How to encrypt HTML+JS assets in Android Phonegap

2019-01-13 15:55发布

问题:

I have mobile app created using Phonegap basic wrapper and HTML5. My goal is to encrypt files in assets directory (JS and HTML files) so they are unreadable to people, who unzip the APK file and want to see the JS sources.

Ok, i know there is no absolute perfect solution. On my way to this question I've already tried options how to solve copy protection of my sources (JS minification, obfuscation, etc..), but I found out that it's very simple to get to the original code (using JSBeautifier, firebug, including obfuscated scripts, etc...).

So my question is - is there some simple way how to encrypt JS+HTML files (so they are not readable and useful when simply unzipping APK file) and how to implement it in JAVA for Android platform ?

Note: I have no knowledge of JAVA language, so please include working example which I can use.

Edit: I also investigated ProGuard feature when making final APK package, however it is useless for me, because it only deals with JAVA files, but leaves assets directory as it is.

回答1:

Some time ago I have same problem but on iOS. And the result was only after patching PhoneGap for iOS. I have wrote an article at http://oleksiy.pro/2011/09/20/phonegap-application-encryption/. Also, for Android this method could be weak, because java code could be 99% decompiled, and hacker will see your key.



回答2:

There is no easy way to do this. If you want to encrypt your JavaScript you would need some sort of key to decrypt it with. The key cannot be stored on the device since then it's easy to find the key and decrypt the source code. Iff your application requires a user to login you could possibly return the encryption key once the user is logged in and use that key to decrypt JS and HTML files. There are standard Android encryption libraries that you can use via a PhoneGap plugin.

Having said that, it's just JavaScript so if there is something that you really need to have encrypted you should probably consider changing your approach.



回答3:

The best combination I've found is the DojoToolkit and the Closure Compiler in Advanced Mode.

Closure in Advanced Mode makes JavaScript code almost impossible to reverse-engineer, even after passing through a beautifier. Once your JavaScript code is obfuscated beyond any recognition and any possibility to reverse-engineer, your HTML won't disclose much of your secrets.

This link for using the Dojo Toolkit with the Closure Compiler in Advanced Mode for mobile applications:

http://dojo-toolkit.33424.n3.nabble.com/file/n2636749/Using_the_Dojo_Toolkit_with_the_Closure_Compiler.pdf?by-user=t

And of course the Dojo Toolkit works well with PhoneGap.



回答4:

You can use a webview and load a base64 string:

protected String base64Str = "+wL00h2L....";
wv1.loadData(base64Str, "text/html; charset=utf-8", "base64");