Prevention of Copycats/Securing Ionic Apps


#1

Hi,

I’d like to collect some ideas about what you guys do to ensure nobody just copies your app, modifies it (e.g. replacing bundle id, AD ids, IAP ids, …) and puts it online as a copied version.

Do you know any good resources about that topic for cordova/ionic apps?

So what I’m doing so far:

  • encrypting AD/IAP ids
  • encrypting all values stored to the DB
  • highly obfuscating this encryption/decryption logic and anything closely related
  • enabling ProGuard for the app

Any other ideas/best practices I missed?

Greetings


#2

None of that will prevent someone from copying your app; it will just make it a tiny bit harder, unfortunately.


#3

Yes, I know @Sujan12. The idea is just to make it as hard as possible, as always in security topics… The more time they need to invest and the more complicated it gets, the more unlikely it will be. But sure, there’s never a 100% solution and there is always a risk.


#4

Does that protect your html source code?

You could make a request to a server in your code and not start the app if it is called; with uglify it would be difficult to restore (unless they like using the debugger). (Use --prod --release when building it.)


#5

One way to make it harder is to move as much logic and as many credentials as possible to your server, so you have a point where you can block or redirect requests. If your app talks to an API, don’t talk to it directly but via a simple file on your server.


#6

No, ProGuard does not protect the HTML/JS/CSS. But it makes the native stuff harder to mess with. (And it additionally makes the app size smaller.)


#7

And what if you download the HTML/CSS/JS assets package from the server and unpack it (encrypted, session based, etc.)?

The hacker then needs to take the assets from memory/the webview.

Slows the UI, but seems the most secure.


#8

I’m pretty sure this will not pass at least the iOS review :wink:


#9

I think I will download the apk of a bank which uses webviews to see how they do it…


#10

I once saw a gulp plugin that does some JS encryption using AES. It generates a byte array with encrypted data. I made a couple of experiments but didn’t find a reliable way of recovering the encryption key without exposing the logic behind that endpoint.


#11

Btw, how come the DevApp from Ionic and PhoneGap have gone through the store?

They basically do the same, just unsecured.


#12

Maybe because this is the intention of the app, clearly outlining it and only serving stuff the user has on his local network… I guess.


#13

There are numerous articles on the internet which point out that you most likely don’t need to worry about copycats. So instead of worrying about copycats, you should focus on building your brand and the best app you can come up with.


#14

The Securing a PhoneGap/Cordova Hybrid Mobile App article by Rob Laurer provides some good examples like uglifying your code or using a service to scramble it.

Hope this helps. Though I wouldn’t go nuts, since copycats can just create a new app off your current one by copying its look and features without ever viewing/copying any of the underlying code. In my opinion the hardest part of app development is coming up with the idea. Therefore, I suggest copyrighting your app and then suing anyone who creates a knockoff that can cost you business.