I am developing a mobile application (using Cordova and jQuery Mobile) and I found that on iOS and Android anyone can view my source code as is!
This is very dangerous for me, so I have used a Cordova plugin for that:
cordova-plugin-crypt-file
It's pretty simple and works well on iOS, but on Android I got a problem with AJAX: it does not work any more and always gives me a 404 HTTP error, while on iOS, using the same setup, everything works just fine.
So my question is: how can I secure my source code without affecting others?
Thank you.
A lot of people have asked this type of question, and basically you cannot get full protection on your app.
You can do a combination of the following:
Obfuscate - there are reverse obfuscators
Encrypt - you may need to keep the encryption JS and the key on the app, unless you make the app connect online every time it is opened. If you are doing this anyway then it may be better to port sensitive code online and run it there. If your app decrypts the code at run time then someone may still see it via developer.
Paid protection
None of these will completely protect your code but the latter probably does the best. You do have to pay and I have not seen any independent write-up on its efficacy. If you look at the links below, have a look at the encrypt ios one; this is the best so far.
Here are some links to other questions on this:
obfuscate
encrypt
encrypt ios
paid
I have developed an app using Rhomobile, which is for building cross-platform native mobile applications using web technologies: HTML, CSS, JavaScript and Ruby. Unfortunately I no longer have the source code, as I've lost it, but I have the APK that I built at the time. Several readings show it is possible to recover it by reversing the APK, which I did, but then in assets\apps\app I got YARV bytecode, which definitely needs to be restored to the Ruby source. I saw some tools like reversal, which is advertised as YARV to Ruby, but it didn't work for me. The YARV bytecode in the examples reversal gives is somehow different from what I found in the APK I pulled.
Mine is as shown below:
How can I recover it?
Please help with this.
No, it is not possible to recover the code.
For anyone who is trying to authenticate via firebase phone number using ionic, this post is for you.
I spent weeks trying to solve this problem for my own app, and have moved on to using email because solving the phone number problem was taking too much time, but I am making this post to save you from wasting your time on red herrings.
The Issue:
Phone number can only be used when attached to a url, so if you are making an ionic application through a website, phone number auth via firebase will work, however, if you are trying to do it on mobile it won't work because firebase requires a url attached and there are no urls in mobile apps of course (firebase).
Option 1: Plugins
So, the easiest option would be to look around for third-party plugins to implement phone number auth on. I believe there is a Cordova plugin for this (cordova-plugin-firebase-authentication), however that library is not compatible with Capacitor (compatible plugins).
There are a few other plugins that I tried to implement without much success. Notably, the (capacitor-firebase-auth plugin). It claims that phone auth works for ios and android, however, the actual method for doing that seems very complicated and follows a different path using .p8 codes that I was unable to follow-through with (confusion). And this plugin has some major limitations.
Option 2: In-App-Browsers
Since option one doesn't seem very feasible right now, the second option is to put code up on a website for phone number authentication and then open a browser within your app to authenticate. I spent a ton of time trying to get this method to work to no avail. It seems possible theoretically, but in practice, it is a mess. The biggest problem with this method is that what you want is to be able to run the signInWithPhoneNumber(phoneNumber, appVerifier) on your mobile app, because then your app treats users that have signed in through phone number like any other user and it makes general authentication much easier downstream in your application. However, in order to do that you need a verified appVerifier, which is of the class firebase.auth.RecaptchaVerifier. The firebase.auth.RecaptchaVerifier is supposed to run .render() to initiate the recaptcha problem and then run .verify() to verify a token that is given after the user does the recaptcha (documentation). I have tried to run .render() on a website and then .verify() on a mobile app, passing the token between the two. I am not sure why this doesn't work; it could just be a problem with my setup, but after trying for over a week on this method, I gave up on trying to get it to work. The token I pass just doesn't confirm. I don't know how these two functions work under the hood; there may be some identification system for each unique instance of firebase.auth.RecaptchaVerifier that is invalidating this method, I really don't know.
If you want to take a stab at this method, I recommend using the cordova plugin (it is compatible on capacitor projects) instead of an iframe or the capacitor browser plugin for in-app-browser to the website because it is easier to use and there is better functionality for passing data between the app and the website.
Option 3: Implementing Manually on iOS and Android
I haven't tried out this method, however, theoretically, you could go into your Android Studio and Xcode projects to actually write Swift and Java code following the Firebase instructions for Firebase phone auth (android tutorial) (ios tutorial). This would probably work, but I am not sure how you would notify your Ionic project to defer to the Swift and Java files when authenticating.
Please let me know if there are any methods that have worked for you or any solutions to the roadblocks I have encountered, this is what I've tried so far!
I am the OP. After doing more work I finally got the phone auth system to work using capacitor-firebase-auth (https://github.com/baumblatt/capacitor-firebase-auth). I also created a git repo showing my code example and how to use it: https://github.com/Darrow8/capacitor-phone-test
In my previous attempt, I was running into issues with getting cfaSignInPhone to work, but after more tweaking, it worked. Another major issue was getting firebase.auth().signInWithCredential to work. It turns out I had to combine the aforementioned capacitor-firebase-auth library with @angular/fire https://www.npmjs.com/package/@angular/fire
You can simply use cordova-plugin-firebase-authentication; it's compatible with Capacitor, and it works for me.
https://ionicframework.com/docs/native/firebase-authentication
I realize that 100% code obfuscation is impossible, but I'm trying to prevent as much as possible someone from stealing a hybrid HTML Cordova / PhoneGap app by downloading the package from the app store and opening it.
I've seen a few posts that say their iOS app has been rejected due to code obfuscation, like this one:
AppStore rejected because of code obfuscation and selector mangling: none is done in the app
Obviously, I don't want my app rejected so I am wondering what kind of obfuscation is allowed by iOS and Android?
In Android, it can be done with ProGuard.
Follow this link for more details - https://developer.android.com/studio/build/shrink-code
You can use ProGuard for this, but then take a look at Activities that use AsyncTask. Obfuscation and AsyncTask often result in NullPointerExceptions. Just for your information :)
Google Play Store has no rules that prohibit code obfuscation for Android; you can feel safe about this platform. As for Apple, they are much more sensitive to hidden use of undocumented APIs by selector mangling and code obfuscation. But speaking of Cordova, there should be no problem if you protect the JavaScript code of your app (see also https://stackoverflow.com/a/57662061/192373).
You can find quite a few paid solutions for both Android and iOS if you search for "cordova obfuscation".
I searched thoroughly for this and found info on preventing an iFrame, but not an Android or iOS app.
Basically, some blockhead decided to embed my website into his/her Android app and "enhance" it. I assume it's <webview>? (not experienced with Android yet)
Thought about claiming via copyright, but shutting it down via code would be better.
How do I stop them from doing this on an Android app? Is it with JS I can block it or block requests from the app?
Thanks
If you are hosting a public website there is no way you can do this.
You could try and do user agent detection, but that's just a hack that can easily be changed on the app developer's part and will also hurt users who are simply using Android phones from accessing your website.
It would be best to reach out to the developer. You should also realize that client side manipulation of CSS, etc. is not forbidden so really it would just come down to if he is claiming something to be his own in the copyright sense.
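The user agent detection mentioned in the answer above, as an added example that is not part of the original thread: a server-side check for the `wv` token that Android WebView places in its User-Agent and for a package name in `X-Requested-With`. The function name, signal labels and header samples are constructed for illustration; the `overridden` sample shows why the answer calls this a hack.

```javascript
// Added example, not from the original thread. All header values are constructed.
// Heuristic signals that a request comes from an Android WebView wrapper.
function classifyRequest(headers) {
  const ua = headers['user-agent'] || '';
  const requestedWith = headers['x-requested-with'] || '';
  const signals = [];

  if (/\bAndroid\b/.test(ua)) {
    // The first parenthesised group of the UA holds the platform tokens.
    const platform = (ua.match(/\(([^)]*)\)/) || [])[1] || '';
    if (/(^|;\s*)wv\s*(;|$)/.test(platform)) {
      signals.push('ua-wv-token');        // WebView on Android 5.0 and later
    } else if (/Version\/\d+\.\d+/.test(ua) && /Chrome\//.test(ua)) {
      signals.push('ua-legacy-webview');  // KitKat-era WebView
    }
  }
  // WebView has commonly sent the host app's package name in this header.
  // "XMLHttpRequest" (set by AJAX libraries) contains no dot and is ignored.
  if (/^[a-z]\w*(\.\w+)+$/i.test(requestedWith)) {
    signals.push('package:' + requestedWith);
  }
  return { embedded: signals.length > 0, signals };
}

const CHROME_UA = 'Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/88.0.4324.93 Mobile Safari/537.36';

const SAMPLES = {
  // Default WebView headers from a wrapper app (package name is made up).
  wrapper: {
    'user-agent': 'Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) ' +
      'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36',
    'x-requested-with': 'com.example.wrapper',
  },
  // Ordinary Chrome on Android making an AJAX call.
  chrome: { 'user-agent': CHROME_UA, 'x-requested-with': 'XMLHttpRequest' },
  // Wrapper that replaced its User-Agent: the server sees plain Chrome.
  overridden: { 'user-agent': CHROME_UA },
};

function demo() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, h]) => [name, classifyRequest(h)]));
}

console.log(demo());
```

A match is a hint for logging or rate limiting rather than an access-control decision, since in-app browsers of legitimate apps produce the same signals.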
I know that those kind of questions have been asked before, but I couldn't find a topic to help me.
I have been given an HTML5 game and I was asked to verify if I can run it on an Android tablet.
I'm a little bit confused about what I have to do. Should I create an Android project and import the file, or is there an easier way to create an APK?
Thanks for your help.
You could look at Apache Cordova. This is a powerful environment made to support app development in HTML5. As such you should be able to literally copy your game resources over, run a build and have a full-fledged Android app. Fun fact: provided you have access to OS X, Cordova will produce an iOS-compatible app too.
If your game consists of HTML, CSS and JavaScript, such that it can be run off a modern web browser with no special plugins installed, rest assured it can run on an Android tablet.
You could access it directly from the tablet's browser or you can make an app (packaged in an APK and installed from it) which does essentially the same, but with a great benefit: the web page and the app can communicate (via JavaScript), enabling a richer experience.
Example of such communication: you're making an app for a web forum, and the link for "compose new message" opens an Android activity for writing that POSTs the result to the server, instead of constraining you to write in a small web browser form.
For more information on the subject, check out Android API Guides for Web Apps.