Trust but verify - The Importance of Using a Trustworthy Obfuscation Service

JavaScript is everywhere, and protecting it may not be enough. It is mandatory to use a trustworthy obfuscation service. Trust, but verify, as free JavaScript obfuscator services may be unexpected sources of attack vectors.

GitHub highlights that JavaScript has the highest number of contributors and repositories, handily outpacing other alternatives such as PHP, Python, and Ruby.

Why is a Free Obfuscator not Always Free?

According to the Sucuri blog, a free JavaScript obfuscator embeds malicious code into the source code and obfuscates it afterward to conceal both the source code and the malicious payload.

The unsuspecting victim has no idea that the obfuscated code includes malicious logic and deploys it into the Wild Wild Web. A few days later, spam started popping up on the website. Only after some time and pulling some hair out does the victim start to connect the dots.

We already knew that obfuscation was being used to make malicious code more stealthy to antivirus software, but this is different. In this case, you’re obfuscating, packaging, and delivering the malware yourself.

The malware creator sets his trap and goes for a drink. Luckily, the malware wasn’t doing something more dangerous like stealing user data or authentication credentials, which is common in Man-in-the-Browser attacks. After discovering something was wrong, it wasn’t hard to reverse engineer the obfuscated code and find the embedded malicious code.

Responsibly-Sourced Security

How can we verify if the obfuscated code hides malicious logic?

Well, you will have to analyze the obfuscated code and the environment where it is running.

Also, avoid free services from non-trustworthy sources, and the risk of an attack like this is reduced almost to zero.

Are you willing to take the risk? There is the possibility of reverse-engineering the code before each deployment. However, this is not a desirable procedure, and most people have no idea where to begin. Even if someone has the know-how, the time that such a task could take would be better invested in coding the next feature of the application.

For those who care about protecting their Intellectual property and overall security, taking this risk is not an option. Going with a professional, trustworthy product is the best choice if you aim to obfuscate your code without any hassle or harm to your reputation.

Choices to enhance client-side security

This might make you think of a similar trust issue that is also related to JavaScript source code and the use of third-party CDNs. How can someone trust that resources uploaded from a third-party server contain only the expected logic?

There is a solution quite simple and elegant in the making called subresource Integrity.

If you have client-side JavaScript code worth protecting, check out the Jscrambler free trial or request a demo from our team of experts. Go beyond obfuscating source code or JavaScript obfuscation.