As HTML5 grows, security risks become a bigger issue

Carlos currently works for the JavaScript protection company JScrambler. His experience ranges from the telecom sector to web security. He's into all things digital, the creative industries and travelling.


As the combination of JavaScript and HTML5 becomes the de facto standard for building websites, enterprise solutions and mobile applications, it is surprising to discover that 99% of the code shipped as production-ready is delivered to the browser in the clear: readable, copyable and modifiable by anyone who receives it.

The W3C (World Wide Web Consortium) officially approved HTML5 as a complete standard in October 2014, but adoption started long before that. In 2010, Steve Jobs pointed the way when he announced that Apple would use HTML5 instead of Flash. Since then HTML5 has grown considerably: around 30% of Fortune 500 companies already use it, and tech giants such as Facebook, Google, Microsoft and Netflix have adopted it.

HTML5 has a few things going for it, the first being that it is cross-platform. VisionMobile's latest survey of over 10,000 app developers found that 42% of mobile developers use HTML5 as a preferred platform, mostly because an app written in HTML5 is simple to port to multiple targets: PC, Mac, iPad and Android, or delivered as a web service or SaaS application in the cloud.

But that's not the only thing that appeals to app developers. The other is JavaScript, the language that fuels HTML5 applications and whose popularity keeps rising. Trend data retrieved from GitHub shows that JavaScript-backed projects are experiencing the highest growth (close to 500,000 repositories), followed by Java (400,000) and Ruby (275,000).

“It’s impossible getting a language to the point where JavaScript is today…hating JavaScript is like hating the Internet”, according to Mattias Petter Johansson from Spotify. JavaScript has established itself as one of the most popular Web development languages for building websites, transactional ecommerce shopping and banking portals and mobile applications for phones and tablets.

According to Gartner, by 2016 more than 50% of mobile apps will use HTML5. Given that JavaScript and HTML5 will probably be dominant technologies within many if not all enterprises for the foreseeable future, two further questions need answers. Are there threats to businesses and developers using them? Yes. Are they protecting themselves against these threats? Unequivocally, no.

“An HTML5-based app is no different from a web-based application and the same security measures should apply to both,” Bogdan Botezatu, senior e-threat analyst for Bitdefender, said. This matters because the client-side code is the digital front door: an attacker who can read and alter it can jeopardise operations, compromise customer data and personal privacy, or, in some deployments, matters of national security. It matters all the more because simple and fast obfuscation and tamper-protection technology already exists in the marketplace.

So why take the chance? Management rightly expects that what it invested in and paid for is delivered not only bug-free and ready for production, but also in a final wrapper that makes it more difficult for others to copy, steal or tamper with the code, and harder to compromise the whole business through web fraud, malware injection, data leakage or similar attacks.

Once an application is released, its JavaScript is stored and served as plain text: every browser that loads the page receives the full source, and on a shared host other tenants may be able to read the deployed files as well. Developers therefore lose control over who reads the original source unless it is obfuscated or more robustly protected at the point it is signed off as ready for production. One caveat a practitioner should keep in mind: whatever the browser can execute, it can also read, so obfuscation raises the cost of understanding and altering the code rather than making it secret, and any decision the business actually depends on (pricing, entitlements, authentication) still has to be enforced on the server.

One solution increasingly adopted by developers and companies across sectors is JavaScript obfuscation: the production code is transformed so that it is hard to read and reverse, while the copyrighted code is kept optimised and its integrity is monitored at run time. That runtime monitoring is what lets the application detect and react to tampering, which in turn helps enforce licences and repel attacks, fraud or theft of code, goods or services.
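A minimal runtime integrity check in JavaScript, added here as an illustration of the tamper-monitoring idea described above; it is not JScrambler's product code, and the names (`createApp`, `installGuard`, `fingerprint`, `simulateTamper`) are invented for this example. The functions that gate a feature are fingerprinted when the script loads, and the guard later re-checks them and reports if one has been replaced, as an attacker would do from the browser console. It also notices when `Function.prototype.toString` has been hooked, a common trick for hiding such patches.

```javascript
// Added example, not JScrambler's product code. Names below are invented
// for illustration. Runs under Node.js or in a browser (no dependencies).

// 32-bit FNV-1a over a string: a cheap fingerprint for demonstration.
// A real product would ship a cryptographic hash computed at build time.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// Keep a private reference to the native toString: attackers who patch a
// function often hook Function.prototype.toString as well so that the
// patched function still "looks" original to naive checks.
const nativeToString = Function.prototype.toString;

function fingerprint(fn) {
  return fnv1a(nativeToString.call(fn));
}

// The application surface an attacker targets: a client-side feature gate.
// The same gate must also be enforced server-side; the client copy can only
// be made harder to read and alter.
function createApp() {
  return {
    hasEnterpriseTier(user) {
      return user.tier === "enterprise";
    },
    exportReport(user) {
      if (!this.hasEnterpriseTier(user)) throw new Error("feature locked");
      return `report for ${user.name}`;
    },
  };
}

// Snapshot the guarded functions at load time, before any later script or
// devtools session can touch them, and re-check on demand.
function installGuard(target, names) {
  const baseline = new Map(names.map((n) => [n, fingerprint(target[n])]));
  return {
    check() {
      const violations = [];
      if (Function.prototype.toString !== nativeToString) {
        violations.push("Function.prototype.toString hooked");
      }
      for (const [name, expected] of baseline) {
        const current = target[name];
        if (typeof current !== "function") {
          violations.push(`${name}: removed`);
        } else if (fingerprint(current) !== expected) {
          violations.push(`${name}: replaced`);
        }
      }
      return { ok: violations.length === 0, violations };
    },
  };
}

// What an attacker types in the console to unlock the feature.
function simulateTamper(app) {
  app.hasEnterpriseTier = () => true;
}

// End-to-end run: returns the guard verdicts before and after tampering.
function demo() {
  const app = createApp();
  const guard = installGuard(app, ["hasEnterpriseTier", "exportReport"]);
  const user = { name: "alice", tier: "free" }; // constructed sample user
  const before = guard.check();            // ok: true
  simulateTamper(app);
  const unlocked = app.exportReport(user); // gate bypassed on the client
  const after = guard.check();             // ok: false, hasEnterpriseTier replaced
  return { before, unlocked, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

In production the guard would run on a timer and report violations to the server rather than only return them, and the expected fingerprints would be computed at build time over the obfuscated output so that they are not exposed next to the code they protect. The check deliberately does nothing to stop the bypass itself: the point is detection and alerting, which is why server-side enforcement of the same gate remains necessary.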

You might ask whether going native would solve this issue altogether. Native application code is compiled before it is deployed to the device, so it is naturally less exposed, right? Actually, this is a common misconception. Depending on the attacker's goal, native code can be trivial to crack too. Android applications, for instance, are written in Java, and the bytecode they ship as is easy to decompile into something close to the original source. So even native code benefits from obfuscation as part of the build (on Android this is what tools such as ProGuard do). Being a compiled technology should not weigh in your decision between going native and HTML5.

“Developers are using JavaScript to build extremely complex applications. As enterprises invest in migrating to HTML5, they will develop a need to back this investment with security enforcing, tamper-resistant features. Furthermore, companies who develop, use and offer to sell HTML5 and JavaScript applications will want to prevent others from stealing or compromising the code they invest significant time and money into,” said Rui Ribeiro, CEO of JScrambler, a company that develops full-stack JavaScript and HTML5 obfuscation and real-time tamper alert solutions.
