This is a migrated thread and some comments may be shown as answers.

close my app source-code?

This question is locked. New answers and comments are not allowed.
wee asked on 28 Jan 2013, 12:00 AM
hi, 

I'm just about starting a new mobile project, and I'm interested in how the matter of "closing" the source-codes goes.
please refer to: http://www.icenium.com/community/forums/feedback-and-suggestions-/close-my-app-source-code-


do the paid plans already offer that source bundling option you mentioned, that possibly do not extract the sources to the filesystem and also disable the LiveSync (via android-hard-menu button) option?

and how about encrypting / obfuscating / uglifying the sources inside the apk? (if I unzip my apk I can extract the sources, you know).

I'm not in a hurry for now. I'm analysing my development options for the new project, but I'm totally decided to use some cross-target SDK (iOS/Android) like Cordova/PhoneGap, and Icenium is still at the top of the list. 

if the features are not ready, I just need a hint about how soon (or later) would they come. 

also, I'm very interested in using barcode scanning. I know that this is not ready, and this is not a stopper for my project. but would be helpful if available. :)

thanks in advance,

Stefan Dobrev
Telerik team
answered on 28 Jan 2013, 02:00 PM
Hi wee,

Thanks for taking the time and evaluating Icenium for your mobile development needs. Regarding your questions, please find my answers below:

  • If you build your application in Release mode (when you publish it for store submission for example) LiveSync is disabled.
  • Source obfuscation/minification is something that has already been requested by our community. Please go to our feedback portal and vote for it and we will prioritize it according to the votes it gets.
  • Barcode scanner plugin support is coming in our next public release expected in the first half of February.
Hope this helps,
Stefan Dobrev
the Icenium team

Share feedback and vote for features on our Feedback Portal.
Want some Kendo UI online training - head over to Pluralsight.
wee
answered on 29 Jan 2013, 12:48 AM
Stefan,

it's great to know that the barcode support may come so soon! it might be just in time to use it in my project. awesome!

now... about the obfuscation matter, maybe you can help me if I explain the problem properly: imagine I want my app to call some third-party http API like twitter, that uses a pair of keys to sign my requests. 

if I embed my keys right into my app source, someone could just open the apk and get them easily.

then, as an alternative, I thought about *not* embedding my keys in my app but getting them from my server every time the app is started. so... the keys would be just in memory and could not be inspected right from the device. but someone could just follow the source scripts and find the url to get the keys.

then, I thought about obfuscating my javascripts to make getting the url and interpreting the data transferred a little harder. but still, someone really interested in reversing the code and getting the keys would eventually be successful with a javascript debugger and a lot of patience.

today, the only way I see to protect my keys would be storing them at my webserver, and making the requests right from it, so my mobile app would request something from my server and then it would do the job. 

but this is not really interesting, because I could save my server from all the network traffic (in and out) if my mobile app could talk directly to the third-party server.

do you have any suggestion or record about anyone with the same problem? is there any blueprint, pattern, good practice and something that solves this demand? hiding / securing keys or sensitive information into the app?

thanks in advance!





iliev
Telerik team
answered on 01 Feb 2013, 04:51 PM
Hello Wee,

Authenticating through OAuth works relatively well for server-to-server authentication, but it is obviously a security problem for mobile and desktop applications. In reality it is not as bad as it sounds, but the problem is how the service you are accessing is using the key and if they intend on banning abused keys. In the case of Twitter the only way to access the Twitter REST API v1.1 is through user authorization.

If you bundle keys with the desktop or mobile app, open source or not, it is possible to access them. Since services like Twitter force us into using OAuth-only API, we have the two options you already found:

  • set up an auth proxy service for your application
  • bundle keys with the app

The former is more difficult and costly, not necessarily maintainable for small and open source apps.
The latter means that the app may and will be blocked, once the spammers steal the keys.
Keep in mind that if someone has enough knowledge to debug your program and extract your key, they likely know how to do more than that and you could very well be wasting your time trying to lock down further.

If you want to read some more about OAuth authentication problems and the Twitter story you can visit this link.

All the best,
Ilian Iliev
the Telerik team
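
The auth proxy option from the answer above, as an added example (not code from this thread or from Telerik): the server keeps the consumer secret and produces an OAuth 1.0a HMAC-SHA1 signed request for an allow-listed endpoint, so nothing bundled in the apk contains the key. The key values, the `api.example.com` URL, the session shape and all function names are assumptions.

```javascript
// Added example: the server side of an auth proxy. Names and values are hypothetical.
const nodeCrypto = require('crypto');

// Constructed placeholders; real values stay in server configuration only.
const CONSUMER_KEY = 'example-consumer-key';
const CONSUMER_SECRET = 'example-consumer-secret';
// The proxy relays only the calls the app needs (hypothetical allow-list).
const ALLOWED = new Set(['GET https://api.example.com/1.1/timeline.json']);

// Percent-encoding as OAuth 1.0a (RFC 5849) requires.
function enc(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// HMAC-SHA1 over the signature base string, keyed with both secrets.
function sign(method, url, params, tokenSecret) {
  const normalized = Object.entries(params)
    .map(([k, v]) => [enc(k), enc(String(v))])
    .sort((a, b) => (a[0] < b[0] ? -1 : 1))
    .map(([k, v]) => k + '=' + v).join('&');
  const base = [method, enc(url), enc(normalized)].join('&');
  const key = enc(CONSUMER_SECRET) + '&' + enc(tokenSecret);
  return nodeCrypto.createHmac('sha1', key).update(base).digest('base64');
}

// Turn one request from the app into the signed upstream request. The user's
// token and token secret come from the server-side session, never from the app.
function buildUpstreamRequest(appReq, session, nonce, timestamp) {
  const method = String(appReq.method).toUpperCase();
  const query = appReq.query || {};
  if (!ALLOWED.has(method + ' ' + appReq.url)) {
    return { ok: false, status: 403, error: 'endpoint not allowed' };
  }
  if (Object.keys(query).some((k) => k.startsWith('oauth_'))) {
    return { ok: false, status: 400, error: 'oauth_* parameters are set by the server' };
  }
  const oauth = {
    oauth_consumer_key: CONSUMER_KEY, oauth_nonce: nonce,
    oauth_signature_method: 'HMAC-SHA1', oauth_timestamp: String(timestamp),
    oauth_token: session.token, oauth_version: '1.0',
  };
  oauth.oauth_signature = sign(method, appReq.url, { ...query, ...oauth }, session.tokenSecret);
  const header = 'OAuth ' + Object.keys(oauth).sort()
    .map((k) => enc(k) + '="' + enc(oauth[k]) + '"').join(', ');
  return { ok: true, method, url: appReq.url, query, headers: { Authorization: header } };
}
```

The nonce and timestamp are parameters here so the result is reproducible; a real handler would take them from `crypto.randomBytes` and the clock.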
