What is In-App Protection & Obfuscation and how does it apply to JavaScript?

Unlike languages like .NET and Java that are compiled to intermediate, stack-based assembly instructions before being distributed in binary form, JavaScript apps are typically distributed in source form. This means that your code is directly visible to anyone with access to the execution environment (like a browser). So, potential attackers can very easily step through the running code using a debugger built into their browser, or use other tools to statically analyze the code for vulnerabilities.


Does this matter? Well the answer is... it depends.

  • Does the JavaScript contain code you don't want competitors to copy or clone?
  • Is there a reason a hacker might want to circumvent some of your checks or actively look for vulnerabilities?
  • Is there risk of harm or reputation damage if the code is modified in a nefarious way? (e.g. to serve malware, or to enable phishing, etc.)

If the answer is “yes” to any of these questions, then consider obfuscating and protecting your JavaScript code.

Why should I obfuscate and protect my JavaScript Apps?

  • To reduce the code size (minification aspect of obfuscation)
  • To make it more difficult for a hacker to reverse engineer your code
  • To hide business logic and unique algorithms
  • To make it more difficult for a hacker to debug your application and look for vulnerabilities
  • To make it more difficult for an attacker to exploit those vulnerabilities, once found
  • To make it more difficult for an attacker to modify or steal your code

JSDefender: In-app JavaScript Protection

JSDefender™ secures your JavaScript apps against tampering, misuse and data theft using sophisticated obfuscation and active protection techniques.

Some example transforms include:

Transform Description
DomainLock Allows binding the code to a specific domain (or its subdomains). When the code running in the browser originates from a non-matching domain, it breaks with an error.
BooleanLiterals Transforms the false and true literals to other expressions that result in the same false and true values, respectively.
IntegerLiterals Transforms integer literals to other (less obvious) expressions that result in the same value when evaluated. It can also transform all integer literals to a specific radix (binary, decimal, hexadecimal, or octal).
PropertyIndirection Transforms direct property access to indirect property access.
StringLiterals Extracts string literals into variables and initializes those variables from encoded string literals. Replaces the original string with the corresponding variables.
LocalDeclaration Mangles the names of local declarations.
DebuggerRemoval Removes information from production code that can help hackers inspect your code.
ControlFlow Flattening Obfuscates the program's control flow by adding opaque predicates or dead code and flattening the control flow.

What does protected & obfuscated JavaScript look like:

BEFORE


BankABC.fundingSources.create('1xM821zkPUob1dmeNfhJedI1h5JkFRoC3Ja9Y8SLXp0EStArMT', {
  routingNumber: getVal('routingNumber'), accountNumber: getVal('accountNumber'), type: getVal('type'), name: getVal('name')
}, function(err, res) {
  console.log('Error: ' + JSON.stringify(err) + ' -- Response: ' + JSON.stringify(res));
});
customer_url = 'https://api-sandbox. BankABC.com/customers/AB993D36-3757-69C1-C3B4-29727FB3111C'
customer = app_token.post("#{customer_url}/funding-sources-token")
$('form').on('submit', function() {
  BankABC.configure('sandbox');
  var token = ’X9Bv3NuSrML7Ke1mcGmCT0EpwW34GSmDaYP09UfCpeWde46Jug’;
  var bankInfo = { routingNumber: $('routingNumber').val(), accountNumber: $('accountNumber').val(), type: $('type').val(), name: $('name').val()  }
  BankABC.fundingSources.create(token, bankInfo, callback);
  return false;
});
function callback(err, res) {
  var $div = $('
'); var logValue = { error: err, response: res }; $div.text(JSON.stringify(logValue)); console.log(logValue); $('#logs').append($div); }

AFTER


var Acjgb$1=Ezchb("uf}wz}t@|fapv");var cemgb$1=Ezchb("pavrgv");var wZcgb$1=Ezchb('\x22k^+!\x22ixCF|q\x22w~v]u{YvwZ\x22{&YxUA|P Yr*J+@_Kc#V@gRa^G');var Yaggb$1=Ezchb('a|fgz}t]f~qva');var sWWfb=Ezchb('rpp|f}g]f~qva');var UXZfb=Ezchb('gjcv');var oTQfb=Ezchb('}r~v');var QUTfb=Ezchb("\x7F|t");var QoHgb=Ezchb('Vaa|a)3');var sqKgb=Ezchb("`gaz}tzuj");var MlBgb=Ezchb('3>>3Av`c|}`v)3');var onEgb=Ezchb("`gaz}tzuj");var Iivgb=Ezchb('{ggc`)<`r}wq|k=3Qr}xRQP=p|~ $&$>%*P\x22>P Q\x27>!*$!$UQ \x22\x22\x22P');var kkygb=Ezchb("c|`g");var Efpgb=Ezchb("0hpf`g|~vaLfa\x7Fn`|fapv`>g|xv}");var ghsgb=Ezchb('u|a~');var gBfhb=Ezchb("|}");var ICihb=Ezchb('fq~zg');var cyZgb=Ezchb("p|}uztfav");function Ezchb(cWXdb){var EXaeb="";for(var ErOeb=0;ErOebcWXdb.length;ErOeb++){EXaeb+=String.fromCharCode(cWXdb.charCodeAt(ErOeb)^0x13);}return EXaeb;}var YuTgb=Ezchb('`r}wq|k');var AwWgb=Ezchb('a|fgz}t]f~qva');var UrNgb=Ezchb("er\x7F");var wtQgb=Ezchb('rpp|f}g]f~qva');var wNDhb=Ezchb("er\x7F");var YOGhb=Ezchb('gjcv');var sKxhb=Ezchb("er\x7F");var ULAhb=Ezchb('}r~v');var oHrhb=Ezchb("er\x7F");var QIuhb=Ezchb("uf}wz}t@|fapv`");var kElhb=Ezchb("pavrgv");var MFohb=Ezchb('wze3<-');var ofqeb=Ezchb("gvkg");var Qgteb=Ezchb("`gaz}tzuj");var kckeb=Ezchb("\x7F|t");var Mdneb=Ezchb('0\x7F|t`');var gZdeb=Ezchb("rccv}w");BankABC[Acjgb$1][cemgb$1](wZcgb$1,{routingNumber:getVal(Yaggb$1),accountNumber:getVal(sWWfb),type:getVal(UXZfb),name:getVal(oTQfb)},function(gtReb,AoIeb){console[QUTfb](QoHgb+JSON[sqKgb](gtReb)+MlBgb+JSON[onEgb](AoIeb));});customer_url=Iivgb;customer=app_token[kkygb](Efpgb);$(ghsgb)[gBfhb](ICihb,function(){BankABC[cyZgb](YuTgb);var cqLeb=X9Bv3NuSrML7Ke1mcGmCT0EpwW34GSmDaYP09UfCpeWde46Jug;var wlCeb={routingNumber:$(AwWgb)[UrNgb](),accountNumber:$(wtQgb)[wNDhb](),type:$(YOGhb)[sKxhb](),name:$(ULAhb)[oHrhb]()};BankABC[QIuhb][kElhb](cqLeb,wlCeb,Iaheb);return (NaN===NaN);});function Iaheb(YmFeb,siweb){var Ujzeb=$(MFohb);var UDmfb={error:YmFeb,response:siweb};Ujzeb[ofqeb](JSON[Qgteb](UDmfb));console[kckeb](UDmfb);$(Mdneb)[gZdeb](Ujzeb);}

How is PreEmptive Protection for JavaScript better than other solutions?

  • We don't require you to send your unprotected code to us. We would not send our own unprotected code to a remote service and we would not expect you to either.
  • Unlike some of the open source tools we've tested, our products have a high level of quality and first rate support


Be sure your software security and protection plans don't overlook the client side. Protect against the risks of vulnerability discovery, license violations, code theft, information leakage...
To get a free trial of the preview edition of PreEmptive Protection for JavaScript, please fill out the information below, and we will get back to you very soon.

Try it Now!