Question

Some people have asked similar questions about protecting HTML5 apps and protecting freemium apps, but not both together. I'm asking this separately because I have the impression (whether right or wrong) that HTML5 is particularly insecure vs native.

I'm working on an embedded HTML5 app I want to monetize using the freemium model, but I'm worried about how to keep its virtual currency and scoring variables from being too easily messed with by the end user, as I fear this could negatively impact revenue if some hacker (no offense intended by the term) were to create a YouTube video or blog posting about an exploit. I think it is pretty unlikely early on for this to happen, but I think vulnerability will matter more with popularity. I'm also worried about the ease with which someone can copy an app.

I do realize, though, that both are inherently possible with an app installed on the device.

My questions are:

  1. How easy is it, in your opinion or experience, to mess with an unobfuscated embedded (not browser dependent) HTML5 app and its JavaScript vs a native app with core files based on Java or Objective-C data? How well does obfuscation work on HTML5 apps vs native obfuscated apps in terms of data protection?
  2. How difficult is it to obfuscate an HTML5 app vs using something like Proguard on regular Android apps?
  3. Does obfuscation cause HTML5 to noticeably slow down for normal users?
  4. Lastly, do you think it's practical to have an HTML5 app with freemium features? Or do you personally think it is too vulnerable?

What I'm basically trying to figure out with them is whether HTML5 is particularly vulnerable or hard to protect, at least when compared to protecting native apps. If an obfuscated HTML5 app is as secure or insecure as a regular app, then I guess I'm okay with it.

Solution

The only way to prevent cheating (and unlocking freemium items is a kind of cheating) is to move all the relevant game logic to the server. Forget about obfuscation. When it's executed on the client's machine, it's under the control of the user. Obfuscation can slow the user down, but it can't stop someone who is determined to hack it. This doesn't just apply to JavaScript, it applies to every game client, no matter what programming language it is written in.

A general rule of designing cheat-proof multiplayer games is to never trust the client and do all calculations which are relevant for gameplay on the server.
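
The server-side approach described in this answer, as an added example that is not part of the original answer: the client sends only an intent (which item to buy), while balances, prices and unlock state live on the server. All names here (CATALOG, accounts, handlePurchase, canUse) are hypothetical, the sample account is constructed, and `request.user` is assumed to come from an already authenticated session.

```javascript
'use strict';
// Added example (not from the original answer). Hypothetical names throughout.

// Prices exist only on the server; the client never supplies them.
const CATALOG = { extra_lives: { price: 50 }, gold_skin: { price: 200 } };

// Constructed sample state; a real service would keep this in a database.
const accounts = new Map([['alice', { coins: 120, owned: new Set() }]]);

// The client sends { user, itemId }. Any balance, price or "unlocked"
// field it adds to the request is simply never read.
function handlePurchase(request) {
  const account = accounts.get(request.user);
  if (!account) return { ok: false, error: 'unknown_user' };

  // Own-property check so keys like "__proto__" cannot match the catalog.
  const known = Object.prototype.hasOwnProperty.call(CATALOG, request.itemId);
  if (!known) return { ok: false, error: 'unknown_item' };

  const item = CATALOG[request.itemId];
  if (account.owned.has(request.itemId)) {
    return { ok: false, error: 'already_owned' };
  }
  if (account.coins < item.price) {
    return { ok: false, error: 'insufficient_funds' };
  }

  // State changes happen here, on the server, after validation.
  account.coins -= item.price;
  account.owned.add(request.itemId);
  return { ok: true, coins: account.coins, owned: [...account.owned] };
}

// Premium content is gated on server state, not on a client-side flag.
function canUse(user, itemId) {
  const account = accounts.get(user);
  return Boolean(account && account.owned.has(itemId));
}
```

Editing the currency variable in the client changes only what that client displays; the next purchase request is still checked against the server's balance.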

OTHER TIPS

In my opinion it is better to obfuscate AND never trust the client. Not only that, I would even compress the obfuscated code and I would add an obfuscated decompressor in the client and/or the server. The technique is viable and it is what professional companies are using all over the web.

Now, to answer your questions:

  1. It's not easy to mess with correctly obfuscated code (something which will require you to compress/crypt even numbers). Professional hackers won't mess with your code "for sport" unless they're given money to do so and even in that case, they'll have a hard time doing it (that's why I don't believe in the "forget about obfuscation" way of thinking).
  2. Obfuscation works really well in terms of data protection. Your code becomes unreadable and, to some extent, it can be seen as a compression algorithm, thus it reduces file size and loading times.
  3. Obfuscation is easy if you rely on professional tools which can obfuscate, for example, JS, HTML5, CSS and PHP all together. It's harder only if you have to develop such tools. But there exists open-source software too in the field.
  4. It slows down "normal users" definitely, they feel lost in front of your code.
  5. It's practical to have an HTML5 app with freemium features but it all depends on your implementation of such options.
  6. If done correctly as stated above, it's less vulnerable but, personally, I don't like this business model.
Licensed under: CC-BY-SA with attribution