Foso / Ktorfit

HTTP client generator / KSP plugin for Kotlin Multiplatform (Android, iOS, Js, Jvm, Native, WasmJs) using KSP and Ktor clients, inspired by Retrofit. https://foso.github.io/Ktorfit
Apache License 2.0

It is not obfuscated during Release Build, is this by design? #619

Closed samurai-app closed 3 months ago

samurai-app commented 4 months ago

Ktorfit version

1.11.0

What happened and how can we reproduce this issue?

I checked from here because I can't use "Report a security vulnerability".

When I run a release build that has been implemented and obfuscated as shown in the code below, the string is displayed as shown in the screenshot.

Is it according to the specifications that "username" and "password" are visible?

```kotlin
basic {
    credentials {
        BasicAuthCredentials(
            username = userName,
            password = pass,
        )
    }
}
```

(screenshot: release build)

What did you expect to happen?

Username and Password are invisible or obfuscated

Is there anything else we need to know about?

I use a tool called jadx to check the contents of the release build.

Foso commented 3 months ago

Hi @samurai-app, this is an issue for Ktor and not Ktorfit. Ktorfit is only using the Ktor client to do the request. Ktorfit has no knowledge about the credentials that you set on your Ktor client, and it doesn't know where you store your credentials in your code.

samurai-app commented 3 months ago

@Foso

Thank you very much for your response to my question. I truly appreciate the time and effort you put into addressing my concern. However, I am still worried about the security risk because, even with obfuscation, the "ktorfit" string would still expose the basic authentication details.

(screenshot: string)

Foso commented 3 months ago

It's good that you are concerned about security, but then I suggest that you don't store your Api credentials in your app code.

Every hardcoded string in your code will always be visible in the compiled code. You could choose your own obfuscation method for storing the secrets and deobfuscate them at runtime. But that only makes reverse engineering harder, not impossible. At some point your credentials need to be sent unobfuscated to the server.

You will have the same problems with libraries like OkHttp. Ktorfit is just a network library and not an alternative to ProGuard.
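An added example (not code from this issue, from Ktorfit or from Ktor) putting the hardcoded pattern from the report beside a client that obtains the credentials at run time. `CredentialStore`, `hardcodedClient`, `runtimeCredentialClient` and the literal values are assumptions made for the illustration; the `basic`, `credentials` and `sendWithoutRequest` calls are the Ktor 2.x client Auth plugin API.

```kotlin
import io.ktor.client.HttpClient
import io.ktor.client.plugins.auth.Auth
import io.ktor.client.plugins.auth.providers.BasicAuthCredentials
import io.ktor.client.plugins.auth.providers.basic

// Hypothetical abstraction over platform secure storage (Android Keystore-backed
// storage, iOS Keychain, ...) or a login prompt. Not part of Ktor or Ktorfit.
interface CredentialStore {
    suspend fun load(): BasicAuthCredentials?
}

// Before: literals compiled into the app. R8/ProGuard rename classes and members
// but leave string constants verbatim, so a decompiler such as jadx shows them
// exactly as written here. (Constructed example values, not real credentials.)
fun hardcodedClient(): HttpClient = HttpClient {
    install(Auth) {
        basic {
            credentials { BasicAuthCredentials(username = "appuser", password = "s3cret") }
        }
    }
}

// After: no secret exists in the binary. The credentials block is a suspend lambda,
// so it can read from secure storage or from a value entered by the user at login.
fun runtimeCredentialClient(store: CredentialStore, apiHost: String): HttpClient = HttpClient {
    install(Auth) {
        basic {
            credentials { store.load() }
            // Attach the Authorization header only to requests for the API host,
            // so the credentials are never sent to some other host.
            sendWithoutRequest { request -> request.url.host == apiHost }
        }
    }
}
```

Opening the release artifact in jadx after this change still shows the `ktorfit` and Ktor class names, but no username or password, because none is present in the code.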

samurai-app commented 3 months ago

I have confirmed that Basic Authentication also works the same in Ktor and that the content is displayed correctly. I have verified that this is not an issue with Ktorfit. I will close this issue.

Thank you.