I realize that 100% code obfuscation is impossible, but I'm trying to prevent as much as possible someone from stealing a hybrid HTML Cordova / PhoneGap app by downloading the package from the app store and opening it.
I've seen a few posts that say their iOS app has been rejected due to code obfuscation, like this one:
AppStore rejected because of code obfuscation and selector mangling: none is done in the app
Obviously, I don't want my app rejected so I am wondering what kind of obfuscation is allowed by iOS and Android?
In Android, it can done by Proguard.
Follow this link for more details - https://developer.android.com/studio/build/shrink-code
You can use ProGuard for this but then take a look of Activities that use AsyncTask. Obfuscation and AsyncTask often results in NullPointerExceptions. Just for your information :)
Google PlayStore has no rules that prohibit code obfuscation for Android, you can feel safe about this platform. As for Apple, they are much more sensitive to hidden use of undocumented APIs by selector mangling and code obfuscation. But speaking of Cordoba, there should be no problem if you protect the JavaScript code of your app (see also https://stackoverflow.com/a/57662061/192373).
You can find quite a few payed solutions for both Android and iOS if you search for "cordova obfuscation".
Related
Apache Log4J vulnerability https://www.csoonline.com/article/3644472/apache-log4j-vulnerability-actively-exploited-impacting-millions-of-java-based-apps.html is impacting a number of cloud services.
I am using log4j in my Android application.
How does it impact it or is there no impact at all?
I am assuming since the malicious actor could only run local scripts, it should not be an issue but I wanted to confirm.
Seems like Android apps are safe since JNDI isn't available on Android. I believe the following tweet was the first online mention of the vulnerability, and on the bottom of the second screenshot it says "Java's JNDI is not available on Android".
https://web.archive.org/web/20211209230040/https://twitter.com/P0rZ9/status/1468949890571337731
(original tweet got deleted https://twitter.com/P0rZ9/status/1468949890571337731/photo/2)
I just read these topics:
Is there a way to get the source code from an APK file?
How to avoid reverse engineering of an APK file?
...and realized that you can't develop an android program without being possible for its .apk file to be reverse engineed.
You can use Proguard and tricks but still your code will not be completely hideable.
So if you want to make an app completely close-source what you have to do?
For example, what Facebook and Snapchat and Messenger (e.g) did so their source codes are not accessible?
Also, another question: if you upload your app on google play, then a user can get your .apk?
Thanks in advance!
Every app may be reverse engineered.
The difference is only time needed to do it.
Proguard is a minimal solution whish requires minimal efforts and provides a level of protection that is enough in most cases.
You may also use other obfuscation tools (for example, DexGuard).
Another way is making shared libraries with Android NDK and using it. Reverse engineering of native binaries is usually more difficult than Java classes.
Probably the only way to completely protect your algorithms is to remove them from user's device - move to a server. In that way application will do a requests, but computation will be performed on your server.
As for extracting APK - it is possible, as Giorgos Pippos wrote.
From what I know, there are programs you can use to extract an apk from your phone. For example APK Extractor is listed in the Play Store.
You can use this kind of apps to get the apks you want.
i am developing an mobile application(using Cordova and JQuery mobile) and i found that ios,android can anyone view my source code as is !!!
this is very dangerous for me , so i have used Cordova plugin for that
cordova-plugin-crypt-file
and it's pretty simple and good for ios , but for android i got problem with ajax and it's not work any more and always gave me 404 http error but ios using same everything works just fine
so my question is : how can i secure my source code with effecting other's
thank you
A lot of people have asked this type of question and basicaly you cannot get full protection on your app.
You can do a combination of the following
Obfuscate - there are reverse obfuscators
Encrypt - you may need to keep the encryption JS and the key on the app, unless you make the app connect online every time it is opened. If you are doing this anyway then is may be better to port sensitive code online and run it there. If your app decrypts the code at run time then someone may still see it via developer.
Paid protection
None of these will completely protect your code but the latter probably does the best. You do have to pay and I have not seen any independant write up on its efficacy. If you look at the links below have a look at the encryope ios one, this is the best so far.
Here are some links to other question on this
obfuscate
encrypt
encrypt ios
paid
in my case i have an Hybrid Mobile App with Cordova.
How can I avoid changes to my javascript/AngularJs if someone download my *.apk or *.ipa and try to use it with a browser ?
I want to encrypt my source javascript code or if possible want to full content in *.apk.
A way to avoid other person make changes in your code is minify and obfuscate the javascript files.
Here you can test it by yorself.
But if you want to minify all the javascipt files of your project, i suggest you to use some task runner like grunt with Uglify.
To avoid unwanted requests you have to configure Cross-origin resource sharing (CORS) in your server.
While most people will agree that Javascript encryption is not a fool-proof method, there are a few cases where increasing the efforts required and slowing down the attacker often helps. You can check tools like refresh-sf, Uglify and also obfuscator.io for code obfuscation. However, basic encryption and obfuscation practices don’t prevent people from lifting and using your code, and considering the advanced cyber-attacks happening these days, hackers already have a way around such practices.
My suggestion would be to invest in mobile application security tools like Arxan, AppSealing, or Appdome to apply a robust security architecture on your application. Having personally used AppSealing, I can say that they have regular updates and definitely keep you guarded from the latest attacks. Their framework is integrated directly in your apk so there’s no additional coding required. I would suggest you look for such mobile app security solutions for a more robust security architecture. I am sure there must be more solutions apart from the ones I have mentioned above. Just research and pick the one that suits your requirement and budget.
First of all minify all your js file into one single bundle.js and use cordova-anti-tampering plugin. if somebody tries to tamper your apk and rebuild the apk app will get crashed.
This plugin will create hash value for all the files. if you want to secure your app more You can store these hashvalues to server once and check your files hash values with server stored hash values.
I have my native android app in play store, in recent days my app gets multiple request frequently from a particular user, for time being in have blocked that particular device id, i fear would be there any chance to crawl my app?
Is there any way of crawling android app content?
Of course there is! You can open your APK like any zip archive and open whatever you want. You can use aapt tool from Android SDK to replace some parts. And you can decompile your code using undex tools. It will not be exactly what you used, but they will be able to modify your application.
You can do it harder for them, if you use some obfuscation tools like Proguard. You cannot prevent completely revealing your code however. It is much harder to disassemble native code, but still possible. Make sure you do not compile symbols for all functions into release library. See http://www.ibm.com/developerworks/aix/library/au-aix-symbol-visibility/ for examples.
If you have something really valuable, only secure way it to process data on your secured server without giving your code to the user. All code you give on the user's device can be decompiled. It differs only by how hard it is and how much he has to spend to do that.
I may not have understood what you meant by crawl your app though.