tsonevn
commented
5 years ago From @NathanaelA on December 30, 2018 4:33
Just to correct one error you made; on a rooted device you can access everything!
It doesn't matter what it is built with; NativeScript, Java, Kotlin, Flutter, RN, Swift, ObjC, etc. A Rooted device means you have full access to everything on the device. Btw, this applies to iOS as much as it does Android.
So unless you are able to access a Nativescript app's data folder from another app on a non-rooted phone, I don't believe this is a valid issue... (And since the OS controls who has access during installation, I'm not sure how this can happen on a non-rooted device).
From @smartsanja2013 on December 30, 2018 3:32
Environment nativescript 4.0.1 tns-core-modules 3.3.0 tns-android 4.0.1
Describe the bug I have generated release signed apk using following command.
tns build android --release --key-store-path /Users/me/Desktop/my.keystore --key-store-password android --key-store-alias mykey --key-store-alias-password androidRelease signed apk suppose NOT debuggable. That means should not able to access data/data folder even on a rooted device. When do the penetrate testing I found that the apk is still debuggable. What that means is I can access data/data folder. This leads to security threats. Please advice how to make NON debuggable release apk.
Fyi: I tried to manually set
android:debuggable="false"in Androidmanifest.xml which seems not allowed though.Expected behavior Release apk should not able to access data/data folder
Copied from original issue: NativeScript/NativeScript#6741