Hello guys, I am using Ionic 2 and I have placed json in assets folder. I have successfully compile the code and created apk.
Now the problem is if some technical/wise user extract apk using winrar, It shows assets folder in extracted files but I don’t want to public that JSON file. I want to hide json somewhere in apk which user cann’t access.
Please Help!!!
Not possible. Anything your app can read, so can the device owner.
OOPS!! Any other idea to protect json file?
Simple - encrypt the data in the json file and decrypt the data when loaded.
Yeah that’s fine too But I have another Idea.
Add JSON to a json object in .ts file in provider and import it on page where I want to add it.
Anyways, Thanks brother.
Well you can still read the json from the minified main.js file.
Not simple, and won’t work. The decryption key must be in the app binary somewhere.
Also won’t make any difference.
Again, if the app can read it, so can anybody with a copy of the app package. Period.
Hmmm. Now what can I do?
Means native apps also unable to hide json files or other files?
We’ve decided on the following security plan:
All real security is on the server side, and the most critical part is behind Firebase/Google, which we assume to be a hardened gateway. We have a directory on the server that the client cannot read, which lists the user id’s with administrative access. The server enforces these rules, and also reports to the client if an admin signs into the app. Then the client (i.e., the app) exposes edit and delete buttons that a standard user can’t see. Someone who hacks the app could expose the buttons anyway, but would be unable to delete, because the server would not permit it. Finally, the admin accounts all have two-factor authentication enabled.
So the role of the client side of security is cosmetic, while the role of the server side is to enforce rules.
Re: your JSON file: it depends what you need it for. But in general, people make money on the internet by giving a lot of stuff away, and then offering things for sale on top of that. So you might not need to protect as much information as you think you do.
Yes. Listen to @AaronSterling. This can only be done server-side.