hello, how do i secure my apk files generated from fusetools? can i use proguard?

I have the similar concern as @Aleme. Is it possible to use Proguard or other means to prevent reverse engineering of Fuse apps?

My blind guess is that we could obfuscate JS codes.

As far as I did my research, Proguard obfuscates Java code. Looking from Fuse perspective, that would only have an effect on 3rd party Java libraries and a bit of Java Foreign code.

Fuse apps are compiled to C++, so Proguard won’t be of much help there. Also, I don’t think the JavaScript code would be obfuscated.

If this is a critical concern, I suggest you do some research and let us know what you’ve found. We’re happy to discuss options if you find particular tools you’d like to use.

Thanks. @Uldis.

If we try to unpack a Fuse compiled APK, we will be able to see all the image assets embedded in the app (which is fine) as well as all the JavaScript files, exactly the same as the ones before compilation. That means all the logic or URLs of service calls will become easily readable by users.

I shall try to see if there’s a way to obfuscate those JavaScript and still readable by Fuse. Well, clearly this is just something the security team will ask for, in order to prevent reverse engineering.

Even Proguard will not completely prevent reverse engineering, I don’t think this a specific concern for fuse, it’s a reality for any type of software development

yes, my partner asked me about this too :((, plain text everywhere

The bottom line is, as long as it is on the device, it can be reversed by someone, given enough motivation and time. It is better to rely on things like oauth2 instead of storing secrets in the app.

When it comes to code, remember that obfuscation is only security by obscurity.

With that said, the team is aware of a request for it, but i can not guarantee that it will be fulfilled any time soon, or at all, for that matter.