Are my app assets secure?


in my Ionic2 app i will use a bunch of videos. Those videos are visible for the app members (They can watch them). But how secure are those videos (they are located under www/coustom_assets/video). Can someone just plugin the smartphone and copy them out of the www/coustom_assets/video folder? This is maybe a stupid question but i am at all interested in what this parts of the app are visible and accessible for the end user.

It’s not as easy as copying a folder, but the app packages are easily attainable/exportable and then extractable to get at the data they contain. Directly putting the videos into an asset folder will make them easily accessable.

1 Like

Are you really planing to deliver all videos with the app itself? This means you would have to publish a new app for every new Video you would like to add. And it would blow up app size to an extreme size if you include e.g. 30 vids with 10MB each.

Dynamically load videos and displaying them in an inapp video player sounds like a better solution, I think.

1 Like

You are right. And i agree with you. I will put them somewhere else. Fore those who want to save stuff secure have a lock at this:

I’m not sure what you think is in there that would facilitate saving anything “securely”, if by “secure” you mean “inaccessible to somebody with physical access to the device”. IMHO, that’s a complete impossibility. If the app can access a resource in cleartext, so can anybody with the binary.

You are right. And i agree with you. I will put them somewhere else.

That doesn’t make a difference. If you look at how, e.g., Amazon Video addresses this, the main web tool is encrypted video streaming, like RTMPS. You can set up a backend like Red5 Pro to help with this, though it can get spendy. While @rapropros is correct that an attacker with your binary can in principle see everything, the most common attackers engage in social engineering or in “script kiddie” use of off-the-shelf attacking software. So hardening your profile against those attackers might help.

In other words: (1) don’t store any protected content locally, and (2) transfer data to the device in a way that is hard to sniff. How much money and time should you sink into that? I’m still trying to answer that question myself.