Protecting Your NativeScript Source Code with Jscrambler

Tested with NativeScript version 8.1.5.

NativeScript is an open-source framework for building truly native cross-platform mobile apps using JavaScript — which enables sharing and maintaining a single code base across Android and iOS deployments.

Jscrambler is officially recommended by Progress Telerik as the solution of choice to protect NativeScript applications.

In this article, we’ll look at how you can integrate Jscrambler into your NativeScript app development workflow. This will enable you to protect your JavaScript source code, through a combination of advanced obfuscation, code locks, anti-tampering, and anti-debugging.

Quoting the NativeScript team when looking at source code protected with Jscrambler:

Good luck figuring out what’s going on there. And even if you run this code through a beautifier or formatting tool, you’ll still have a heck of a time deciphering anything.

In order to properly integrate Jscrambler into your NativeScript build process, there are two things we need to do first: creating a NativeScript app and configuring Jscrambler. You must also make sure that you have properly set up your NativeScript environment.

If you are quite new to NativeScript, feel free to check our "Introduction to NativeScript" article before moving forward. Skipping right ahead, let's use the official "NativeScript Marketplace Demo" as an example:

git clone --depth 1 https://github.com/JscramblerBlog/nativescript-marketplace-demo.git

Now, let's install all app dependencies using npm:

cd nativescript-marketplace-demo

npm install

The (simplified) base project structure of our NativeScript application is as follows:

nativescript-marketplace-demo/

|-- firebase-database.json

|-- FIREBASE.ms

|-- firebase.nativescript.json

|-- package-lock.json

|-- package.json

|-- references.d.ts

|-- tsconfig.json

|-- tsconfig.tns.json

|-- webpack.config.js

|-- app/

|-- assets/

|-- hooks/

|-- node_modules/

|-- platforms/

| |-- android/

| | |-- app/

| | | |-- build/

• package.json contains all the configurations which are related to npm such as dependencies, version and scripts.

• The app directory features all the source code of the application. The sources are then built and packed into the platforms directory. This is where our protected HTML and JavaScript files will be placed after the build.
  
  

And this is pretty much it in terms of our NativeScript app. Let's move forward to protecting it with Jscrambler.

If you haven't created a Jscrambler account yet, be sure to do so before moving forward.

Next, install the Jscrambler webpack plugin.

npm i --save-dev jscrambler-webpack-plugin

After that, we need to set Jscrambler’s configuration. The quickest way to get a ready-to-use config file is via the Jscrambler Web App. After creating your account and finishing the Jscrambler demo, create a new app. Now, you can select a template in the Templates tab and/or pick individual transformations in the Fine-Tuning tab. In this tutorial, we'll be using the Obfuscation template. Now, we simply download the jscrambler.json file with this configuration (as shown below) and place it in our app’s root folder.

Your final jscrambler.json file should look like this:

{

  "keys": {

    "accessKey": “<YOUR ACCESS KEY HERE>",

    "secretKey": "<YOUR SECRET KEY HERE>"

  },

  "applicationId": "<YOUR APPLICATION ID HERE>",

  "params": [

    {

      "name": "objectPropertiesSparsing"

    },

    {

      "name": "variableMasking"

    },

    {

      "name": "whitespaceRemoval"

    },

    {

      "name": "identifiersRenaming",

      "options": {

        "mode": "SAFEST"

      }

    },

    {

      "name": "globalVariableIndirection"

    },

    {

      "name": "dotToBracketNotation"

    },

    {

      "name": "stringConcealing"

    },

    {

      "name": "functionReordering"

    },

    {

      "options": {

        "freq": 1,

        "features": [

          "opaqueFunctions"

        ]

      },

      "name": "functionOutlining"

    },

    {

      "name": "propertyKeysObfuscation",

      "options": {

        "encoding": [

          "hexadecimal"

        ]

      }

    },

    {

      "name": "regexObfuscation"

    },

    {

      "name": "booleanToAnything"

    }

  ],

  "areSubscribersOrdered": false,

  "useRecommendedOrder": true,

  "jscramblerVersion": "<7.x>",

  "tolerateMinification": true,

  "profilingDataMode": "off",

  "useAppClassification": true,

  "browsers": {}

}

NOTE: You may wish to use different transformations based on your use case. Feel free to check out our docs for more details on what each of these settings do.

With your configuration in place, your last step is to add Jscrambler’s webpack plugin in your webpack configuration. To do that, open the webpack.config.js file in the root of your app.

In this file, as recommended by NativeScript, start by adding webpack-chain so that you can change the configuration:

const webpack = require("@nativescript/webpack");



module.exports = (env) => {

    webpack.init(env);



    webpack.chainWebpack(config => {});



    return webpack.resolveConfig();

};

Then, import Jscrambler at the top of the config file:

const JscramblerWebpack = require("jscrambler-webpack-plugin");

const jscramblerConfig = require("./jscrambler.json");

Next, add the Jscrambler plugin configuration inside the chainWebpack arrow function:

// jscrambler plugin

config.plugin('JscramblerWebpack').use(JscramblerWebpack, [{

      ...jscramblerConfig,

      chunks: ['bundle'],

    }])

Finally, add some additional instructions inside chainWebpack so that Jscrambler only protects the webpack bundle that actually contains the app’s source code.

const originalSplitChunks = config.optimization.get('splitChunks');



// jscrambler plugin



config.optimization.splitChunks({

      ...originalSplitChunks,

      cacheGroups: {

        ...originalSplitChunks.cacheGroups,

        loader: {

          test: /[\\/]loader/,

          minSize: 1,

          priority: 10,

          chunks: 'initial',

          name: 'loader',

          reuseExistingChunk: false

        }

      }

})

Your final webpack.config.js file should look like this.

const webpack = require("@nativescript/webpack");

const JscramblerWebpack = require("jscrambler-webpack-plugin");

const jscramblerConfig = require("./jscrambler.json");



module.exports = (env) => {

	webpack.init(env);



	webpack.chainWebpack(config => {

        // jscrambler plugin

        config.plugin('JscramblerWebpack').use(JscramblerWebpack, [{

            ...jscramblerConfig,

            chunks: ['bundle'],

        }]);



        const originalSplitChunks = config.optimization.get('splitChunks');

        config.optimization.splitChunks({

            ...originalSplitChunks,

            cacheGroups: {

              ...originalSplitChunks.cacheGroups,

              loader: {

                test: /[\\/]loader/,

                minSize: 1,

                priority: 10,

                chunks: 'initial',

                name: 'loader',

                reuseExistingChunk: false

              }

            }

        })



   	 });



	return webpack.resolveConfig();

};

And with that, you are ready to protect your NativeScript app with Jscrambler.

To protect your app build using Jscrambler, all you have to do is run one of the npm scripts that build NativeScript apps with webpack enabled:

ns build ios 

or

ns build android 

After the build process completes, you’ll find the build APK file inside the platforms folder, specifically on platforms/<android|ios>/app/build/outputs/apk/debug. You can check the resulting code by extracting this APK file and navigating to assets/app, where you'll find the bundle.js file that was bundled through webpack and then protected by Jscrambler. This file should look like this:

As you saw, integrating Jscrambler with NativeScript is fairly simple thanks to the Jscrambler webpack plugin.

With the set of transformations we selected, we've successfully concealed the source code of our app with the most advanced obfuscation techniques available today. This will make it extremely hard for anyone to reverse engineer this code and, thanks to Jscrambler's Code Hardening feature, this protection is completely up-to-date and resilient against reverse engineering tools and techniques.

If you wish to increase the potency and resilience of your protected code further, you can use additional security layers such as Code Locks and Self-Defending. These will ensure that your code has anti-debugging and anti-tampering features.

As you know, Jscrambler comes with premium support, so be sure to contact us if you have any questions!