Obfuscation of code is a technique used to transform plain,
easy-to-read code into a new version that is deliberately hard
to understand and reverse-engineer—both for humans and machines.
Why obfuscate JavaScript code?
JavaScript has quickly grown into the language of the web.
It powers nearly every website in existence, and the rise
of cross-platform JavaScript frameworks like React Native
and Ionic allows developers to create mobile and desktop
apps using a shared JS codebase.
JavaScript is an interpreted language, so client-side JavaScript
requires an interpreter in the browser to read it, interpret it,
and run it. This also means that anyone can use a browser debugger
to easily go through the JS code and read or modify it at will.
With such easy access to client-side JavaScript code, it’s almost
effortless for an attacker to take advantage of this security weakness
and target any unprotected code.
Many companies are frequently storing important business logic on the
client side of their apps.
code secrets should always be kept on trusted execution environments
like the backend server but this is one of those cases where practice
takes precedence over theory. When companies store this important logic
on the client side, they typically do so because they can’t feasibly
keep it on the server side.
Why companies storing important business logic on the client side ?
1) A common reason for this is when there’s no backend in the first place,
as in the case of some mobile applications.
2) Another example is when there’s some code that’s related to the user
experience (like an analytics algorithm) that must run on the client
side.
3) The most common reason is performance. Server calls take time, and when
you have a service where performance is crucial—like a streaming
platform or an HTML5 game—storing all the JavaScript on the server
is not an option.
Companies don't want their competitors reverse-engineer the code and copy
proprietary algorithms.
Besides intellectual property theft, client-side JavaScript can also be
targeted in more sophisticated attacks such as automated abuse, piracy,
cheating, and data exfiltration.It can lead to reputational damages, and
loss of revenue too.
The risks of unprotected JavaScript code:
1) Threat actors reusing code or your proprietary algorithms within their
own apps.
2) Modification of your app to bypass premium or paid feature checks.
3) Distribution of clone apps on third-party app stores.
4) Repacking of your app with malware or trojans.
In order to prevent effective reverse engineering, you must use an obfuscation
tool.
Javascript Obfuscated code and Browsers:
With obfuscation, the browser can access, read, and interpret the
obfuscated JavaScript code just as easily as the original, un-obfuscated
code. And even though the obfuscated code looks completely different, it
will generate precisely the same output in the browser.
JavaScript obfuscation vs minification, optimization, and compression:
Minification:
Minification remove unnecessary characters in the code (whitespaces,
newlines, smaller identifiers, etc.), minimizing the size of the code—but
they don’t protect the source code.
Optimization:
Optimization improve code performance (speed and memory use of the app).
Sometimes they can also make the code harder to read, but this provides
no protection.
Compression:
Compression reduces the code size using encoding and packing techniques,
but they also don’t protect the source code.
The most common JavaScript obfuscation techniques are reordering, encoding,
splitting, renaming, and logic concealing techniques.
1) String Array Mapping
2) Dead code injection
3) Scope obfuscation
4) Control flow obfuscation
5) Recomputation of literals
6) Mangling
7) JSFuck
8) Arithmetic obfuscation
9) Name obfuscation
10) Split and concatenation of string
11) Anti debugging
Note: JSFuck is a way to convert JS code into esoteric style that resembles
the infamous Brainfuck programming language. false becomes ![],
true becomes !![] and so on.
Javascript Obfuscation Tools :
UglifyJS:
UglifyJS is a highly popular JavaScript toolkit that allows you to
compress, obfuscate, beautify, and format JavaScript code. With
UglifyJS, you can control the compression level and set obfuscation
options by adjusting the parameters.
JScrambler:
JScrambler is an advanced JavaScript tool used for obfuscating and
protecting JavaScript applications. It offers a wide range of features,
including string hiding, pointer obfuscation, code virtualization,
control flow transformation, and more. JScrambler provides effective
protection for web and mobile applications, including frameworks like
React, Angular, Vue, etc.
JavaScript Obfuscator:
JavaScript Obfuscator is another popular JavaScript obfuscation
library that compresses, obfuscates, and encrypts JavaScript code
while preserving its functionality. It provides various setting
options, making it easier for users to customize the obfuscation
process.
No comments:
Post a Comment