As you know, unzipping the APK file will easily show all your WWW files. This is a nightmare. All my API Keys are exposed there. I was reading a lot and found that what most people do with Ionic project is Obfuscation. I heard also about ProGuard for Android but I haven’t succeeded in having it working with Ionic. In this topic , the OP is having the same issue of mine :
So, What do you do to mitigate this issue and can you share an updated tutorial for it.
There is nothing you can do to truly “secure” an app. It’s analogous to somebody having physical access to a piece of hardware. They have physical access, they can get in.
You can obfuscate but since they ultimately have access to the APK this won’t ultimately do much. The best solution is to move any kind of true authentication onto a server. Something that no user will have physical access to.
My understanding is that JWT will help in authenticating requests by creating Tokens. Most articles explain how to use it for Login process.
Would you please explain how would JWT apply to my situation? I do not have Log-in. I just want to protect API Keys that are stored in my App. These keys are mostly WooCommerce key, Parse Sever key … etc that my App uses to communicate with these services.
Joshmorony has great stuff on security and JWT. But if you insist not having a server endpoint to do the token (and some sort of authentication), then i believe the only way to store keys in a webapp is by making some sort of native cordova plugin? Dont think the source of a proprietary plugin is exposed in a apk.