The Importance Of Protecting Your App’s Source Code


By Rui Ribeiro, CEO and Co-founder, Jscrambler

If your business operations involve any type of web or mobile app, it’s likely that the source code of these apps represents a very important part of your company’s intellectual property. As a result of the ongoing digital transformation, these apps have often become key pieces of a company’s competitive advantage and thus a strategic business asset. It’s no wonder then that unwarranted access to this source code could put this competitive advantage at risk. However, this is just the tip of the iceberg, as unprotected source code can lead to critical security issues such as automated abuse, piracy, and data exfiltration.

When we take a look at the development scheme, we see that JavaScript, for instance, has grown immensely over the years, and now it powers around 97% of modern web applications. Every Fortune 500 company relies on this thriving open-source ecosystem with thousands of frameworks available that speed up the development process. But, despite the many benefits and business value associated with JavaScript, organizations need to consider the changes to their threat model when using JavaScript-based web and mobile applications. Especially when it comes to applications in sectors such as banking, healthcare, broadcasting, and e-commerce.

The tricky part about JavaScript is that it needs to be interpreted by a browser for it to work, therefore becoming exposed in a way that anyone can access, read, and change. And although the general recommendation is to keep sensitive code on trusted environments such as the backend, this is often infeasible due to the inherent performance issues. The result is that companies end up running proprietary algorithms and important business logic on the exposed client-side.

Regulations and standards such as NIST and ISO 27001 also mention the risks of unprotected source code, recommending that organizations put in place strict control procedures to keep them from experiencing the consequences of attacks to the source code.

Security Risks: Automated Abuse, Piracy and Data Exfiltration

As OWASP mentions, potential attackers can take advantage of the exposed code to modify the application’s data and resources, change the system APIs, or change the contents of memory dynamically. This way, they can hijack the intended use of the code for personal or monetary gain.

One of the hijacking routes attackers can take is relying on automated abuse attacks by exploiting the web application’s functionalities to gain access or privileges through the use of bots. Typically, these types of attacks need some sort of source code manipulation, which is possible when JavaScript is unprotected. The target for this type of attack is often cloud providers that offer free benefits in new accounts. Attackers will abuse the system to automate new trial account creation and use the benefits without ever having to pay for the services. Automated attacks are especially troublesome because they can target new versions of the code with minimal cost, which means that they can scale up and target more and more systems.

When it comes to piracy, attackers typically target the growing OTT industry, leaking premium content which naturally ends up causing a loss of revenue for legitimate businesses. Aware of the problem, providers are using multiple techniques to fight pirates and trace the leaked content, but they must ensure that attackers can’t easily bypass these techniques, namely by protecting their source code. Other examples of piracy are also commonly seen in the gaming and gambling industry where counterfeit apps pose a threat to the business integrity.

Now, one of the most important risks is Data Exfiltration which probably resonates with everyone who has had to submit data such as email, name, address, credit card number, or even medical information on a website using a form. Because the logic behind these forms is handled by JavaScript and all the sensitive data passes through the client-side, the safety of the data is potentially at risk. By leaving their JavaScript exposed, organizations make it easier for attackers to understand how their web applications work and facilitate the planning/ automation of data exfiltration or scraping attacks. This class of attacks is known for generating severe losses, both from the business standpoint and from the breach of compliance with data privacy regulations.

By leaving their source code exposed, organizations make it easier for attackers to understand how their web applications work and increase their attack surface. To secure their web and mobile applications, the best approach is to start securing them during the development stage.

This includes protecting the application’s source code with multiple layers, to ensure that any code sent to production can actively prevent tampering and reverse-engineering attempts. Plus, with the ongoing digital transformation showing no signs of slowing down, this approach can be crucial to ensure that companies’ intellectual property and user data are protected.

About the Author

CEO and Co-Founder of Jscrambler, Rui Ribeiro has led the company from bootstrapping to global expansion. Currently, he executes the company’s growth strategy and manages its vision and culture. With over 15 years of experience in IT, Rui has co-authored several application security patents and has extensive expertise in the financial sector, namely in international banking.

Our company website is https://jscrambler.com.



Source link