Change APK extension to ZIP and whole code is visible..!

Hello, I am developing apps using ionic and phonegap from last few months since I found it very easy to code apps using ionic framework especially power of angular js nd ngCordova.
Few days back something popup in my mind so I tried to rename build apk file extension to zip format and then I extracted the zip file.
I was surprised that my whole code was visible. HTML, JS, CSS Everything was there as it is.
It was not much tuff for anyone to create a project just like me using my all credentials which I stored in JS files.
However, When I tried same with a Native Android APK file. I got nothing. I mean to say there was no source code directly available when unzipping a native apk.
Can someone draw me and users like me to a path where our code meets security what actually we get when building native apps.

1 Like

I looked into it but it does not seems much useful. Is there anyone who could workout on this topic?

Including credentials in source code is a bad practice. A Cordova application uses html, css, and javascript to build the user interfaces, so that will be available inside the APK. Your best bet is to minify/uglify it, but storing any type of credentials is bad. It is no different than a standard web application in that respect, and you must use the same patterns as you would in a web based application. You’d never store sensitive information in the html, js, or css of a web application, so you should not in a Cordova app either. You should use standard security schemes like OAuth, Secure Sessions+tokens etc.

Hello Nik,
I agree what you posted. But is it really rare to find a proper solution for this issue?
I mean I am new to this but I posted my query here coz I though there must be someone who have a resolution to this issue and somehow we could be able to create apk file just like native app development for android.

The apk that is created by cordova is 100% a native app, but the user interface is a webview that uses html and javascript. Storing anything sensitive in a client side app is an anti-pattern, whether the app is java, C, C++, Python, html, etc. I would strongly recommend against it. I don;t really have anoterh recommendation for you other than uglifying your www folder.