Secure js code inside apk

Hello, I’m very happy with Fuse.
This is only my own opinion.
After building the APK, we can easily extract the APK as a zip and then open the folder “assets”; there are many plain-text JS files in there without encryption or obfuscation. So our functions, encode key, secret key, API, RESTful URL… can be read very easily.

I think the Fuse framework could easily encrypt them (when building the APK) and decrypt them at runtime.

Is there any way to protect JS code?
Thank you.

You can try to obfuscate your JS code with a tool of your choice, but we don’t provide any support on that or guarantees that this will work.

As for the concerns you’re raising:

  • No secret keys should be stored in code. Opt for OAuth2-style authentication when possible.
  • Anyone who knows how to decompile APKs will also know how to sniff traffic, so your API URLs aren’t safe anyway.

Uldis wrote:

You can try to obfuscate your JS code with a tool of your choice, but we don’t provide any support on that or guarantees that this will work.

As for the concerns you’re raising:

  • No secret keys should be stored in code. Opt for OAuth2-style authentication when possible.
  • Anyone who knows how to decompile APKs will also know how to sniff traffic, so your API URLs aren’t safe anyway.

Sure, I’m using OAuth2-style and HTTPS, but I think the Fusetools framework can encrypt/decrypt JS files with its own algorithm, so that no one can decrypt them, or it is very hard to.
Thank you.

If that’s a question, then: currently there are no plans to implement an internal obfuscator.

Uldis wrote:

If that’s a question, then: currently there are no plans to implement an internal obfuscator.

Yes, only an internal obfuscator in the Fuse framework can protect JS code up to 100%; any online/private/pro tool to obfuscate JS can be deobfuscated easily.
Thank you again.

Hi!

I have the same concerns regarding including sensitive data in unprotected code. So, I have this question: what if we store some values inside a Uno class? Can the strings in the code generated from the Uno class be readable?

I was trying to see if this approach would work. But to be sure, I think we need to use some kind of encryption inside my Uno class, but with no luck yet. I will try to wrap Themis if I find enough time. But I think that if I use that solution, my app will not work on the simulator, so that’s holding me back from going further. For now, my class looks like this:

using Fuse;
using Fuse.Scripting;
using Uno.UX;
using Uno.Collections;

[UXGlobalModule]
public class Secure: NativeModule
{
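	// Single shared instance registered as the global "Secure" module
	static readonly Secure _instance;

	public Secure()
	{
		if (_instance != null) return;
		// Assign the instance before registering it, so the global key is not bound to null
		Resource.SetGlobalKey(_instance = this, "Secure");
		// Expose GetParam(name) to JavaScript
		AddMember(new NativeFunction("GetParam", (NativeCallback)GetParam));
	}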

	static Dictionary<string, string> loadValues() {		
		Dictionary<string, string> values = new Dictionary<string, string>();
		values.Add("service_endpoint", "http://service.endpoint.domain/api/v2/");
		values.Add("api_key", "3287498jdaksjnddaih93hd3iu=");
		return values;
	}

	static object GetParam(Context c, object[] args) {
		Dictionary<string, string> values = loadValues();
		string Param = (string)args[0];
		string _value = "";
		if (values.ContainsKey(Param)) {
			_value = values[Param];
		}
		return _value;
	}
}

To use this class I just need to add this to the .ux file:

<Secure ux:Global="secure" />

And from JS, for example, I can get the API endpoint like this:

var Secure = require("secure");
var api_endpoint = Secure.GetParam("service_endpoint");

The code above works and now I don’t have sensitive data inside the JS files. But I think I need some kind of encryption inside the Uno class to really secure the contents. It’s just a proof of concept. I’ll continue checking other options. Feel free to suggest.

Jonatan
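
An added example (not part of the thread and not Fuse code): a pre-release check that scans every entry of a built APK, not only `assets/`, for hard-coded endpoints and key-like strings, which is one way to test whether moving a value from JS into a compiled class took it out of the package. The archive is constructed in memory with the dummy values from the post above, and the fake native library's layout (literals stored as plain ASCII or UTF-16LE) is an assumption, not a statement about how Uno compiles strings.

```python
import io
import re
import zipfile

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Assumed rule set; extend it with the key formats your own services issue.
RULES = {
    "cleartext-url": re.compile(r"http://[^\s\"'<>]+"),
    "named-secret": re.compile(
        r"(?i)(?:api_?key|secret|token|passw(?:or)?d)\W{1,6}([A-Za-z0-9+/=_-]{16,})"),
}

def printable_strings(blob):
    """Printable runs in a file, read both as ASCII and as UTF-16LE."""
    runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    runs += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return runs

def scan_apk(apk_bytes):
    """Return (entry, rule, value) for every rule hit in every archive entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            text = "\n".join(printable_strings(apk.read(info)))
            for rule, pattern in RULES.items():
                for m in pattern.finditer(text):
                    findings.append((info.filename, rule, m.group(m.lastindex or 0)))
    return findings

def build_sample_apk():
    """Constructed archive: one JS asset and one fake native library."""
    key = b"3287498jdaksjnddaih93hd3iu="  # dummy value from the post
    url = "http://service.endpoint.domain/api/v2/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/MainView.js", b'var api_key = "' + key + b'";\n')
        z.writestr("lib/armeabi-v7a/libapp.so",
                   b"\x7fELF\x01\x01\x00api_key\x00" + key + b"\x00\x00\x10"
                   + url.encode("utf-16-le") + b"\x00\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, rule, value in scan_apk(build_sample_apk()):
        print(f"{entry}: {rule}: {value}")
```

Run against a real build by passing the APK file's bytes to `scan_apk`; a hit under `lib/` means the value is still shipped to every device that installs the app.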

Wow, storing sensitive values inside a Uno class is a great way; they will be native code inside the APK and can be protected by ProGuard. Thank you a lot!!!

+1 on Fuse Encryption