I am using IBM workLight 4.0 version, currently i am developing a simple insurance applicatoin, everything is done well. After Android setup has taken, from the .APK (android setup file) i can extract the HTML5 and javascript source. I felt it is insecure from the hackers and might be missused by someone.
Can you please anyone can tell me how to secure code in Setup/deployment?
The answer to this is Obfuscate you code before you create an APK. For more information on obfuscation visit wiki.
I previous stackoverflow post tell how to do it for android. How to avoid reverse engineering of an APK file?
For Javascript obfuscation visit this stackoverflow question How can I obfuscate (protect) JavaScript?
And one more thing HTML cannot be obfuscated, you can see the HTML source and associated css by pressing F12.
Worklight 4.0 was still in use in 2013? :)
Android Proguard is unavailable to Worklight-based Android apps in Worklight v4 to v6.2 (current release).
The only way to add some degree of obfuscation to an Android app in Worklight is by using the Google Closure compiler. You can follow the steps to do so in the following blog post by Anton Aleksandrov: Obfuscating JavaScript code in Worklight applications.
Note:
Wikipedia defines code obfuscation in a following way
In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand. Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic, in order to prevent tampering, deter reverse engineering, or as a puzzle or recreational challenge for someone reading the source code. Programs known as obfuscators transform readable code into obfuscated code using various techniques.
Two important things to be noted from the above definition are
- The purpose of code obfuscation is to conceal its purpose, prevent tampering, deter reverse engineering or puzzle someone reading the code.
- Obfuscated code is difficult for humans to understand.
So basically obfuscating your code means converting it to a format that is difficult for humans to read. Not impossible. Just difficult.
Therefore - it is very important to understand that code obfuscation, especially in JavaScript, is a relatively weak security measure. Most modern web debugging tools are smart enough to "prettify" the obfuscated code reverting it to a much more readable (however still not original) format.
