The JavaScript Software Protection Security Checklist is a vendor-independent effort that aims at helping Security Practitioners analyzing the potency and resilience of a JavaScript Software Protection.
The checklist follows the OWASP MASVS organization model of enumerating different verification requirements across a number of different categories. It builds upon its V8: Resilience Requirements section, further expanding it and adjusting it to a different scope: JavaScript Software Protections - which is not only applicable to Mobile Applications having JavaScript but, in fact, to any other kind of JavaScript-based application (e.g. Web, Node.js) for which one may consider using software protections. Some inspiration was also drawn from the OWASP Mobile Security Testing Guide.
Verification requirements were written, as much as possible, to be easy for anyone to follow and independently verify them. However, we recognize that some specific requirements might be harder to verify without 1) using specialized troubleshooting features of the software protection solution; 2) needing help from the software protection vendor, or, 3) without a significant amount of time invested.
These verification requirements do not aim to verify if some feature is available in the vendor solution, if the solution is reliable (i.e. does not break the code), or if it is compliant with all JavaScript engines. Even though those are important matters, they are considered out of scope for this checklist.
You can find the checklist here: [PDF] [Markdown]
This was a first effort towards having a fully working industry validated checklist. We need feedback and volunteers to work on this topic. If you want to help, please contact me: pedro.fortuna_AT_jscrambler.com