June 21, 2017

5 Steps to Fine-tune your Jscrambler Application

by Carlos Matias

5 Steps to Fine-tune your Jscrambler Application

At Jscrambler, we try the most to make our product easy and intuitive to use, but when you’re developing software which is required to be highly performant there might be a need for additional configuration.

In this article, we will go in depth in some features and strategies you can use to make your application as protected as possible while maintaining a high degree of your application’s original performance.

Be aware of the transformation’s potency and resilience

Jscrambler offers a different number of transformations with distinct levels of potency and resilience which are two metrics associated with obfuscation. In brief, potency translates how hard it is for a human to understand the code; resilience translates how difficult it is for a machine to defeat the protection applied. You can find more information about these metrics here.

Our documentation provides a rough value associated with the potency, resilience and cost each transformation has. Here's an example.

jscrambler-potency-resilience-and-cost-values

If you want to protect strings in your code, Jscrambler offers four distinct transformations, String Splitting, String Encoding, String Concealing and Char To Ternary Operator. These transformations have distinct levels of potency, resilience and cost, which means that, if you want to protect strings, choosing the most powerful one (String Concealing) should be enough to provide a high degree of protection and not impacting the cost too much, whereas selecting all possible transformations could bloat the code, impacting performance. If protecting strings is not one of the main concerns then opt for a less powerful transformation as it will provide a lesser degree of protection but will keep your code performant.

Step into Advanced Mode

Jscrambler offers two distinct ways of selecting the transformations which will be applied to the code: Basic and Advanced.

Whenever selecting a target in the Basic mode it will select all the transformations available for that target (you can step into the Advanced mode and check the mapping) and apply the default parameterization of the transformation. We’re currently working on improving this behavior so that the degree of protection is balanced out with the performance impact.

The Basic mode allows you to select which targets of your application you want to protect. By targets, we mean any of Javascript's building blocks (e.g., predicates, statements, booleans and numbers).

By going into the Advanced mode you are able to select each individual transformation and its parameterization. You should mix and match transformations and arrive at a degree of protection you deem fit.

If you have any questions regarding the transformation’s parameterization then hover over it. You’ll find a description of the transformation’s parameters and a link to our documentation.

Select a Specific Order of Transformations

Jscrambler’s protections are polymorphic, that is, no protection is exactly the same as previous transformations. This is guaranteed not only by randomizing the order of which transformations are applied with but also by having random behaviors inside each transformation.

Selecting a specific order of transformations might be useful since some of Jscrambler’s transformations generate targets which will be used by other transformations. For example, the Number To String transformation will convert numbers to strings. These newly created strings will be protected by following transformations which are applied onto strings. This is intended as it will increase the degree of protection.

This polymorphic behavior can, however, have a significant impact on the code's performance in cases where too many targets were created. For example, if all of the transformations which generate strings are applied before String Encoding the resulting code's size will be much greater than normal.

To address this, you can either enable Jscrambler’s Recommended Order, a specially crafted order which keeps the code performant but also ensures a high degree of protection, or craft your own specific order.

The Recommended Order can be enabled in Jscrambler's Web Application by clicking on the cogwheel on the top right corner of your app and checking the box.

The Recommended Order can also be activated through the API by adding the following parameter:

"useRecommendedOrder": true

If you want to use a custom order you can specify the areSubscribersOrdered option which will make the transformations selected to be applied in the order they appear.

// the dotToBracketNotation transformation
// will be applied after identifiersRenaming
"params": [
  {
    "name": "identifiersRenaming"
  },
  {
    "name": "dotToBracketNotation"
  }
],
"areSubscribersOrdered": true

Use Code Annotations

Jscrambler’s Code Annotations allow you to strategically place annotations in parts of your code that need to be better protected. Our Control Flow Flattening transformation is really powerful but its potency comes with a cost. So if you want to apply the transformation but only need it on a specific part of your code you can remove it from your configuration (or selected parameters) and use it via code annotations. This way the transformation will only be applied in that specific block.

function iDontNeedThisProtected (a) {  
  return a + 1;
}

function iDontNeedThisEither (b) {  
  return b + 2;
}


// @jscrambler enable controlFlowFlattening
function thisWillBeProtected (c) {  
  if (c > 0) {
    return c + 1;
  } else {
    return c + 2;
  }
}

You can find more information about Code Annotations in our documentation or in this blog post.

Reuse a Randomization Seed

One of our most recent features is the Randomization Seed. This is a specific string that you can supply to the protection process which will allow you to deterministically reproduce all of Jscrambler’s polymorphic behavior. This feature is useful in the case where you want to reproduce a previous protection that might have better performance and benchmark it against the current version of your protected code.

This feature should not be used as a replacement for selecting a custom/recommended order of transformations and tuning the transformation’s parameterization. Keep in mind that the output of a protection will only be the exact same if you provide the same input and seed. If you perform changes on some files in your application and protect them, these files will be completely different. Only the ones which were unchanged will remain the same. This should be used for benchmarking/debugging, and not in production.

You can find more information about the Randomization Seed in our documentation.

Conclusion

Fine-tuning your application’s protection can take its time but with the combination of several of the features discussed in this article, we can achieve a balance between keeping the integrity and performance of your application while also presenting a very high degree of protection.