
javascript - PhoneGap source security - Stack Overflow


In the last section on Platform Security, it mentions a way to secure the source code in PhoneGap apps:

Reverse engineering is a concern of many people that use PhoneGap since one can simply open an application binary and look at the JavaScript source code of the application. One could even go so far as to add malicious JavaScript code, re-package the application and re-submit it to app stores / markets in an attempt at app phishing. This practice could be undertaken with any application whether it is written with PhoneGap or otherwise since it is a similarly simple task to decompile either Java or Objective-C.

PhoneGap can actually get around this security concern since application developers can download JavaScript in their application at runtime, run that JavaScript, and delete it when the application closes. In that way, the source code is never on the device when the device is at rest. This is a much more difficult prospect with Java or Objective-C, let alone the restrictions in the App Store around dynamically running Objective-C code.

However, I would like to know how I can prevent others from downloading my source code from the server.


asked Jul 28, 2013 at 19:12 by cwlaualex; edited Jun 20, 2020 at 9:12 by CommunityBot
  • 1 This question is about obfuscating JavaScript applications, not phonegap in special. – Christian Kuetbach Commented Jul 28, 2013 at 21:05
  • I'm interested in an answer to this question as well – Paul Commented Jul 28, 2013 at 22:04
  • @ChristianKuetbach: I am not asking about obfuscating JS code. I am actually interested in how PhoneGap can secure my code by downloading my JS code at runtime. I want to know how to realize this methodology. – cwlaualex Commented Jul 29, 2013 at 14:46
  • To download code at runtime is forbidden by a lot of AppStores (including apple app store). – Christian Kuetbach Commented Jul 29, 2013 at 18:26
  • I have heard about that as well. I just want to make sure the methodology provided in PhoneGap documentation is not realistic or I have misunderstood its meaning. (The 2nd paragraph in my quote) – cwlaualex Commented Jul 30, 2013 at 18:02

3 Answers


I'd suggest annotating your code and then running it through Google's Closure Compiler, which will obfuscate it and perform certain optimizations. This will make it very difficult for people to read your code, but beyond that you're just going to have to live with the fact that JS is a client side language.

How about the following pattern:

  1. Embed a bootstrap JavaScript with your app that enables user/device authentication against your server. Do what you can to obfuscate the bootstrap code.
  2. Keep the main logic of your app as JavaScript on your server (accessible only to authenticated users).
  3. After authentication, download the main-logic JavaScript at runtime, run that JavaScript, and delete it when the application closes.

Continuous upgrading follows painlessly.

I would suggest:

  • Obfuscate most/all of the JS code. Google's Closure Compiler is a good option.

When App gets started:

  • Have some hashcode stored on device which needs to be verified before making a call to server for dynamic data fetch
  • During App startup, first push the App hashcode to server in order to verify the App authenticity and Server will check that hashcode in order to verify the legitimacy of the App
  • Once the server has verified the App's legitimacy, the server can send another hashcode or keep using the same one. The server can also set custom cookie parameters; it all depends on the architecture of the App & Server communication, so set whatever best suits your needs.
  • Once App legitimacy has been verified then all calls from device to server should contain the same hashcode or cookie and server will verify it first before answering to the call.

Rather than sending new JS code, it's better to push dynamic JSON data and keep the JS code obfuscated on the device.
