All sorts of companies are using JavaScript nowadays to build applications and websites. Most of them are unaware that at the same time their applications don't exactly run as designed, and are subject to tampering, hacking or crippling. This interference is most of the time intentional but can sometimes be accidental.
The security of JavaScript applications is a well-founded concern. In the last few years, several cases of pirated apps websites being closed down have been witnessed. Pirates attempt to reverse-engineer the apps and create clones. App stores often have screening lapses and modified copycats end up on App stores, competing with the legitimate versions. This reportedly happens on Apple's App Store, Google Play, Windows Store and Blackberry World.
This problem should get worse before it gets better. Mobile application sales are predicted to reach $77 billion by 2017. This will cause the problem of counterfeit or pirated apps to increase and it affects both developers, their brands and the users that download them. Who wouldn't like a piece of the $50,000 that Flappy Bird game was making out of in-app advertising and sales?
Web Application Tampering is also becoming increasingly prevalent. Attackers first try to control the device, by infecting it with malware or by tricking the user to install some browser plugin. They then tamper with the client-side directly by injecting malicious code. The goal is to capture and exfiltrate sensitive data as user credentials or credit card information, steal money, change the appearance of the app or trick the user into unwanted actions. The banking sector has been particularly affected with tens of millions of dollars stolen from users bank accounts.
But companies from all sectors (e-commerce, media, among others) are risking having their platforms changed and the experience of their users tampered with, with consequences to their business and reputation. Malware sometimes also install malicious ads that are shown when you visit specific websites. But tampering is not only performed by malware, and it's not always involuntary. Users are installing browser plugins to have price comparisons injected into e-commerce websites. It can get them better deals, but from those e-commerce websites' perspective, it's stealing a significant percentage of their customer web traffic.
JavaScript is the common denominator to all issues affecting the application's integrity. The reason why it is so easy to tamper with mobile and web applications is in part due to the nature of JavaScript language. It's a very dynamic language that allows one to easily add/inject code that interferes with the existing code of the application and make it do something else.
And it is here to stay. According to Gartner's Technical analyst Danny Brian, "JavaScript's prominence is a byproduct of the browser being ubiquitous, whether that's desktop, mobile or other platforms like native desktop applications using the browser wrapped up and deployed or built with HTML5". So, if we need to live with it, perhaps we can make it stronger and resilient to tampering.
Jscrambler, the Web Security startup with a focus on JavaScript Security, claims to have done just that. It launches its version 4 of their service today which takes it from a code security tool to a completely re-engineered platform that aims to make sure JavaScript-based applications are executed the way they were developed to be. Jscrambler gives companies the ability to transform their JavaScript apps so they are able to conceal the logic in the code. On top of that, it allows the possibility to add Code Traps - controls that are added to the code to enforce restrictions such as making the code only run in the right domain or in the right browser - and finally makes the Application self-defensive, a feature which makes the application defend itself from tampering and reverse-engineering attacks. With this new version, Jscrambler expects to offer a solution that takes the necessary protection to JavaScript. "Version 4 brings the product from a code protection solution to a platform that provides a tamper-proof environment to the application, making sure it is executed without interferences and by legitimate users only.", says Pedro Fortuna, CTO of Jscrambler.
According to the company, the new level of resilience comes from stopping attackers from automating attacks to the code by making Jscrambler's code transformations more polymorphic - which basically means the protection engine will produce very distinct obfuscated versions with each build - and by introducing new cutting-edge features to further conceal any sensitive logic and data contained in the code. As reported by Jscrambler, a switch to a more app-centric platform was also a goal for this version. They claim developers can now easily manage the protection of their apps within Jscrambler.
A new interface is able to provide almost instant preview of the resulting protected code as options are selected, making it easier to understand the individual effect of each applied transformation. "The choice of transformations and where they are applied has gotten also simpler and straightforward. You can pick each target you want to transform, be it strings, classes, functions and see the effects on your code in real-time. Easily creating your app, swiftly managing its different versions, effectively protecting it and deploying it - those were our goals and we guarantee security professionals and developers will enjoy the experience", concluded Pedro Fortuna.
Companies are still getting used to this Web and Mobile world where JavaScript is centered. Now that the code they write is shipped to all sorts of devices, it's safer to assume that the application integrity will be compromised. It's just a question of when, and for what reason.