Question: Source Code Stolen?

Is it possible that the www directory from my Ionic-generated app could be stolen and recompiled via Android Studio with Capacitor, with some things changed, like the logo, and a keylogger injected into index.html?

Is that possible, and is there a way to prevent it?

Thanks in advance

I guess so, but if you’re distributing the app via the Play Store whoever hypothetically did this wouldn’t be able to spoof your keystore.

Yes, it’s possible, but I wouldn’t consider it something to worry about.

Aside from not distributing your app, no.

Thank you for your answer. I think we will need to treat our Ionic app as MORE than public, unlike a website, which is stored on the server: it is possible to take a look at its source code, but it is not easy to modify it, recompile it and upload it to a fake app store or a third party such as apkpure.

Added!
For Ionic Enterprise, do you have a metadata lookup for the app version, APK details and creation timestamp that would help to add to a secured server that verifies the version before executing any request?

Also, I am interested in Ionic Secured Storage.

First of all, I don’t work for or speak for Ionic. I also never have been a client of any of their enterprise products, so I haven’t the faintest clue about what they even are, much less what they do.

I’m not sure what your first paragraph means, but if you’re saying that you should design your app such that it works securely even if potential blackhats have access to the entire source code for it, yes, I agree with that. Fortunately, it’s fairly simple to do that, and the things to consider are the same as with any app that runs on untrusted hardware.

This concerns me. Self-submitted version numbers constitute zero security. I would suggest thinking in terms of actors, not programs. If I were in your situation, I wouldn’t care one iota what client app a user wanted to use. I only care that I’m providing access to Alice’s account to Alice and Alice only. Alice might care whether she’s using the official version of my app or not, but that’s a totally separate problem that by definition cannot be addressed from within the code of the app. That’s why Google and Apple have their code signing processes.

So I would suggest having a middleware server that is under your control that talks to a database also under your control. The app submits usernames and passwords or whatever other authentication secrets you might employ: however, it is absolutely critical that these secrets are linked to the user and not the app binary. Do not hardcode any secret strings or encryption keys in the app binary, period. The middleware server returns a JWT that the app can store locally for however long you deem appropriate. Further communication with the API to secure areas of your backend can be restricted by that JWT, so that the backend knows that a request for Alice’s inbox can safely be returned because it came with a properly signed JWT containing Alice’s identification.

Bear in mind that it is intended to treat a completely different attack vector, one where Bob grabs Alice’s phone and steals the JWT used to interact with your backend. Now Bob can impersonate Alice as far as your system is concerned. That’s a categorically different concern than somebody “stealing” your source code.

As I’ve said repeatedly on this topic, “how do I protect my intellectual property in an Ionic app” is fundamentally a legal, not a technical question.

2 Likes

I am so grateful to you as moderator; that is the most detailed reply I have ever seen.

I’ll generalize for such a situation where source code is stolen and passed off as legitimate, should it occur.

The thread will close and I will accept your answer.

Thanks @rapropos