Closed ugosan closed 7 years ago
renandecarlo
commented
7 years ago The key is needed to encrypt the files upon building. The files would have to be not encrypted for it to generate a key (and encrypt them) on first run, so it doesn't make sense.
ugosan
commented
7 years ago Well, the keys could be re-generated somehow after the first run, replacing the original one, right?
renandecarlo
commented
7 years ago That doesn't make it any harder to decrypt, as the key on the .apk file is what matters. If he can access that it doesn't make sense to change it after the app is run.
ugosan
commented
7 years ago thats true, because the key is being generated at build time and the whole thing is shipped to the user. But there is a way to change the assets at runtime (like code-push does), so in theory we could change both the key AND the encrypted assets. its a little bit harder for a hacker to access the keychain or a local storage than to just unzip the apk file. I'm just trying to think how to protect the source code from the end user, its just too easy to get it right now :)
renandecarlo
commented
7 years ago Still, if the hacker can access .apk it doesn't make sense to change it after it runs. He doesn't even need to run or install the app, he can just unzip the .apk and get the original key. That's why changing it afterwise or encrypting it once again doesn't change anything.
Hi, first of all thank you for making this work public, I think this plugin would be really useful to make disassembling a little bit harder. However, it stores the key and the IV inside the plugin code itself, any hacker with a disassembler would have access to it. Wouldn't be nice if we could generate the keys in runtime (e.g. first use), store it on the device's secure storage and then retrieve the keys from it? Are you guys planning something like that?