Source code can be viewed in the final APK file built with 1.8.1?

Today, I found that if the APK is built with 1.8.1, the source JavaScript files are still included in the APK, although there are very few changes compared to the original source code.
1.8.0 works well. Is this a regression?

3 Answers

  • Also, for the released 1.8.2, the source code is encoded with BASE64, which can be decoded easily. For business applications, how can we use Titanium? Looking forward to the Titanium side giving a workaround. Thank you very much.

  • Here is a ticket regarding this issue:

    I'm not sure how security is implemented, but it seems that JS source code is inlined in Objective-C/Java code and compiled that way. That seems common practice (??), but I'm not so convinced that is secure.

    — answered 4 years ago by Ivan Škugor
    • To my knowledge, 1.8.2 adds a new Java file:, which contains the BASE64 string of each JavaScript file. You can easily decode the BASE64 string to get the file content. For example:

      Object localObject4 = localHashMap.put("app.js", "dmFyIGFwcD1yZXF1aXJlKCIvdWkvYm9vdHN0cmFwIik7YXBwLmxhdW5jaCgpOwo=");

      I built the apk by "production" type.

      I don't think it is a good solution to solve this issue.

      — commented 4 years ago by Leoncin Lee
    • Yeah, I also wouldn't rely on security based on obfuscation.

      — commented 4 years ago by Ivan Škugor
    • Will be careful here, but the world of cracking is not new.
      Security is a myth. If it's in memory, it can be read.
      At the simplest of points, a simple binary switch in memory allows an app to be registered or unregistered. The only way to protect your app is to never release it. The only way to protect your intellectual property is to forget it. However, that is impractical no matter how effective.

      Your full-out Xcode build and Java can be reverse engineered. True, it's not as easy to read as base64-decoding a Java file, but it can be done.

      The key is to slow down the thief. Make it cost ineffective to 'compete' with you by stealing your code.

      Appcelerator has admitted that the base64 method needs to be reworked. A solution is to use a full encryption module to wrap it all up. The encrypt/decrypt key would be compiled into the binary. However, this isn't perfect. Memory can be read. NO guarantee that the decrypt key couldn't be read from a file. But it's a bit harder, takes longer.

      Split your business logic between the app and a server if you can.

      Just some thoughts from about half a notebook of notes on the subject here.

      — commented 4 years ago by Stephen Feather
    • Thank you, and I agree with you. My question is that in 1.8.0, the JavaScript files were already compiled into native Java class files, but recovered to plain JavaScript files again in 1.8.1. Maybe there are some other considerations on Appcelerator's side which I am not aware of. I can try to separate the business logic from my application, but the current implementation makes it much, much easier for others to replicate a similar mobile app. Also, it may impact decision makers choosing Titanium as their mobile development option.
      Glad to hear that Appcelerator has already started to provide a secure solution to protect the source code. I wish I could get it soon.

      — commented 4 years ago by Leoncin Lee
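To make concrete how little the 1.8.2 scheme hides, here is an added example that is not code from this thread or from Titanium itself: a short Python script that takes decompiled Java of the kind quoted above (the `localHashMap.put("app.js", "...")` line) and, as Stephen Feather puts it, simply base64-decodes each entry back into readable JavaScript. The decompiled fragment is constructed for the example; the app.js entry is the one quoted in the thread, and the second entry is made up for illustration. Entries that do not decode as plain Base64 text are skipped rather than guessed at.

```python
import base64
import re

# Constructed sample of what a Java decompiler prints for the generated
# class described in the thread. The app.js line is the one quoted above;
# the "ui/bootstrap.js" entry is made up here for illustration.
_SECOND_SOURCE = 'exports.launch = function () { Ti.API.info("started"); };\n'
DECOMPILED_JAVA = '''
    HashMap localHashMap = new HashMap();
    Object localObject4 = localHashMap.put("app.js", "dmFyIGFwcD1yZXF1aXJlKCIvdWkvYm9vdHN0cmFwIik7YXBwLmxhdW5jaCgpOwo=");
    Object localObject5 = localHashMap.put("ui/bootstrap.js", "%s");
''' % base64.b64encode(_SECOND_SOURCE.encode()).decode()

# Matches map entries of the form  .put("<path>.js", "<base64 blob>")
_ENTRY = re.compile(r'\.put\("([^"]+\.js)",\s*"([A-Za-z0-9+/=]+)"\)')


def extract_embedded_sources(java_text):
    """Return {script path: decoded JavaScript} for every embedded entry.

    Entries whose value is not valid Base64, or not UTF-8 text, are left
    out: that would mean the scheme is no longer the plain one discussed
    here, and this script does not try to guess at anything else.
    """
    sources = {}
    for path, blob in _ENTRY.findall(java_text):
        try:
            sources[path] = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return sources


if __name__ == "__main__":
    for path, src in extract_embedded_sources(DECOMPILED_JAVA).items():
        print("==== %s ====" % path)
        print(src, end="")
```

Run against real output from a Java decompiler, the script recovers `app.js` as `var app=require("/ui/bootstrap");app.launch();` in one step, which is the whole of the "protection" the thread is complaining about.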