The Integrity of your JavaScript Applications Is Being Compromised And You (Don’t) Know It
June 7th, 2016 | By Jscrambler | 4 min read
Many companies are unaware that their JavaScript applications don’t run as desired. Why is this happening?
The release of Jscrambler 4.0 last week was a success! Our new interface and features are up and running and available for anyone to try on their JavaScript applications.
The release was also featured in the Huffington Post. We’re sharing the piece with you on our blog in case you’ve missed it.
JavaScript Application Integrity
“All sorts of companies are using JavaScript nowadays to build applications and websites. Most of them are unaware that at the same time, their applications don’t exactly run as designed, and are subject to tampering, hacking, or crippling. This interference is most of the time intentional but can sometimes be accidental.
The security of JavaScript applications is a well-founded concern. In the last few years, there have been several cases of websites distributing pirated apps being shut down. Pirates attempt to reverse-engineer the apps and create clones. App stores often have screening lapses, and modified copycats end up on app stores, competing with the legitimate versions. This reportedly happens on Apple’s App Store, Google Play, Windows Store, and BlackBerry World.
This problem should get worse before it gets better. Mobile application sales are predicted to reach $77 billion by 2017. This will cause the problem of counterfeit or pirated apps to increase, and it affects developers, their brands, and the users who download them. Who wouldn’t like a piece of the $50,000 that the Flappy Bird game was making from in-app advertising and sales?
Web application tampering
Web application tampering is also becoming increasingly prevalent. Attackers first try to control the device, by infecting it with malware or by tricking the user into installing some browser plugin. They then tamper with the client side directly by injecting malicious code. The goal is to capture and exfiltrate sensitive data such as user credentials or credit card information, steal money, change the appearance of the app, or trick the user into unwanted actions.
The banking sector and other industries
The banking sector has been particularly affected by tens of millions of dollars stolen from users' bank accounts. But companies from all sectors (e-commerce, media, among others) are risking having their platforms changed and the experience of their users tampered with, with consequences to their business and reputation.
Malware sometimes also installs malicious ads that are shown when you visit specific websites. But tampering is not only performed by malware, and it’s not always involuntary. Users are installing browser plugins to have price comparisons injected into e-commerce websites. It can get them better deals, but from those e-commerce websites’ perspective, it’s stealing a significant percentage of their customer web traffic.
JavaScript is the common denominator of all the issues affecting the application’s integrity. The reason why it is so easy to tamper with mobile and web applications is in part due to the nature of the JavaScript language. It’s a very dynamic language that allows one to easily add or inject code that interferes with the existing code of the application and makes it do something else.
JavaScript prominence
And it is here to stay. According to Gartner’s Technical analyst Danny Brian, “JavaScript’s prominence is a byproduct of the browser being ubiquitous, whether that’s desktop, mobile or other platforms like native desktop applications using the browser wrapped up and deployed or built with HTML5”. So, if we need to live with it, perhaps we can make it stronger and more resilient to tampering.
Jscrambler, the Web Security startup with a focus on JavaScript Security, claims to have done just that. It launches version 4 of its service today which takes it from a code security tool to a completely re-engineered platform that aims to make sure JavaScript-based applications are executed the way they were developed to be.
Jscrambler gives companies the ability to transform their JavaScript apps so they can conceal the logic in the code. On top of that, it allows adding Code Traps – controls that are added to the code to enforce restrictions such as making the code only run in the right domain or the right browser – and finally makes the application self-defensive, a feature which makes the application defend itself from tampering and reverse-engineering attacks.
With this new version, Jscrambler expects to offer a solution that brings the necessary protection to JavaScript. “Version 4 brings the product from a code protection solution to a platform that provides a tamper-proof environment to the application, making sure it is executed without interference and by legitimate users only”, says Pedro Fortuna, CTO of Jscrambler.
According to the company, the new level of resilience comes from stopping attackers from automating attacks on the code by making Jscrambler’s code transformations more polymorphic – which means the protection engine will produce very distinct obfuscated versions with each build – and by introducing new cutting-edge features to further conceal any sensitive logic and data contained in the code. As reported by Jscrambler, a switch to a more app-centric platform was also a goal for this version.
They claim developers can now easily manage the protection of their apps within Jscrambler. A new interface can provide an almost instant preview of the resulting protected code as options are selected, making it easier to understand the individual effect of each applied transformation. “The choice of transformations and where they are applied has also gotten simpler and more straightforward. You can pick each target you want to transform, be it strings, classes, or functions, and see the effects on your code in real time. Easily creating your app, swiftly managing its different versions, effectively protecting it and deploying it – those were our goals and we guarantee security professionals and developers will enjoy the experience”, concluded Pedro Fortuna.
Companies are still getting used to this Web and Mobile world centered on JavaScript. Now that the code they write is shipped to all sorts of devices, it’s safer to assume that the application’s integrity will be compromised. It’s just a question of when, and for what reason.”
This article was originally published in the Huffington Post.
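As an added illustration of the two kinds of control the article describes, a domain-lock Code Trap and a self-defending integrity check, here is a simplified example in plain JavaScript. It is not Jscrambler's code and does not reflect how the product implements these features; all names and values are constructed, and the hostname is passed in as a parameter so the snippet runs outside a browser.

```javascript
// Simplified "code trap" style checks (constructed example, not Jscrambler's
// implementation): a domain lock and a function self-integrity check.

// FNV-1a 32-bit hash, used here to fingerprint a function's source text.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Domain lock: allow execution only on an approved host (exact match or a
// subdomain of it). In a browser you would pass window.location.hostname.
function domainAllowed(hostname, allowedDomains) {
  const host = String(hostname).toLowerCase();
  return allowedDomains.some(d => host === d || host.endsWith('.' + d));
}

// Business logic worth protecting (constructed): price after a percentage discount.
function computePrice(base, discountPct) {
  return Math.round(base * (100 - discountPct)) / 100;
}

// Fingerprint of the protected function's source, as it would be recorded at
// build time. Here it is computed at load time for simplicity.
const PRICE_FN_FINGERPRINT = fnv1a(computePrice.toString());

// Self-integrity check: does the function's current source still match?
function isIntact(fn, expectedFingerprint) {
  return fnv1a(fn.toString()) === expectedFingerprint;
}

// Guarded entry point: refuses to run off-domain or when the protected
// function has been swapped or edited, and reports which trap fired.
function guardedPrice(hostname, fn, base, discountPct) {
  if (!domainAllowed(hostname, ['shop.example'])) {
    return { ok: false, reason: 'domain' };
  }
  if (!isIntact(fn, PRICE_FN_FINGERPRINT)) {
    return { ok: false, reason: 'tampered' };
  }
  return { ok: true, value: fn(base, discountPct) };
}
```

A real protection engine would hide the fingerprint and the checks themselves inside the transformed code and vary them per build, which is the polymorphism the article refers to; this snippet only shows the logic of the two traps.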