9

Is there a way to prevent reverse engineering of an Ionic mobile application? As mentioned in the Android forum, I've activated ProGuard and built the application in Eclipse. A file called proguard was created in my bin folder. It contained something like this:

    # view AndroidManifest.xml #generated:6
    -keep class com.fg.lolc.CordovaApp { <init>(...); }

But I could still reverse engineer the app, and I was able to get the code from my APK. Is there a way to prevent this and improve the security of the Ionic application? Thanks.

Alex Filatov
CraZyDroiD

2 Answers

10

Nope, it isn't possible to prevent this. You can encode your JavaScript to make it a little harder to get the code, but there are always ways to reverse that. The web is not a secure place for source code, it is open for all.

Here is a good post about different ways to 'encrypt' your source code, to make it harder to read.

http://www.justbeck.com/three-ways-to-encrypt-phonegap-and-cordova-mobile-applications/

Related: How to avoid reverse engineering of an APK file?

Community
Jeremy Wilken
  • You might also check out this: http://blog.nraboy.com/2014/11/extract-android-apk-view-source-code/ – Nic Raboy Dec 09 '14 at 15:25
  • Hey Jeremy, why don't you discuss this in the Ionic Book? I recently posted the question on chapter 6. Thanks for the feedback, although I wasn't able to resolve that. Working on a different app. – Mukus Aug 06 '15 at 01:53
  • I could have discussed it, though it isn't something that I considered a requirement. I wanted to keep the book focused, so it didn't make the cut. – Jeremy Wilken Aug 19 '15 at 20:39
3
If you want to secure your Ionic app from reverse engineering and fully secure the source code, I recommend two steps.

First, enable ProGuard in the Cordova/Ionic project.

1. To implement this, open /platforms/android/project.properties and uncomment one line by removing the “#” at the left:

    #proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt

2. Copy proguard-custom.txt from https://github.com/greybax/cordova-plugin-proguard/blob/master/proguard-custom.txt to $android/assets/www/proguard-custom.txt. Remove the '#':

    #-keepclassmembers class android.webkit.WebView {
    # public *;
    # }

3. Add snippet from to build.gradle. Find buildTypes with Ctrl + F and add it like this:

    buildTypes {
        debug {
            minifyEnabled true
            useProguard false
            proguardFiles getDefaultProguardFile('proguard-android.txt'),
                    'proguard-rules.pro'
        }
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'),
                    'proguard-rules.pro'
        }
    }

Second, use cordova-plugin-crypt-file to obfuscate or encrypt your code, like build/main.js.

1) Install: cordova plugin add cordova-plugin-crypt-file
2) plugins/cordova-plugin-crypt-file/plugin.xml

Using the reference of cordova-plugin-crypt:

    <cryptfiles>
        <include>
            <file regex="\.(htm|html|js|css)$" />
        </include>
        <exclude>
            <file regex="exclude_file\.js$" />
        </exclude>
    </cryptfiles>

Final step: ionic cordova build android --release

Now extract your APK or try an APK decompiler (http://www.javadecompilers.com/apk).
Manoj Bhardwaj
  • Thank you so much for your explanation! Helped me out to get started and add a bit of security to my work. Had to disable the "minifyEnabled" part of proguard cause it leads to failures. I also had to quickfix the cordova-plugin-crypt-file plugin found here: https://github.com/tkyaji/cordova-plugin-crypt-file/issues/59 – Nightking Mar 24 '18 at 15:32
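The final "extract your APK" check from the second answer can be automated as a release gate. The script below is an added example, not code from either answer or from the plugin: it opens an APK as a zip, applies the same include/exclude patterns as the `<cryptfiles>` block, and lists web assets that still ship as readable source. It assumes encrypted assets are stored as a single base64 blob, and the sample APK is constructed in memory.

```python
import base64
import io
import re
import zipfile

# Patterns copied from the <cryptfiles> block in the answer above.
INCLUDE = re.compile(r"\.(htm|html|js|css)$")
EXCLUDE = re.compile(r"exclude_file\.js$")
WWW_PREFIX = "assets/www/"  # Cordova's web asset directory inside the APK
# Assumption: an encrypted asset is one base64 blob with no readable source.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/\r\n]+={0,2}\s*")


def looks_encrypted(data):
    """True if the file content is nothing but base64 text."""
    return len(data) >= 16 and B64_BLOB.fullmatch(data) is not None


def plaintext_assets(apk):
    """Return in-scope web assets that still ship as readable source."""
    findings = []
    for name in apk.namelist():
        in_scope = (name.startswith(WWW_PREFIX) and INCLUDE.search(name)
                    and not EXCLUDE.search(name))
        if not in_scope:
            continue
        data = apk.read(name)
        if data and not looks_encrypted(data):
            findings.append(name)
    return sorted(findings)


def build_sample_apk():
    """Constructed sample: an in-memory zip laid out like a Cordova APK."""
    blob = base64.b64encode(bytes(range(48)))  # stands in for ciphertext
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/www/index.html", blob)
        z.writestr("assets/www/build/main.js", "function login(u, p) { return api(u, p); }")
        z.writestr("assets/www/exclude_file.js", "console.log('left clear on purpose');")
        z.writestr("assets/www/img/logo.png", b"\x89PNG\r\n")
        z.writestr("classes.dex", b"dex\n035\x00")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    for path in plaintext_assets(build_sample_apk()):
        print("readable source in APK:", path)
```

To check a real build, pass `zipfile.ZipFile("app-release.apk")` (a placeholder file name) to `plaintext_assets` and fail the build if the list is not empty.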