Hello everyone!
Need help ASAP!
Are there any docs/tuts for making an app's source more secure?
There is a big security issue: the app source is readable by unzipping the APK file.
Please give any ideas to secure it.
I'm using a REST server for my backend.
There’s something called “obfuscation” which essentially means that the generated output is more abstract than the code you’ve written so it would be harder for others to understand it after decompilation.
I think in short, you cannot prevent reverse engineering, especially for what is essentially an HTML/JS/CSS application. As mentioned, you can obfuscate the code, but if someone REALLY wanted your app code, they could get it.
I quickly decided that the benefits Cordova/Ionic give me in relation to ease of cross-platform development far outweigh the negatives of the source code being basically openly available.
To be clear, this is not just a Cordova/Ionic issue, you can effectively reverse engineer any APK/IPA file, there are even online services that let you upload said package and they return the source, simple as that. As an example, I just decompiled the Android Twitter client via the form.
Ideally I would prefer the code wasn’t so available, but if anything this improved my focus for what I might consider security issues. The apps I have made also access a remote API and it is within this API that all of the security measures occur. I coded the app as if it were open source, so there are no shortcuts or cheats for security that can be hidden there.
Doesn’t really help you I know, but there we go.
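Treating the app as open source, as the reply above describes, can be checked before release by scanning the JS that gets packaged into the APK for values that belong only on the server. The following is an added example, not code from this thread; the rule names, patterns, file names and sample contents are all constructed assumptions.

```javascript
// Added example: scan the text assets that end up in the app's www/ folder
// for values that should only live on the server. Minifying does not remove them.
const RULES = [
  // apiKey: "...", clientSecret = '...', password: "...", accessToken = "..."
  { name: 'hardcoded-credential',
    re: /(?:api[_-]?key|secret|passw(?:or)?d|token)["']?\s*[:=]\s*["']([^"']{8,})["']/gi },
  // https://user:password@host/...
  { name: 'credentials-in-url',
    re: /https?:\/\/[^\s"'\/:@]+:[^\s"'\/@]+@[^\s"']+/gi },
  { name: 'private-key-block',
    re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g },
];

// files: object mapping a relative path to that file's text content.
// Returns one finding per match, never the matched secret itself.
function findEmbeddedSecrets(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const { name, re } of RULES) {
      for (const m of text.matchAll(re)) {
        const line = text.slice(0, m.index).split('\n').length;
        findings.push({ path, line, rule: name });
      }
    }
  }
  return findings;
}

// Constructed sample input standing in for a built www/ directory.
const SAMPLE_WWW = {
  'js/app.min.js':
    'var cfg={apiKey:"k3y-constructed-000111",base:"https://api.example.test"};',
  'js/sync.js':
    'const url = "https://admin:hunter2pass@api.example.test/v1";\n',
  // Clean file: credentials are only forwarded to the REST API, which checks them.
  'js/login.js':
    'function login(user, pass) { return post("/login", { user, pass }); }\n',
};

console.log(findEmbeddedSecrets(SAMPLE_WWW));
```

A non-empty result means something in the bundle is readable by anyone who unzips the APK, obfuscated or not, and the check it protects should move behind the REST API.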
Thank you everyone!
Anyway I get more than just a none of comments.
I guess I will use uglify, minify and so on, but there are no apps which are truly secured with them.
Because there isn’t really any concept of “source code” versus “object code” in an interpreted language like JavaScript. If the JavaScript can’t be read, the program can’t be run.
You can still obfuscate your code during the build process using either js-obfuscator or obfuscator from npm. You could probably even use both, sequentially, if their scrambling algorithms are any different. Well-obfuscated JS code is not much different than Java code compiled into pseudoassembly within .class files.
There is also a commercial solution called jscrambler.
There’s also an online tool to quickly paste JS code in and one-click obfuscate it, in case you want to test the waters.
I have no idea how/if obfuscating your code impacts performance, although I believe it shouldn’t affect it noticeably.
This is the best plugin for Cordova/PhoneGap app source code security.
Try this plugin: cordova plugin add https://github.com/tkyaji/cordova-plugin-crypt-file.git