December 14, 2020

Source Code Protection in Hybrid Mobile Apps

By Pedro Fortuna and Neal Michie | 2 min read

Source Code Protection in Hybrid Mobile Apps

Perhaps you’ve heard the phrase “every company is an app company” before. Mobile apps have effectively transformed whole industries like transportation, media, retail, and accommodation.

Mobile apps make it extremely easy for consumers to engage with service providers and deliver a uniform experience wherever they are located.

This year alone, mobile banking app usage has doubled in the US and we see a similar pattern all around the world. But the strength of mobile can quickly become a weakness if companies don’t pay enough attention to their security risks.

Trust is an essential component of any business. And while trust and security are often confused, they are interlinked – if security is compromised, it can quickly break down years of hard-earned trust.

Mobile apps face a tough scenario when it comes to security. When companies release their apps unprotected into the wild, they are putting them at risk of serious attacks. Through reverse engineering, attackers can analyze the whole app and find important assets such as proprietary code or how personal data is stored. So, this technical risk quickly becomes a key business liability – for instance, lack of compliance with data protection regulations such as GDPR and CCPA.

Research by Verimatrix shows that 95% of banking apps aren’t taking the appropriate security steps, and this tendency spans different industries such as video streaming and OTT. Mostly, the reason behind this is a lack of client-side security.

When we consider hybrid mobile apps – a growing type of apps that are built mostly with JavaScript and frameworks like React Native – we must address the security concerns posed by unprotected source code, both JavaScript and native.

Every piece of client-side JavaScript can be easily targeted by attackers. Application packages of hybrid apps typically contain the JavaScript files with the logic of the application in plain sight. And this logic often includes proprietary algorithms and allows attackers to plan and automate attacks like data exfiltration.

This liability has been explored in some of the most common security standards and frameworks. The ISO 27001 standard, for instance, states that “Program source code can be vulnerable to attack if not adequately protected and can provide an attacker with a good means to compromise systems in an often covert manner.” And OWASP also advises that “The mobile app must be able to detect at runtime that code has been added or changed (…) The app must be able to react appropriately at runtime to a code integrity violation.”

So how can development teams ensure that their source code is protected? The answer lies in source code protection, both JavaScript and native code, with a combination of obfuscation, environmental checks, and runtime defenses.

For more details on this, join our upcoming webinar where these protections will be explored and demonstrated in-depth by Pedro Fortuna, CTO of Jscrambler, and Neal Michie, Director of Product Management at Verimatrix.

Register for free here.

Pedro Fortuna and Neal MichiePedro Fortuna is the CTO and Co-Founder of Jscrambler. Neal Michie is the Director of Product Management of Verimatrix.
View All Posts

Subscribe to our weekly newsletter

Learn more about new security threats and technologies.

I agree to receive these emails and accept the Privacy Policy.