strings will be protected by following transformations that are applied to strings. This is intended as it will increase the degree of protection.

This polymorphic behavior can, however, have a significant impact on the code's performance in cases where too many targets were created. For example, if all of the transformations that generate strings are applied before String Encoding, the resulting code's size will be much greater than normal.

To address this, you can either enable Jscrambler’s Recommended Order (a specially crafted order that keeps the code performant but also ensures a high degree of protection) or craft your own specific order.

The Recommended Order can be enabled in Jscrambler's Web Application by clicking on the lower cogwheel on the top right corner of your app and checking the box.

The Recommended Order can also be activated through the API by adding the following parameter:

"useRecommendedOrder": true


If you want to use a custom order, you can specify the areSubscribersOrdered option which will make the transformations selected to be applied in the order they appear.

// the dotToBracketNotation transformation
// will be applied after identifiersRenaming
"params": [
  {
    "name": "identifiersRenaming"
  },
  {
    "name": "dotToBracketNotation"
  }
],
"areSubscribersOrdered": true


Use Code Annotations

Jscrambler’s Code Annotations allow you to strategically place annotations in parts of your code that need to be better protected.

As an example, Jscrambler's Control Flow Flattening transformation is really powerful but its potency comes with a cost.

If you want to apply the transformation but only need it on a specific part of your code, you can remove it from your configuration (or selected parameters) and use it via code annotations. This way, the transformation will only be applied to that specific block.

function iDontNeedThisProtected (a) {
  return a + 1;
}
 
function iDontNeedThisEither (b) {
  return b + 2;
}
 
 
// @jscrambler enable controlFlowFlattening
function thisWillBeProtected (c) {
  if (c > 0) {
    return c + 1;
  } else {
    return c + 2;
  }
}


Alternatively, you can use Code Annotations to disable globally applied transformations in specific parts of the code.

Sidenote: If performance is a critical aspect of your app, you may also want to check our Profiling feature, which helps effortlessly optimize performance.

Reuse a Randomization Seed

One of Jscrambler's advanced features is the Randomization Seed. This is a specific string that you can supply to the protection process which will allow you to deterministically reproduce all of Jscrambler’s polymorphic behavior.

This feature is useful in cases where you want to reproduce a previous protection that might have better performance and benchmark it against the current version of your protected code.

This feature should not be used as a replacement for selecting a custom/recommended order of transformations and tuning the transformation’s parameterization.

Keep in mind that the output of protection will only be the exact same if you provide the same input and seed. If you perform changes on some files in your application and protect them, these files will be completely different. Only the ones that were unchanged will remain the same. This should be used for benchmarking/debugging, and not in production.

Conclusion

Fine-tuning your application’s protection can take its time.

However, with the combination of several of the features discussed in this article, we can achieve a balance between keeping the integrity and performance of your application while also presenting a very high degree of protection.

In case you'd like some personalized recommendations to address eventual performance issues, get in with our client-side protection experts.

Jscrambler

The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.

View All Articles

Must read next

Cybersecurity

Can ChatGPT reverse engineer Jscrambler obfuscation?

As the potential of ChatGPT (and of Generative AI in general) is unveiled, experts and developers keep asking questions and experimenting with the tool. Can it crack even the strongest protections...

June 13, 2023 | By Jscrambler | 6 min read

Jscrambler

Celebrating 500K App Builds Protected with Jscrambler: Lessons Learned

This week marks 500,000 app builds protected with Jscrambler. So, we take the chance to share the lessons we learned about app security along the way.

May 5, 2020 | By Jscrambler | 5 min read

Section Divider