September 14, 2019

    Obfuscating JavaScript code with DexGuard and iXGuard

    Both DexGuard and iXGuard now come with a fully-featured JavaScript obfuscator that protects and hardens JavaScript code in Android and iOS apps. They handle all code from individual JavaScript files to full-blown cross-platform applications built with Cordova, Ionic or React Native.

    There are several popular and mature JavaScript frameworks (Cordova, Ionic, React Native) for mobile app development. An increasing number of mobile applications running on Android and iOS devices are not only written in Java, Kotlin (Android) or Objective-C and Swift (iOS), but also in JavaScript. With the addition of the built-in JavaScript obfuscator in DexGuard (as of version 8.4) and in iXGuard (as of version 3.2), the entire code base of these hybrid apps can be protected against reverse engineering and hacker attacks without relying on a separate tool for obfuscating the JavaScript code.

    JavaScript hardening techniques

     
    DexGuard and iXGuard provide a full range of protection features for JavaScript. As with Java, Kotlin, Objective-C or Swift code, it is crucial to take a multi-layered approach to mobile security. Below are some of the most important techniques DexGuard and iXGuard apply.

    Name obfuscation makes the code significantly more difficult to analyze by renaming variables, functions and properties in your JavaScript code to randomized, meaningless names.

    Original program:

    function surfaceArea(cuboid) {
        return (cuboid.width * cuboid.height +
                cuboid.width * cuboid.depth +
                cuboid.depth * cuboid.height) * 2;
    }
    
    var box = {
      width: 20,
      height: 5,
      depth: 8
    };
    
    var box_surface_area = surfaceArea(box);

    Processed program:

    function a(d) {
        return (d.a * d.b +
                d.a * d.c +
                d.c * d.b) * 2;
    }
    
    var b = {
      a: 20,
      b: 5,
      c: 8
    };
    
    var c = a(b);
    

    With string encryption, sensitive strings (such as API keys) are hidden and replaced with an encrypted representation of the string. The encrypted strings are decrypted at runtime using decryption functions that are generated by the JavaScript obfuscator and scattered throughout the code.

     

    Original program:

    var x = "Hello, world!";
    

    Processed program:

    var x = a("&h5@jkl;iud12");
    

    Property access obfuscation makes the code more resilient against automatic refactoring tools (such as Beautify, Prettify, etc.). This obfuscation transforms property accessors from dot notation to square bracket notation. When combined with string encryption, it hides the name of the property entirely.

    Original program:

    var car = {
      driver: "John",
    };
    
    alert(car.driver);
    

    Processed program:

    var car = {
      driver: "John",
    };
    
    alert(car["driver"]);
    

    Processed program (with encryption):

    var car = {
      driver: "John",
    };
    
    alert(car[a("qs1&@52d")]);
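
    The two transforms above can be reproduced in a few lines. The following is an added example, not DexGuard or iXGuard code: the XOR-and-hex encoding, the key, and the helper names `encode`, `decoderSource`, `harden` and `run` are assumptions made for the demonstration, and the input is limited to double-quoted literals without escapes.

```javascript
// Added illustration, not DexGuard/iXGuard code. The XOR-and-hex encoding is a
// stand-in for the vendor's unspecified scheme and has no cryptographic strength.
// Limits (assumed for the demo): double-quoted literals without escapes only;
// no comments, template literals or single-quoted strings in the input.

// Encode each UTF-16 code unit as 4 hex digits after XOR with a 16-bit key.
function encode(plain, key) {
  let out = "";
  for (let i = 0; i < plain.length; i++) {
    out += (plain.charCodeAt(i) ^ key).toString(16).padStart(4, "0");
  }
  return out;
}

// Source of the runtime decoder `a` that ships inside the processed program.
function decoderSource(key) {
  return 'function a(s){var r="";for(var i=0;i<s.length;i+=4)' +
    "r+=String.fromCharCode(parseInt(s.slice(i,i+4),16)^" + key + ");return r}";
}

// Apply both transforms from the text and prepend the decoder.
function harden(source, key = 0x2f1d) {
  const wrap = (text) => 'a("' + encode(text, key) + '")';
  const processed = source
    // String encryption first, so dots inside literals are never seen as accessors.
    .replace(/"([^"\\\n]*)"/g, (_, literal) => wrap(literal))
    // Property access: obj.name -> obj[a("...")], including chained accesses.
    .replace(/(?<=[\w$\])])\.([A-Za-z_$][\w$]*)/g, (_, name) => "[" + wrap(name) + "]");
  return decoderSource(key) + "\n" + processed;
}

// Evaluate a program and return its `greeting` variable (demo helper).
function run(source) {
  return new Function(source + "\nreturn greeting;")();
}

// Constructed sample input, modelled on the car example above.
const SAMPLE = 'var car = { driver: "John" };\nvar greeting = "Hello, " + car.driver;';

console.log(harden(SAMPLE));
console.log(run(SAMPLE) === run(harden(SAMPLE)));
```

    The decoder and its key are part of the processed program, so the transform raises the effort of static analysis while the original values remain recoverable at runtime.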
    

    The protection techniques above are just a small part of what both DexGuard and iXGuard can do when used on a JavaScript-based app. Other features include:

     

    • Arithmetic obfuscation: transforms numeric values and expressions into more complex expressions that are harder to decipher.

    • Control flow obfuscation: adds additional branches to the code to better protect it against manual code analysis.

    • Debugger obstruction: makes program code more difficult to execute when a debugger is active.

    • Shuffling: changes the order of function declarations, making it more difficult to see the dependencies between different parts of the program.

    • Shrinking*: reduces the overall program size by removing code that is not being referenced from other active code.

      *coming soon for iOS applications

    Availability

    JavaScript obfuscation is available as of DexGuard 8.4 for Android and as of iXGuard 3.2 for iOS.
     

    Guardsquare
