
This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Aug 22, 2017 — Application Security expert

“JavaScript: Perils & Opportunities” at Black Hat 2017


At Black Hat 2017, Aaron Lint, VP of Research, and Paul Dant, Senior Security Engineer, explained their philosophies on JavaScript security and discussed the problems and complications faced when deploying JavaScript apps in untrusted environments.

Paul believes that applications are in serious trouble if outside parties have access to source code, or to a binary that is not protected against threats like reverse engineering and tampering. JavaScript is especially easy to attack because its source code is delivered in plain text directly to the client, where it can be analyzed, intercepted, and modified in transit, and the language is now used everywhere, from the database and server tiers to the client. The simplicity of JavaScript and the ability to write highly abstract code make development easier, but they also make security harder to maintain.

Furthermore, Aaron is concerned that mobile app developers place too much faith in the platforms running their apps, when in reality it is easy to obtain a compromised device that gives an attacker control over an app and reveals which APIs the app uses and how to reach them. Attackers can use this information to extract, tamper with, and repackage the code. The language is quick to work with and lowers development costs, which makes it attractive to companies, but it can also hand sensitive information to attackers. Because the code is relatively simple to reverse engineer, it is not very interesting as a target in itself; instead, attackers use JavaScript to gather the information they need to mount a more valuable attack. That information can include which forms of authentication are used, which APIs are called to authenticate users and how they operate, and whether any tokens or keys can be extracted.

More dangerously, mobile applications for healthcare and payments hold a lot of exploitable information, and many developers use obvious naming conventions in their code that make sensitive data easy to locate. Paul believes that computer science education may be partly to blame for not teaching developers thoroughly about security. At the company level, most large organizations are pushed to be first to market with the fastest solution to each new advance in technology, which leads them to set security aside, or to bolt it on later, in order to ship new applications or platforms.

Paul and Aaron agree that when security is an afterthought bolted onto a product, the product is far too easy to compromise. Many products today have these basic flaws, and managers and developers should learn from those mistakes and build security in from the beginning. Paul predicts that “in three years, binary-level analysis, especially on mobile platforms, is all anybody’s going to be talking about and thinking about in terms of solutions.”
