Login/Register
phonegap copy-protection
Asked Answered
Solved cordovacopy-protection
A

3

7

I'm working on a phonegap-app for Android/iOS.

If I understand correctly, if someone opens up a phonegap-app package, he can just copy the html/js/css into a phonegap-app of their own. That is something I would like to make more difficult.

My app works without the need of an active internet connection, and I would like to keep it that way.

The best solution I can think of is to store (parts of) the (40) HTML-files in native Java/ObjectiveC variables and retrieve them using javascript and a custom Phonegap plugin. This way, the HTML will get encrypted too when creating the app.

Is this a viable solution or a waste of time?

Acanthocephalan answered 27/8, 2012 at 11:45 Comment(0)
S
5

If something is valuable enough to be worth protecting people's access too (e.g. authentication details), then putting it into some compiled code that they have is not secure enough.

Otherwise, just what do you have in the HTML, Javascript and CSS that is so valuable? It can't be the code itself, because if they can't copy it they can just look at it, go "oh, that's a good idea" and copy the idea without looking at the code. The good ideas are more valuable than the lines of code, and you can't hide them, this way. In this case, you've made life harder for you to a greater extent than you've made it harder for them.

Shredding answered 27/8, 2012 at 12:17 Comment(4)
In this app, I think the html is the most important part. It's a series of language exercises, where questions, correct answers and feedback are stored inside the html, and the functionality is pretty simple. And you are right, I wouldn't want to make my life harder then theirs. Since I'm new to these kind of problems, I was just wondering if anything could be done without too much hassle. You seem to suggest that 'hassle' in my solution would be written with a capital H.... Mind you, I'm not looking for an ultimate secure solution.Acanthocephalan
Maybe do something like have the correct answers in the javascript as "\u0041\u0042\u0043" instead of "ABC" or in the HTML as "ABC". That'd only slow-up a code-savvy person for less than a minute, but it'd stop a less code-savvy kid trying to sneak "at the back of the book", so to speak.Shredding
Thanks Jon, that would be good if I was interested in making it hard for someone to get to the right answers. However my main interest is in finding out a way to make it difficult for someone else to just copy the html/js/css-content into another phonegap-app. The more I read about it, the more it seems that the best solution is either to do nothing or to go all out and set up a database and load encrypted data from there.Acanthocephalan
Pretty much. How long would it take you to copy all the stuff on this page, less than an hour maybe? Now, how long would it take you to have a working copy of the site? Much longer. Of course, if one of us did do such a copy, SO would then take the old-fashioned non-technical solution (suing us into the ground).Shredding
O
12

This is one of my favourite answers from the PhoneGap Google Group by Kerri Shotts. I like it because she encapsulates my thoughts on the matter but does it more eloquently than I could:

Not really. Yes, you can obfuscate it, but I could decode it. You can encrypt it, but that means the key is in your code somewhere, which means I can also unencrypt it. Once I have the device and your bits, I can do anything I want with them.

Remember: the device and OS are not there to protect the app from your users. It's there to protect your users from your app. Totally different side to security.

Keep in mind this is largely true of native apps. Give me a Java or ObjC program and I can work out what it does easily enough as well. Furthermore, in most platforms, all the graphical assets are just regular files, which mean they are easily copied.

This is why there are so many pirated/cloned apps out there. And ultimately, as long as I have the bits to your software, there's nothing you can do about it. All you can do is make it "harder" for the user -- and that level of "hardness" is proportional (if not exponential) to the effort required to make it "harder" for the user. That is, if you make it so that 90% of users can't crack the system, that's one level of difficulty in hardening the app; to then make it so that 99% can't crack it requires a significant leap in programming difficulty.

You can, of course, create on-the-fly decryption routines in native code that read an encrypted www/ folder. If you want to do that, go ahead. (A hacker can still get around it. There's /always/ a way.) Am I willing to go that far? Nope. It's not worth my time or effort, especially when it won't protect me from the ones who are really interested in clobbering me. [Another issue: should PG do this? NO. Only a security expert, and most developers aren't.]

Do I take a pessimistic view on security? Yes. If you distribute the bits, you lose the security. Therefore, if you need the workings of the app to be very secure, those workings should be off-device on a very secure server somewhere behind several very secure firewalls with goodness-knows how much security in between to make sure no one could ever guess how the app is even authenticating to this server.

I say all this simply because I don't believe it is worth the effort for most apps to worry about the fact that the www/ folder is visible and exposed. I'd go so far to say that for 99.99% of apps this is true. Unless you're working in healthcare (and logging sensitive information) or government or banking (with actual banks), you don't need to be worrying about it. And if you are, should you be using PG? Furthermore, should you even be on the mobile device at all? Better in my opinion to be a webapp that has very little client code and is essentially a black box.

Obstetric answered 27/8, 2012 at 14:8 Comment(1)
Thanks Simon. I guess I should learn to stop worrying (and love the bomb)Acanthocephalan
S
5

If something is valuable enough to be worth protecting people's access too (e.g. authentication details), then putting it into some compiled code that they have is not secure enough.

Otherwise, just what do you have in the HTML, Javascript and CSS that is so valuable? It can't be the code itself, because if they can't copy it they can just look at it, go "oh, that's a good idea" and copy the idea without looking at the code. The good ideas are more valuable than the lines of code, and you can't hide them, this way. In this case, you've made life harder for you to a greater extent than you've made it harder for them.

Shredding answered 27/8, 2012 at 12:17 Comment(4)
In this app, I think the html is the most important part. It's a series of language exercises, where questions, correct answers and feedback are stored inside the html, and the functionality is pretty simple. And you are right, I wouldn't want to make my life harder then theirs. Since I'm new to these kind of problems, I was just wondering if anything could be done without too much hassle. You seem to suggest that 'hassle' in my solution would be written with a capital H.... Mind you, I'm not looking for an ultimate secure solution.Acanthocephalan
Maybe do something like have the correct answers in the javascript as "\u0041\u0042\u0043" instead of "ABC" or in the HTML as "ABC". That'd only slow-up a code-savvy person for less than a minute, but it'd stop a less code-savvy kid trying to sneak "at the back of the book", so to speak.Shredding
Thanks Jon, that would be good if I was interested in making it hard for someone to get to the right answers. However my main interest is in finding out a way to make it difficult for someone else to just copy the html/js/css-content into another phonegap-app. The more I read about it, the more it seems that the best solution is either to do nothing or to go all out and set up a database and load encrypted data from there.Acanthocephalan
Pretty much. How long would it take you to copy all the stuff on this page, less than an hour maybe? Now, how long would it take you to have a working copy of the site? Much longer. Of course, if one of us did do such a copy, SO would then take the old-fashioned non-technical solution (suing us into the ground).Shredding
W
-1

This is the Best plugin for Cordova/PhoneGap app source code security. try this plugin: cordova plugin add https://github.com/tkyaji/cordova-plugin-crypt-file.git

Wendy answered 25/2, 2019 at 19:16 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.