Application Security

Source Code Protection in Hybrid Mobile Apps

December 14th, 2020 | By Pedro Fortuna and Neal Michie | 2 min read

Hybrid mobile apps have become business assets. Perhaps you’ve heard the phrase “every company is an app company” before.

Mobile apps have effectively transformed whole industries like transportation, media, retail, and accommodation, making it extremely easy for consumers to engage with service providers and deliver a uniform experience wherever they are located.

This year alone, mobile banking app usage has doubled in the US, and we see a similar pattern worldwide. However, the strength of mobile can quickly become a weakness if companies don’t pay enough attention to their security risks.

Hybrid Mobile Apps, Security, and Trust

Trust is an essential component of any business. And while trust and security are often confused, they are interlinked; if security is compromised, it can quickly break down years of hard-earned trust.

Mobile apps face a tough scenario when it comes to security.

When companies release their apps unprotected into the wild, they are putting them at risk of attacks.

Through reverse engineering, attackers can analyze the whole app and find assets such as proprietary code or how personal data is stored.

Technical risk quickly becomes a business liability. For instance, the lack of compliance with data protection regulations such as GDPR and CCPA might create headaches for business owners.

Mobile security for mobile banking apps

Research by Verimatrix regarding the state of mobile security for mobile banking apps shows that 95% of banking apps aren’t taking the appropriate security steps.

This tendency spans different industries, such as video streaming and OTT. Mostly, the reason behind this is a lack of client-side security.

When we consider hybrid mobile apps, a growing type of app that is built mostly with JavaScript and frameworks like React Native, we must address the security concerns posed by unprotected source code, both JavaScript and native.

The Client-Side Security of Hybrid Mobile Applications

Attackers can attack every piece of client-side JavaScript.

Application packages for hybrid apps typically contain JavaScript files with the logic of the application in plain sight. And this logic often includes proprietary algorithms and allows attackers to plan and automate attacks like data exfiltration.

This liability has been explored in some of the most common security standards and frameworks.

The ISO 27001 standard, for instance, states that “program source code can be vulnerable to attack if not adequately protected and can provide an attacker with a good means to compromise systems in an often covert manner.”.

And OWASP advises that “the mobile app must be able to detect at runtime that code has been added or changed (…) The app must be able to react appropriately at runtime to a code integrity violation.”.

How can development teams ensure that their source code is protected?

The answer lies in source code protection, both JavaScript and native code, with a combination of obfuscation, environmental checks, and runtime defenses.

For more details on this, watch our webinar, where these protections are explored and demonstrated by Pedro Fortuna, CTO of Jscrambler, and Neal Michie, Director of Product Management at Verimatrix.


The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.

View All Articles

Must read next

Web Security

Full-stack JavaScript Source Code Protection

With Node.js you can do Full-stack JavaScript Web Apps. JScrambler 3.6 introduces Node.js support and is now the first Full-stack JS Protection solution.

September 8, 2014 | By Pedro Fortuna | 4 min read

Web Security

Application Security in Banking

In this blog post, we are going to dive deeper into the security concerns associated with the use of JavaScript in banking applications.

May 10, 2022 | By Jscrambler | 3 min read

Section Divider

Subscribe to Our Newsletter