 

PhoneGap source security

In the last section on Platform Security, it mentioned a way to secure the source code in PhoneGap apps.

Reverse engineering is a concern of many people that use PhoneGap since one can simply open an application binary and look at the JavaScript source code of the application. One could even go so far as to add malicious JavaScript code, re-package the application and re-submit it to app stores / markets in an attempt at app phishing. This practice could be undertaken with any application whether it is written with PhoneGap or otherwise since it is a similarly simple task to decompile either Java or Objective-C.

PhoneGap can actually get around this security concern since application developers can download JavaScript in their application at runtime, run that JavaScript, and delete it when the application closes. In that way, the source code is never on the device when the device is at rest. This is a much more difficult prospect with Java or Objective-C let alone the restrictions in the App Store around dynamically running Objective-C code.

However, I would like to know how I can prevent others from downloading my source code from the server.

cwlaualex asked Jul 28 '13 19:07



3 Answers

I'd suggest annotating your code and then running it through Google's Closure Compiler, which will obfuscate it and perform certain optimizations. This will make it very difficult for people to read your code, but beyond that you're just going to have to live with the fact that JS is a client side language.

Troy answered Sep 28 '22 19:09



How about the following pattern:

  1. Embed a bootstrap JavaScript with your app that enables user/device authentication against your server. Do what you can to obfuscate the bootstrap code.
  2. Keep the main logic of your app as JavaScript on your server (accessible by authenticated users).
  3. After authentication, download the main logic JavaScript at runtime, run that JavaScript, and delete it when the application closes.

Continuous upgrading follows painlessly.

davidhadas answered Sep 28 '22 19:09



I would suggest:

  • Obfuscate most/all of the JS code. Google's Closure Compiler is a good option.

When the app gets started:

  • Have a hashcode stored on the device which needs to be verified before making a call to the server for a dynamic data fetch.
  • During app startup, first push the app hashcode to the server in order to verify the app's authenticity; the server will check that hashcode in order to verify the legitimacy of the app.
  • Once the server has verified the app's legitimacy, the server can send another hashcode or keep using the same one. Plus, the server can set custom cookie parameters too... it all depends on the architecture of the app and server communication, so set whatever is best for your needs.
  • Once the app's legitimacy has been verified, all calls from the device to the server should contain the same hashcode or cookie, and the server will verify it first before answering the call.

Rather than sending new JS code, it's better to push dynamic JSON data and keep the JS code obfuscated on the device.

AAhad answered Sep 28 '22 20:09
