Tabris.js 2.0 – Top 10 Features: Security

June 29, 2017 | 3 min Read

After over a year of development, Tabris.js 2.0 is almost here. To help celebrate this, the Tabris.js development team is counting down some of the features we’re most excited about.

Over the past year, I’ve had the opporuntity to focus on Tabris.js security related work such as certificate pinning, code signing, code obfuscation, and other security enhancements.

Certificate Pinning

When an SSL connection is first made, the server typically sends its certificate to the client. The client checks to ensure that the certificate is signed by an authority it trusts, and uses that to determine if it can trust the server. While this is typically safe, there have been exploits in the past where a false certificate were accepted, and the client ended up trusting an invalid host.

To mitigate this, most security experts advise the use of certificate pinning. With certificate pinning, the client stores the fingerprint of the certificate, and checks that the fingerprint matches before continuing with the secure communication. As an aside, this is how SSH works, and if someone tries to spoof the server, you’ll see this error.

For more information, checkout OWASP’s article about certificate pinning.

Tabris.js 2.0 now supports certificate pinning for XHR/Fetch, WebSockets, Image loading and App Patching. Use the app object and assigned a list of trusted certificates to the pinnedCertificates property.

const {app} = require('tabris');

app.pinnedCertificates = [{host: 'freegeoip.net', hash: 'sha256/+SVYjThgePRQxQ0e8bWTQDRtPYR/xBRufqyMoeaWteo=', algorithm: 'ECDSA256'}];

If an invalid certificate is used, any connection to the server (freegeoip.net in this case) will fail. Checkout out docs for more information on this API.

Enterprise Security Enhancements

In addition to certificate pinning, which is available directly in Tabris.js 2.0, we have also implemented several Tabris.js enterprise modules. Tabris.js has been used successfully to build high quality banking apps for Android and iOS. Due to the nature of these apps, a number of Tabris.js security add-ons have been developed. For example, certificate pinning is only effective if the fingerprint is secure. To enforce this, we have introduced Javascript code signing & fingerprint checking as well as Javascript code obfuscation & script encryption. These can be included as Tabris.js enterprise modules. We also have tools to protect against running Tabris.js apps on rooted phones and native re-packaging protection built right into our Javascript engine. Contact us for more information on how we can help you protect your mobile applications.

With an improved API, new widgets and more platforms, Tabris.js 2.0 will be the best Tabris.js release yet; and with the security features we’ve added, it will be the most secure. Make sure to check back next week as we continue our countdown, or follow us on Twitter.

Tabris.js 2.0 - Top 10 Features

The improved security is just one of the cool new additions to Tabris.js 2. Don’t forget to check out the other top 10 features in the rundown below.

  1. TypeScript & JSX
  2. Windows 10 Support
  3. File system access
  4. AlertDialog
  5. Binary fetch()
  6. Simplified event and properties API
  7. StatusBar and NavigationBar
  8. Tabris CLI
  9. Security
  10. NavigationView
Ian Bull

Ian Bull

Ian is an Eclipse committer and EclipseSource Distinguished Engineer with a passion for developer productivity.

He leads the J2V8 project and has served on several …