Skip to main content
Aug 22, 2017

“JavaScript: Perils & Opportunities” at Black Hat 2017

At Black Hat 2017, Aaron Lint, VP of Research, and Paul Dant, Senior Security Engineer, explained their philosophies on JavaScript security and discussed the problems and complications faced when deploying JavaScript apps in untrusted environments.

Paul believes that applications are in serious trouble if outside parties have access to source code or to binary that is unprotected against threats like reverse engineering and tampering. JavaScript is so easy to hack because it sends source code in plain text directly to the client, making it easy to analyze, intercept, and modify in transit, and the language is seen everywhere from the database and server level. The simplicity and ability to write abstract code in JavaScript makes it easier to develop, but also harder to maintain security.

Furthermore, Aaron is concerned that mobile app developers have too much faith in the platforms running their apps, when in reality it is easy to obtain a compromised device that will grant hackers control over an app and help them learn what APIs the app uses and how to access them. Hackers can use this information to extract, tamper with, and repackage the code. The language is quick to use and decreases development costs, which makes it attractive to companies, but it can also provide sensitive information to hackers. The code is relatively simple to reverse engineer, which makes it not very interesting to attack. Instead, hackers use JavaScript to gather information to find a more valuable attack. This information can include what forms of authentication are used, what APIs are being called to authenticate users and how they operate, and if there are any tokens or keys that can be extracted.

Even more dangerous, mobile devices using applications for healthcare and payments contain a lot of exploitable information, and many developers use obvious naming techniques in the code they write that make sensitive information easy to uncover. Paul believes that computer science education could be to blame for not teaching developers thoroughly about security. On the company level, most large organizations are pushed to have the fastest, first to market solution to each new advancement in technology, which influences them to set security concerns aside and/or to add it on later in order to release new applications or platforms.

Paul and Aaron agree that if security is an afterthought added onto the product, it’s way too easy to hack. Many products today have these basic flaws, and managers and developers should learn from their mistakes and learn to build in security from the beginning. Paul predicts that “in three years, binary-level analysis, especially on mobile platforms, is all anybody’s going to be talking about and thinking about in terms of solutions.” 



Arxan Author

More from the Blog
May 27, 2020

Application Security: Testing is NOT Enough

In the software development world, developers are faced with a breakneck release schedule and tasked to produce applications ...
Read more
Apr 16, 2020

The Next Step in the Arxan Journey

As many of you may have seen, we just announced that w
Read more
Feb 24, 2020

Android Cracks and App Hacks – What Is StrandHogg?

StrandHogg is a critical v
Read more