This is really great, but I was concerned about one thing: if you can modify the code and store it, wouldn't it be editable for hacks, the kind that give you infinite lives on Candy Crush etc.?
So talking about security, it seems like it would make your app really not safe, unless you only cache in memory and download again every time you use the app (only in the meantime, before the store accepts your app submission and the user finally downloads it).
He wouldn't even need to do some sort of SQL injection to make your page full of bugs; he would just have to change the new files, since it's not yet built and it's only data. He would only need to do this on the local page…
Regarding your security concerns:
If a bad guy wants to change the source code of the app, it's always possible (native or hybrid). Therefore you have to add several layers of security to your application stack.
If he changes the source code, it affects only his own installation. To change the code for all users, the attacker has to hack the server.
App (hybrid)
Make heavy use of minification and obfuscation. There are a lot of tools out there. This will make it harder for an attacker to understand your code.
Do not store any sensitive data in plain text. Use crypto libs / plugins. For instance, instead of storing a password, just save the hash.
Implement a secure communication channel to your backend.
Backend
Never ever trust the data from the frontend, validate!
Use a well-known auth strategy.
App update on the fly
Use hash codes for every file -> now it's possible to check if the file was modified during the download phase.
Secure your update server.
Use a PKI, certs, etc. to ensure you're talking to the right server.
Keep the server simple and stupid: the server serves only static files (the updated files). No need for a database, scripting support, etc. --> This reduces the number of attack vectors.
Yesterday we released our previously internal approach to doing hot code push for hybrid apps as an open source native Cordova plugin for iOS and Android. It should work well with any Cordova/PhoneGap based app, with or without the Ionic framework.
We would welcome your feedback.