I am building Android apps using Phonegap. The apps use REST APIs, but I have serious questions regarding the security of the API keys. I have been looking for answers everywhere, but the issue hasn't been answered well. As you know, an Android APK can be extracted and the Phonegap folder can be reverse engineered. I have these questions/possible solutions regarding the problem:
- Is there a way (maybe a plugin) to password-protect the "www" folder, so that when someone extracts an APK, there is a password protecting the Phonegap files? I extracted many APKs and saw this implemented in many Phonegap-based apps.
- Is there a way to save the API keys in config.xml and read them using JS?
- Is there a way to securely authenticate a Phonegap app without using login authentication like Facebook, Google, LinkedIn or Twitter? This is for the case of simple apps that do not require login, but still use those APIs.
I have used JavaScript obfuscation, but I need a more robust option.
Can anyone help out?
2 Answers
The best way to accomplish this (if you don't have control over the API) is to set up your own server-side API that stores your credentials, and then use that API to make the request to the other API; your API can then send back the response. Think of it like this:
APP > YOUR API > API > YOUR API > APP
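To make the flow in this answer concrete, here is an added example of the "YOUR API" layer written in Node.js. It is not the answerer's code and not a Phonegap plugin; it assumes a hypothetical upstream service at api.example-weather.test, a server-side environment variable WEATHER_API_KEY, and Node 18 or later (global fetch and URL). The third-party key is attached to the upstream request only on the server, the app can only trigger operations on an allow-list with validated parameters, and the key is scrubbed from anything sent back to the app.

```javascript
// Added example (not from the question or answers): a minimal Node.js
// proxy implementing APP > YOUR API > API > YOUR API > APP. The real key
// lives only on the server; the app never receives or ships it.

// Hypothetical upstream API and key (constructed names, not real services).
const UPSTREAM_BASE = "https://api.example-weather.test";
const UPSTREAM_KEY = process.env.WEATHER_API_KEY || "server-only-secret";

// Allow-list: the only upstream operations the app may trigger, each with a
// validator for the client-supplied parameters. Anything else is refused, so
// the proxy cannot be used as an open relay for the key.
const ALLOWED = {
  "/v1/forecast": {
    upstreamPath: "/data/forecast",
    validate: (q) => /^[A-Za-z ,.'-]{1,64}$/.test(q.get("city") || ""),
    params: (q) => ({ city: q.get("city") }),
  },
};

// Translates an app request path into the outbound upstream request.
// Pure function (no network) so it can be tested directly; returns null for
// any path or parameter set that is not on the allow-list. Only the
// whitelisted parameters are copied; other query keys and all app headers
// are dropped rather than forwarded.
function buildUpstreamRequest(appUrl) {
  const url = new URL(appUrl, "http://localhost");
  const rule = ALLOWED[url.pathname];
  if (!rule || !rule.validate(url.searchParams)) return null;
  const target = new URL(rule.upstreamPath, UPSTREAM_BASE);
  for (const [k, v] of Object.entries(rule.params(url.searchParams))) {
    target.searchParams.set(k, v);
  }
  return {
    url: target.toString(),
    // The key is added here, server-side, as a header; it is never part of
    // the URL the app asked for and never echoed back to the app.
    headers: { "X-Api-Key": UPSTREAM_KEY },
  };
}

// Cheap safeguard: if the upstream ever echoes request headers (e.g. in an
// error body), the key is redacted before the response reaches the app.
function sanitizeResponse(body) {
  return body.split(UPSTREAM_KEY).join("[redacted]");
}

// Handles one app request end-to-end. `fetchUpstream(url, opts)` is injected
// so the same handler runs against a stub in tests and a real client in prod;
// it must resolve to { status, body }.
async function handleAppRequest(appUrl, fetchUpstream) {
  const req = buildUpstreamRequest(appUrl);
  if (!req) return { status: 400, body: "unsupported request" };
  const upstream = await fetchUpstream(req.url, { headers: req.headers });
  return { status: upstream.status, body: sanitizeResponse(upstream.body) };
}

// Stand-alone HTTP server for the app to talk to. Uses Node's built-in http
// module (loaded lazily so the file has no side effects when imported).
async function startServer(port) {
  const http = await import("node:http");
  const realFetch = async (url, opts) => {
    const r = await fetch(url, opts);
    return { status: r.status, body: await r.text() };
  };
  return http.createServer(async (req, res) => {
    const out = await handleAppRequest(req.url, realFetch);
    res.writeHead(out.status, { "Content-Type": "application/json" });
    res.end(out.body);
  }).listen(port);
}
```

Run it with `startServer(8080)` on your own host; the Phonegap app then calls `http://your-host:8080/v1/forecast?city=Berlin` and never learns the upstream key. The allow-list is the important part: a proxy that forwards arbitrary paths with the key attached just moves the problem rather than solving it.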
I think the https://github.com/tkyaji/cordova-plugin-crypt-file plugin might help you. Still, it will decrypt the stuff at run time.
This thread also has a similar topic:
How to encrypt the content assets folder in phonegap android application
Hope this helps. 🙂