As you know, unzipping the APK file will easily show all your WWW files. This is a nightmare. All my API keys are exposed there. I was reading a lot and found that what most people do with Ionic projects is obfuscation. I also heard about ProGuard for Android, but I haven’t succeeded in getting it working with Ionic. In this topic, the OP is having the same issue as mine:
So, what do you do to mitigate this issue, and can you share an updated tutorial for it?
There is nothing you can do to truly “secure” an app. It’s analogous to somebody having physical access to a piece of hardware. They have physical access, they can get in.
You can obfuscate but since they ultimately have access to the APK this won’t ultimately do much. The best solution is to move any kind of true authentication onto a server. Something that no user will have physical access to.
Thanks. I did actually search about this before, and I think you mean something like creating an API on the server that handles these requests for the app and returns the results through AJAX?
My understanding is that JWT will help in authenticating requests by creating tokens. Most articles explain how to use it for the login process.
Would you please explain how JWT would apply to my situation? I do not have a login. I just want to protect API keys that are stored in my app. These keys are mostly the WooCommerce key, Parse Server key … etc. that my app uses to communicate with these services.
Joshmorony has great stuff on security and JWT. But if you insist on not having a server endpoint to do the token (and some sort of authentication), then I believe the only way to store keys in a web app is by making some sort of native Cordova plugin? Don't think the source of a proprietary plugin is exposed in an APK.
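The "move it onto a server" suggestion from this thread, sketched as an added example that is not any poster's code: the app calls your own endpoint without any third-party key, and the server attaches the key before forwarding. The route allowlist, the upstream base URL, the sample key values and the use of HTTP Basic auth toward the upstream are all assumptions for illustration.

```javascript
// Added example: server-side request builder for a key-hiding proxy.
// Routes, upstream URL and key values are constructed, not from the thread.
const ALLOWED = [
  { method: "GET", pattern: /^\/products$/ },
  { method: "GET", pattern: /^\/products\/\d+$/ },
  { method: "POST", pattern: /^\/orders$/ },
];
// Headers the app may pass through; anything else (including Authorization) is dropped.
const PASS_HEADERS = new Set(["accept", "content-type"]);
// Query parameters the app may set; key-like parameters never pass.
const PASS_QUERY = ["page", "per_page", "search"];

function buildUpstreamRequest(appReq, secrets) {
  const method = String(appReq.method || "").toUpperCase();
  // Parse against a dummy base so dot-segments and the query string are normalised.
  const url = new URL(appReq.path, "http://app.invalid");
  const rule = ALLOWED.find(r => r.method === method && r.pattern.test(url.pathname));
  if (!rule) return { ok: false, status: 403, reason: "route not allowed" };

  const headers = {};
  for (const [name, value] of Object.entries(appReq.headers || {})) {
    if (PASS_HEADERS.has(name.toLowerCase())) headers[name.toLowerCase()] = value;
  }
  // The secret is attached here, on the server; it never ships inside the APK.
  const basic = Buffer.from(`${secrets.key}:${secrets.secret}`).toString("base64");
  headers.authorization = `Basic ${basic}`;

  // Only the validated pathname is reused, so the app cannot redirect the call.
  const upstream = new URL(secrets.baseUrl + url.pathname);
  for (const p of PASS_QUERY) {
    if (url.searchParams.has(p)) upstream.searchParams.set(p, url.searchParams.get(p));
  }
  return { ok: true, method, url: upstream.toString(), headers, body: appReq.body ?? null };
}

// Constructed sample: in a real deployment these come from server-side config.
const demoSecrets = {
  baseUrl: "https://shop.example/wp-json/wc/v3",
  key: "ck_constructed",
  secret: "cs_constructed",
};
console.log(buildUpstreamRequest({ method: "GET", path: "/products?page=2" }, demoSecrets).url);
console.log(buildUpstreamRequest({ method: "DELETE", path: "/products/5" }, demoSecrets));
```

Because the proxy itself is reachable by anyone who unpacks the app, the allowlist is what limits exposure: only the listed operations can be performed with your key, and rate limiting or user authentication can be layered on the same endpoint.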