The Importance Of Protecting Your App’s Source Code

Why should you protect your app's source code?

If your business operations involve any type of web or mobile app, the source code of these apps likely represents an important part of your company’s intellectual property.

These apps are key pieces of a company’s competitive advantage and strategic business assets. Unwarranted access to this source code could put this competitive advantage at risk. However, this is only the tip of the iceberg.

Unprotected source code can lead to critical security issues such as automated abuse, piracy, and data exfiltration.

Every Fortune 500 company relies on JavaScript, a thriving open-source ecosystem with thousands of frameworks available that speed up the development process.

Despite the many benefits and business value associated with JavaScript, organizations need to consider the changes to their threat model when using JavaScript-based web and mobile applications. Especially regarding applications in sectors such as banking, healthcare, broadcasting, and e-commerce.

A browser must interpret JavaScript for it to work. Therefore, it becomes exposed in a way that anyone can access, read, and change.

Although the recommendation is to keep sensitive code on trusted environments such as the backend, this is often infeasible due to inherent performance issues. Companies end up running proprietary algorithms and important business logic on the exposed client-side.

Regulations and standards such as NIST and ISO 27001 mention the risks of unprotected source code, recommending that organizations put in place strict control procedures to keep them from experiencing the consequences of attacks on the source code.

Security Risks: Automated Abuse, Piracy, and Data Exfiltration

As OWASP mentions, potential attackers can take advantage of the exposed code to modify the application’s data and resources, change the system APIs, or change the contents of memory dynamically. This way, they can hijack the intended use of the code for personal or monetary gain.

One of the hijacking routes attackers can take is relying on automated abuse attacks by exploiting the web application’s functionalities to gain access or privileges through the use of bots.

These types of attacks need some source code manipulation, which is possible when JavaScript is unprotected.

The target for this type of attack is often cloud providers that offer free benefits with new accounts. Attackers will abuse the system to automate the creation of new trial accounts and use the benefits without ever having to pay for the services.

Automated attacks are troublesome because they can target new versions of the code with minimal cost, which means that they can scale up and target more and more systems.

Piracy and the OTT Industry

When it comes to piracy, attackers typically target the growing OTT industry, leaking premium content that naturally ends up causing a loss of revenue for legitimate businesses.

Aware of the problem, providers are using multiple techniques to fight pirates and trace the leaked content, but they must ensure that attackers can’t easily bypass these techniques, namely by protecting their source code.

Other examples of piracy are also commonly seen in the gaming and gambling industries, where counterfeit apps pose a threat to business integrity.

Data Exfiltration

One of the risks is data exfiltration, which probably resonates with everyone who has had to submit data such as email, name, address, credit card number, or even medical information on a website using a form.

JavaScript is the logic behind these forms. Thus, all the sensitive data passes through the client side. So the safety of the data is potentially at risk.

By leaving their JavaScript exposed, organizations make it easier for attackers to understand how their web applications work and facilitate the planning and automation of data exfiltration or scraping attacks.

This class of attacks is known for generating severe losses from a business standpoint and for breaching compliance with data privacy regulations.

When the source code is exposed, organizations make it easier for attackers to understand how their web applications work and increase their attack surface.

Secure your web and mobile applications

Secure your web and mobile applications. Start securing them during the development stage.

This includes protecting the application’s source code with multiple layers to ensure any code sent to production can prevent tampering and reverse-engineering attempts.

Plus, with the ongoing digital transformation showing no signs of slowing down, this approach can be crucial to ensuring that companies’ intellectual property and user data are protected.

Originally published in Cyber Defense Magazine.