JavaScript obfuscation for application security: Threats, techniques, and tools

Because JavaScript is one of the most common programming languages, learning how to hide your JS code and the tools you can use to do that is important to keep your apps safe.

The rise and rise of JavaScript

JavaScript is arguably the world's most prominent programming language. This is what makes JavaScript obfuscation a vital component and key process of modern cybersecurity.

• JavaScript enjoys the status of a core technology of the world wide web.
• There are more repositories created in JavaScript than in any other language. It is the language with the most contributors in public and private repositories.
• According to studies by Statista, JavaScript is the most used programming language among developers and the most popular language to learn.
• The uses of JavaScript are many, including hybrid mobile apps, client and server-side web apps, cloud-based logic, and desktop apps.

JavaScript is distributed in source form and is therefore particularly easy to read and modify by would-be attackers. So, protecting JavaScript code has never been more important.

JavaScript obfuscation as a security challenge

JavaScript possesses several features that make it unlike compiled languages. It is uniquely vulnerable because it is distributed as source. However, the dynamic nature means that advanced obfuscation techniques can be applied.

JavaScript as a language

There are qualities to JavaScript as a programming language that make it easy for attackers to examine, modify, and exploit it.

• Accessibility: JavaScript is distributed to the source code and directly executed on the client side by the browser. There is no compilation step, because it isn’t compiled into a bytecode or binary and then distributed. This means the source code is always accessible and remains visible in the browser.
• Readability: Because it is source code, JavaScript doesn't require reverse engineering. It is possible to read it directly. JavaScript source code is easily understood and therefore easy to manipulate.
• Vulnerability: Since JavaScript code is directly visible to anyone who has access to a browser or app, potential hackers can easily use a debugger or decompiler to spot vulnerabilities and use them to their advantage.
• Policy: Companies need to plan protection around their use of JavaScript to secure valuable IP assets. It is a bad security policy for them to rely on JavaScript alone because it is easily manipulated and circumvented.

JavaScript and obfuscation

JavaScript is a dynamic language with dynamic execution. This means it determines and executes different operations at runtime, like rewriting code changes. These code modifications at runtime allow obfuscators to transform and mutate code in ways that make it harder to analyze. This is one of the reasons why the nature of JavaScript gives it an advantage in code obfuscation.

Vulnerabilities associated with JavaScript

The character of JavaScript code influences the attacks to which it is vulnerable and the obfuscation techniques that work best with it. Unprotected JavaScript is highly vulnerable to these kinds of cybersecurity threats:

• Cyber theft: Unobfuscated JavaScript exposes code that allows attackers to engage in data and identity theft, while competitors can steal code and IP.
  • Example: In 2024, the European Space Agency's official web shop was hacked as it started to load a piece of JavaScript code that generated a fake Stripe payment page at checkout, resulting in stolen payment card data.
• Supply chain attacks: These are attacks that damage an organised by targeting insecure links in their supply chain.
  • Example: In 2024, Solana SDK was compromised in a supply chain attack when a JavaScript client library was backdoored with malicious code, resulting in the theft of cryptographic keys and cryptocurrency wallets.
• Code injection attacks: Here, an attacker injects malicious or manipulative code into a program when it is running. Common JavaScript security problems in this area include cross-site vulnerabilities, like cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection (SQLi) attacks.
  • Example: In 2018, a hacker group exploited an XSS vulnerability in a JavaScript library used on a British Airways' checkout page, stealing thousands of credit card details.

Note: For OWASP Top 10 Mobile Risks, supply chain attacks are ranked at M2: Inadequate Supply Chain Security, while code injection attacks are mostly covered in M4: Insufficient Input/Output Validation.

Key code obfuscation techniques for JavaScript

Care is needed when selecting obfuscation methods. If not implemented, it could render your sensitive code vulnerable. If poorly implemented, it could negatively impact your site’s performance and prove easy to reverse. For best security, layer multiple obfuscation techniques together. And for best performance, employ different levels of obfuscation for different code parts, testing execution time in the process.

Renaming

If you can read the source code, you can understand what functions JavaScript is performing. Renaming classes, function names, and other variables makes their function less obvious and slows down analysis. This is why it is sometimes called variable renaming.

Renaming is often used by code optimisers to make code smaller. This has a useful obfuscation side-effect. However, it is always worth using a dedicated obfuscator for the following reasons:

• Renaming is only one obfuscation, and for a strong effect, you need to overlay multiple obfuscation techniques.
• The renaming algorithm is subtly different when targeting obfuscation. Typically the algorithm deliberately shadows and reuses symbol names so that it is difficult to determine the correct lifecycle of a symbol. An optimiser doesn't need to care about that and is usually just targeting the shortest names for maximum space saving.

Externals hiding

Having clear external references in a function clearly signposts it’s functionality. Externals hidings seeks to hide these so as to obscure the purpose of the function.

String encoding or string hiding

This hides ("encodes") the string literals in the code into an alternative encoding scheme from which little meaning can be inferred.

Operator removal

Operator removal replaces numerical, logical and conditional operators in the code with functions that perform the same operations. These function calls are then inserted in the place of the original operator thereby removing meaning from the code.

Integrity checking

These are random checks inserted into the control flow processing to prevent unauthorized modification. Detection of modified code leads to breaking the control flow of the application and a random crash, often presented as an out-of-memory error.

Examples of obfuscated JavaScript code

Let us talk about what obfuscated JavaScript looks like.

String encoding sample

In this example, string literals have been replaced by functions that reconstruct the strings.

Renaming sample

This is an example of what code configured by renaming might look like after symbol names have been replaced with meaningless identifiers.

These are a few simple examples. Realistically, several more obfuscation passes are typically applied for a more complete result.

Code obfuscation tools for JavaScript

We’ll look at some free code obfuscation tools for JavaScript and evaluate their worth against solutions that require purchasing.

Open source JavaScript obfuscation tools

obfuscator.io

obfuscation.io is a free, open source JavaScript obfuscator tool with a focus on transforming strings and identifiers. It also enables other transformations, such as control flow flattening and dead code injection, as well as some minification and beatification type options.

Terser

Terser is a free and open source minifier and mangler for JavaScript code that shrinks variable names, removes whitespace and comments, and drops unused code. It lacks control flow flattening, string encoding, or self-defending.

UglifyJS

UglifyJS is a free JavaScript parser, minifier, compressor and beautifier toolkit. It lacks lacks anti-debugging, control flow flattening, and string encoding options.

javascript-obfuscator GitHub

GutHib has a free, open-source, configurable obfuscator for JavaScript. GitHub also offers JStillery - a tool that uses partial evaluation to deobfuscate JavaScript code.

JS-Confuser

JS-Confuser is a free, open-source JavaScript obfuscator tool that makes programs impossible to understand, copy, re-use or modify without authorization.

Are free obfuscation tools worth it?

• It is true that free automated obfuscation tools make the process much easier and cheaper. That does not mean better or safer. Cost should not be be the only or main criteria for tool choice. Free or cheap may come at the cost of risk and results. Premium obfuscation tools are paid for and employed by industry leaders for a reason.
• It is often the case that free obfuscation tools tend to be quite limited. Their primary focus is on renaming and string encryption, but not much beyond. Quality obfuscation tools should have many layers to make the obfuscated code less penetrable with minimal impact on performance.
• There is a problem of potential malware with free tools. Some have found that malicious code is inserted in JavaScript by the free obfuscator. This malware can collect sensitive data, impact key processes, produce spam, trigger a malicious redirect, or launch a phishing attack.
• As well as cost, effectiveness, and safety, other important criteria for an obfuscation tool include ease of use and configurability.
• None of the free tools listed above appear to have any integrity controls, which is an essential step to protect JavaScript code from modification.

Buyer and user considerations for JavaScript obfuscation tools

There are some practical issues that deserve a mention when selecting and employing an obfuscation tool for JavaScript.

Sourcemap support

Sourcemaps are a debugging aid that map the obfuscated code back to the original source location. It is unlikely that open source tools will have sourcemap support. Instead, select a tool that can produce a sourcemap file for every obfuscated file to aid in the debugging of crash reports from obfuscated code.

On-premise hosting

Is the tool cloud-hosted or an on-premise solution? If the solution is fully on-premise, it can be easily integrated into CI/CD pipelines. But if the tool is only web-based, then code obfuscation may require manual intervention. Also, if the code is particularly sensitive, you may not want it to leave your premises until it's obfuscated. An on-premise tool means there there is no need to share the code offsite.

Hybrid protection

If you are developing a hybrid app – as opposed to a native one in Android or iOS – then employing an obfuscation solution to make vulnerable JavaScript code difficult to read and debug is a security must. Also, use a product on your hybrid mobile app containing JavaScript that automatically obfuscates it as part of the protection process.

What's next to secure your JavaScript code

Book at meeting with us today to talk about how we can help protect your mobile device from security threats. Whether your concern lies with JavaScript or elsewhere, we have a solution that fits your industry, your team, and your app.