Source code can be viewed in the final APK file built with 1.8.1?


Today I found that if the APK is built with 1.8.1, the source JavaScript files are still included in the APK, with very few changes compared to the original source code. 1.8.0 works well. Is this a regression?

3 Answers

Also, in the released 1.8.2, the source code is encoded with BASE64, which can be decoded easily. For business applications, how can we use Titanium? Looking forward to the Titanium side giving out a workaround. Thank you very much.

Here is a ticket regarding this issue: https://jira.appcelerator.org/browse/TIMOB-7553

I'm not sure how security is implemented, but it seems that JS source code is inlined in Objective-C/Java code and compiled that way. That seems common practice (??), but I'm not so convinced that is secure.

— answered 2 years ago by Ivan Škugor
4 Comments
  • To my knowledge, 1.8.2 adds a new Java file, AssetCryptImpl.java, which contains the BASE64 string of each JavaScript file. You can easily decode the BASE64 string to get the file content. For example:

    Object localObject4 = localHashMap.put("app.js", "dmFyIGFwcD1yZXF1aXJlKCIvdWkvYm9vdHN0cmFwIik7YXBwLmxhdW5jaCgpOwo=");

    I built the APK with the "production" type.

    I don't think it is a good solution to solve this issue.

    — commented 2 years ago by Leoncin Lee

  • Yeah, I also wouldn't rely on security based on obfuscation.

    — commented 2 years ago by Ivan Škugor

  • Will be careful here, but the world of cracking is not new. Security is a myth. If it's in memory, it can be read.
    At the simplest of points, a simple binary switch in memory allows an app to be registered, or unregistered. The only way to protect your app is to never release it. The only way to protect your intellectual property is to forget it. However, that is impractical no matter how effective.

    Your full-out Xcode build and Java can be reverse engineered. True, it's not as easy to read as base64_decoding a Java file, but it can be done.

    The key is to slow down the thief. Make it cost ineffective to 'compete' with you by stealing your code.

    Appcelerator has admitted that the base64 method needs to be reworked. A solution is to use a full encryption module to wrap it all up in. The encrypt/decrypt key would be compiled into the binary. However, this isn't perfect. Memory can be read. NO guarantee that the decrypt key couldn't be read from a file. But it's a bit harder, takes longer.

    Split your business logic between the app and a server if you can.

    Just some thoughts from about half a notebook of notes on the subject here.

    — commented 2 years ago by Stephen Feather
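
A release-time check for the exposure described in the comments above, as an added example that is not part of the original thread or Appcelerator's code: it scans decompiled Java for `put("name", "<Base64>")` entries and reports which assets decode to readable text. The regex shape, the `audit` and `readable_ratio` names, the 0.95 threshold and the second sample entry are assumptions made for illustration.

```python
import base64
import binascii
import re

# Matches map entries shaped like the decompiled line quoted in the comment above:
#   localHashMap.put("app.js", "<base64>");
ENTRY = re.compile(r'\.put\(\s*"([^"]+)"\s*,\s*"([A-Za-z0-9+/=]+)"\s*\)')


def readable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def audit(java_source: str, threshold: float = 0.95):
    """Return (asset_name, exposed, preview) for each embedded asset string."""
    findings = []
    for name, blob in ENTRY.findall(java_source):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64, so not an encoded asset
        exposed = readable_ratio(raw) >= threshold
        preview = raw[:40].decode("ascii", "replace") if exposed else ""
        findings.append((name, exposed, preview))
    return findings


# Constructed input: the first line is the one quoted in the comment above; the
# second is a made-up entry whose value is Base64 of 32 non-text bytes, standing
# in for an asset that was encrypted before being encoded.
SAMPLE = '''
Object localObject4 = localHashMap.put("app.js", "dmFyIGFwcD1yZXF1aXJlKCIvdWkvYm9vdHN0cmFwIik7YXBwLmxhdW5jaCgpOwo=");
Object localObject5 = localHashMap.put("ui/secret.js", "%s");
''' % base64.b64encode(bytes(range(128, 160))).decode()

if __name__ == "__main__":
    for name, exposed, preview in audit(SAMPLE):
        print(f"{name}: {'READABLE SOURCE ' + repr(preview) if exposed else 'not plain text'}")
```

Run against the decompiled sources of your own build, any entry reported as readable is source that ships in the clear regardless of the Base64 wrapper.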

