Is my ionic app safe?

hi it is always my question and worries about
is ionic application secured? is that possible to crack the ionic app and get the inside code or sth like this for example if my code is like this(add a service to my app)

    import { Injectable } from '@angular/core';
    import { HttpClient } from '@angular/common/http';
    import { Observable } from 'rxjs';
    import { map } from 'rxjs/operators';
     
    @Injectable({
      providedIn: 'root'
    })
    export class EncryptionService {
    
      url = 'https://api.amnas....com';
       api-key='......'

      constructor(private http: HttpClient) { }
     
        newcheck(checkid: string ,cost: string,toname: string,tocode: string,passcode: string,date: string,checkfor: string,back: string): {
        return this.http.get(`${this.url}?key=${this.api-key}&checkid=${encodeURI(checkid)}&cost=${encodeURI(cost)}&toname=${encodeURI(toname)}&tocode=${encodeURI(tocode)}&passcode=${encodeURI(passcode)}&date=${encodeURI(date)}&checkfor=${encodeURI(checkfor)}&back=${encodeURI(back)}`);
    }
    
   
    }

is that possible for anyone to crack my export app(apk) and extract api-key?

I know it’s been several months, but in case you were still wondering, yes it is possible to decompile an APK and extract api keys and other strings. Any client environment should be considered insecure (aka hackable).

Typical solutions are to proxy the request through a backend that inserts the api key/secret or use vendor-provided tools to lock down or rate-limit the key (ex: Google Maps provides an option to restrict the key when a specific Referer header is not present). Of course, if your app is fully public (no login/auth mechanism), then a proxy could still be exploited.

1 Like

@MesbahM has completely nailed the actual question here, so I’d just like to mention that HttpParams presents a much more readable alternative to the method OP is using to create that monstrosity of a URL.