Source Code Protection in Hybrid Mobile Apps

Hybrid mobile apps have become business assets. Perhaps you’ve heard the phrase “every company is an app company” before.

Mobile apps have effectively transformed whole industries like transportation, media, retail, and accommodation, making it extremely easy for consumers to engage with service providers and deliver a uniform experience wherever they are located.

This year alone, mobile banking app usage has doubled in the US, and we see a similar pattern worldwide. However, the strength of mobile can quickly become a weakness if companies don’t pay enough attention to their security risks.

Hybrid Mobile Apps, Security, and Trust

Trust is an essential component of any business. And while trust and security are often confused, they are interlinked; if security is compromised, it can quickly break down years of hard-earned trust.

Mobile apps face a tough scenario when it comes to security.

When companies release their apps unprotected into the wild, they are putting them at risk of attacks.

Through reverse engineering, attackers can analyze the whole app and find assets such as proprietary code or how personal data is stored.

Technical risk quickly becomes a business liability. For instance, the lack of compliance with data protection regulations such as GDPR and CCPA might create headaches for business owners.

Mobile security for mobile banking apps

Research by Verimatrix regarding the state of mobile security for mobile banking apps shows that 95% of banking apps aren’t taking the appropriate security steps.

This tendency spans different industries, such as video streaming and OTT. Mostly, the reason behind this is a lack of client-side security.

When we consider hybrid mobile apps, a growing type of app that is built mostly with JavaScript and frameworks like React Native, we must address the security concerns posed by unprotected source code, both JavaScript and native.

The Client-Side Security of Hybrid Mobile Applications

Attackers can attack every piece of client-side JavaScript.

Application packages for hybrid apps typically contain JavaScript files with the logic of the application in plain sight. And this logic often includes proprietary algorithms and allows attackers to plan and automate attacks like data exfiltration.

This liability has been explored in some of the most common security standards and frameworks.

The ISO 27001 standard, for instance, states that “program source code can be vulnerable to attack if not adequately protected and can provide an attacker with a good means to compromise systems in an often covert manner.”.

And OWASP advises that “the mobile app must be able to detect at runtime that code has been added or changed (…) The app must be able to react appropriately at runtime to a code integrity violation.”.

How can development teams ensure that their source code is protected?

The answer lies in source code protection, both JavaScript and native code, with a combination of obfuscation, environmental checks, and runtime defenses.

For more details on this, watch our webinar, where these protections are explored and demonstrated by Pedro Fortuna, CTO of Jscrambler, and Neal Michie, Director of Product Management at Verimatrix.