This article is deprecated, please read the fresh one here.
This time I am writing about PhoneGap Application security.
There were 2 solutions we could jump into:
- Move to Objective C
Item #1 was complicated for our team and would take a long time to learn.
app file, and decrypt it in memory on application launch and put it into the WebView context. We took the second way.
Now let me explain how, in theory, the encryption is done.
- Script is parsing
- Script is encrypting
AES 256-bit encryption and put this file into the Xcode project as a resource (please note this).
- The Xcode build runs and generates the app file.
The PhoneGap library was patched to support decrypting index.html with the provided key and loading this memory block into the WebView. I have shared the modified PhoneGap source code on GitHub. To use it, you should manually build the library from the source code and install it. Don't forget that the PhoneGap library now searches for an encrypted "index.html" resource file.
Of course, you need to provide the key so that the patched PhoneGap framework can decrypt your source code.
AppDelegate.m file, add a method:
Here you see that your 256-bit key is 32
You see the finish
Yes, that is all. Now your HTML will be decrypted and loaded into the WebView on iApp start, and there will be no unsecured files inside your app.
It is true that someone can decompile the Objective-C code to find the key, but this is a bit harder than if all your sources can be read straight from the zip.
Finally, you may need a way to encrypt your HTML file. I have one only for PHP:
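A build-time encryption step of the kind described above, as an added PHP example; it is not the author's script, which this page does not include. The output layout (16-byte IV followed by AES-256-CBC ciphertext), the `INDEX_KEY_HEX` environment variable and the function names are assumptions, and the layout must match whatever the decrypting library expects.

```php
<?php
// Added example, not the author's script. Assumed layout of the output file:
// 16-byte random IV, then AES-256-CBC ciphertext with PKCS#7 padding.

function encryptHtml(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {                 // AES-256 needs exactly 32 key bytes
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    $iv = random_bytes(16);                    // fresh IV for every build
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $ct;
}

function decryptHtml(string $blob, string $key): string
{
    // Smallest valid blob: 16-byte IV plus one 16-byte padded block.
    if (strlen($key) !== 32 || strlen($blob) < 32) {
        throw new InvalidArgumentException('bad key length or truncated input');
    }
    $pt = openssl_decrypt(substr($blob, 16), 'aes-256-cbc', $key,
                          OPENSSL_RAW_DATA, substr($blob, 0, 16));
    if ($pt === false) {
        throw new RuntimeException('decryption failed (wrong key or corrupt file)');
    }
    return $pt;
}

// Usage: INDEX_KEY_HEX=<64 hex chars> php encrypt.php index.html index.html.enc
// The key is read from the environment (hypothetical variable name) so it does
// not appear in the process list or shell history.
if (PHP_SAPI === 'cli' && $argc === 3) {
    $hex = (string) getenv('INDEX_KEY_HEX');
    if (strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        fwrite(STDERR, "INDEX_KEY_HEX must be 64 hex characters (32 bytes)\n");
        exit(1);
    }
    $key  = hex2bin($hex);
    $html = file_get_contents($argv[1]);
    if ($html === false) { fwrite(STDERR, "cannot read {$argv[1]}\n"); exit(1); }
    $blob = encryptHtml($html, $key);
    // Round-trip check so a broken build never ships an unreadable resource.
    if (!hash_equals($html, decryptHtml($blob, $key))) { exit(1); }
    file_put_contents($argv[2], $blob);
}
```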