DEV Community

Cover image for Preventing Intellectual Property Theft with Jscrambler
Jscrambler for Jscrambler

Posted on • Originally published at blog.jscrambler.com

Preventing Intellectual Property Theft with Jscrambler

What is intellectual property theft?

Intellectual property theft (also called IP theft) refers to someone illegitimately taking possession of someone else’s proprietary inventions or developments. In the context of business, and specifically in IT, IP theft typically refers to a competitor or malicious actor getting access to trade secrets or proprietary algorithms to be used to the thief's own advantage.

The acceleration of digital transformation, which was exacerbated by the Covid pandemic, has stimulated the development of new technologies, consequently increasing the value of companies’ intellectual property.

This, of course, creates a huge opportunity for attackers and scammers. We have witnessed copycat apps going rampant in app stores and stealing business away from original developers, as well as fake Covid tracking apps mimicking official government apps and installing malware on the user’s device.

Looking at past attacks, it becomes clear that most intellectual property theft occurs in geographies with ambiguous IP laws, which makes enforcement extremely difficult. But even though tackling this problem is no easy task, prevention is considerably more beneficial for businesses than remediation.

Consequences of intellectual property theft

The Commission on the Theft of American Intellectual Property points out in their IP commission Report that IP theft ends up costing affected companies around $225 billion to $600 billion. While this figure will vary substantially from case to case and the indirect damages are extremely difficult to estimate, it’s simple enough to understand the potential damages in specific examples.

In the case of copycat applications, for instance, malicious actors typically steal the whole source code of the application and deploy it posing as a legitimate app. They may then monetize the application, taking advantage of the leniency that app stores are displaying, failing to crack down on copycats.

Here, there’s a direct impact on the affected business with the loss of revenue. The vast majority of users aren't able to differentiate between an original app and a copycat, and so while the app remains available on app stores (which can go on for months), the copycat app will be diverting sales. In some cases, the copycat app can also be used to distribute malware, jeopardizing the reputation of the company.

A second example of IP theft relates to a competitor wanting to retrieve a proprietary algorithm. In highly competitive sectors such as E-Commerce, companies invest heavily in specialized algorithms to improve their conversion rate. Competitors may go through the app’s source code to analyze the logic of these algorithms, allowing them to mimic their behavior and utilize it for their own gain. As a result, the company that originally developed the algorithm will lose a competitive advantage that could translate into millions of dollars in revenue.

How to prevent intellectual property theft with Jscrambler

In order to prevent intellectual property theft in web and mobile applications, businesses need to adopt adequate measures to secure their intellectual property (i.e. their source code). But how exactly can they secure it?

To make this easier to digest, let’s pick up our previous two examples: copycat applications and a competitor trying to retrieve a proprietary algorithm.

Tip: For a hands-on experience, feel free to try the code protection measures we will explore below on your own code by using a Jscrambler free trial.

Stopping copycat applications

In the case of copycat apps, as we saw, malicious actors will try to get access to the source code of the original application in order to copy it and benefit from it. So, to prevent that, businesses need to focus on adding strong protection to their source code to stop those malicious actors from ever being able to understand or replicate the code’s logic.

The answer to this is applying code obfuscation along with other code protection techniques that can be used to stop third parties from trying to reuse the code. This is actually a security recommendation by OWASP, precisely because of the underlying dangers of having exposed code.

So, the first step to stop copycats would be to conceal the code using JavaScript obfuscation, which includes a series of code transformations that turn the otherwise exposed code into a protected version that is extremely hard to understand and reverse-engineer. But to make the concealed code effectively safe from copycats, obfuscation alone isn't enough—an obfuscated app will run just like the original code, so copycats could just replicate that code. This is why simple obfuscation tools fail the purpose of actually making it hard for copycats to create app replicas.

Jscrambler provides copycat protection by applying additional strong code protection techniques on top of the obfuscation, namely Code Locks and the Self Defending layer.

Code Locks are especially useful against copycats because they provide control over the environment where the code is allowed to run. A date lock, for example, automatically “expires” the code after a certain time, meaning that copycats would have to continuously retrieve fresh batches of code to avoid having broken apps. A browser or domain lock, on the other hand, allow locking the original code to certain browsers or domains, which prevents the copycat from actually running.

In case the copycats attempt debugging the code to try and learn how the application works, Jscrambler’s Self-Defending feature protects functions and object literals—concealing their logic—and detects debuggers to trigger defenses that thwart reverse engineering attempts.

Stopping a competitor from retrieving a proprietary algorithm

When it comes to valuable proprietary algorithms, competitors may want to try and retrieve the source code that contains them to use it to their own advantage. To prevent that, as we saw in our previous example, we need to protect the source code.

Let’s take a look at the example code below. It’s an algorithm that recommends products based on the customer’s previous purchase history.

proprietary code

Now, if this were a proprietary algorithm, naturally, we would not want to leave that code exposed to our competitors. Simply by analyzing this code, they could potentially replicate the algorithm altogether. So, our first step would be to conceal all this logic with JavaScript obfuscation, taking advantage of Jscrambler’s several transformations.

control flow flattening

In the code snippet above, we can see the results of using Jscrambler’s Control Flow Flattening transformation. It flattens the flow of the program by removing the natural conditional constructs that make the code easier to read. As a result of this single transformation, the code is already extremely hard to understand and reverse-engineer.

However, applying a single transformation would not be enough to fully protect the code from competitors’ eyes. Specifically, the Control Flow Flattening transformation used above doesn’t change any of the names, numbers, or strings that are used in the original algorithm, as we can see below.

functions concealed

As such, with Jscrambler we can combine several different transformations, including string concealing and variable masking, to completely conceal all the logic of the source code and prevent competitors from being able to retrieve any useful information.

Continuing the previous example, after adding 11 different obfuscation transformations from Jscrambler, we get completely unreadable code that is extremely difficult to reverse-engineer, both by humans and reverse-engineering tools.

code transformations

But if you’re truly motivated about protecting your intellectual property and keeping your algorithms safe from prying eyes, you would still want to raise the bar even higher to stop reverse engineering attempts. By employing Jscrambler’s Self-Defending feature, your protected code will effectively mitigate any debugging or tampering attempt by triggering countermeasures at runtime, preventing dynamic code analysis. And since this is added on top of the potent obfuscation we saw before, it will also prevent static code analysis, leaving competitors completely locked out.

Finally, in case you’re only concerned about protecting specific algorithms throughout your source code, you can easily apply Jscrambler’s protection to these specific parts by using our Code Annotations feature.

Final Thoughts

As businesses become more digital, and as the competition grows, the need to stand out is often translated into innovative digital products. Naturally with innovation, and digital innovation specifically, we see Intellectual Property theft becoming more prevalent.

With that, come the consequences IP Theft brings to businesses, which shine a light on the fact that the cost of preventing it from ever unfolding is nowhere near the cost of trying to pick up the pieces afterwards.

So, to protect their innovative proprietary algorithms, companies must protect their source code with strong obfuscation transformations, code locks, and runtime protection. Jscrambler provides cutting-edge protection that, unlike simple obfuscation tools, is resilient to reverse-engineering both by humans and reverse engineering tools, ensuring that the code is kept away from prying eyes and can’t be redistributed.

Secure your JavaScript source code against theft and reverse-engineering, with a Jscrambler trial for free.

Top comments (1)

Collapse
 
jayjeckel profile image
Jay Jeckel • Edited

A second example of IP theft [...] Competitors may go through the app’s source code to analyze the logic of these algorithms, allowing them to mimic their behavior

That's not IP theft. No one owns the logic of an algorithm, just as no one owns the steps of a recipe.

And code obfuscation is, at best, an ethically questionable action, especially if that obfuscation adds nonsense like var N=2;for(;N !=== 9;) that does nothing other than waste the user's cpu cycles.

More over, if the project uses any open source code, then obfuscation is blatantly unethical. You shouldn't be using other people's code if you are so strongly against other people using your code.

The purpose of the internet is the free and open exchange of information. If you don't want your code freely and openly exchanged, then you shouldn't put it on the internet.