Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-7553] Android: Source code protection needs to be implemented for Android on V8

GitHub Issue: n/a
Type: New Feature
Priority: Critical
Status: Closed
Resolution: Fixed
Resolution Date: 2012-03-13T13:48:21.000+0000
Affected Version/s: Release 1.8.0.1
Fix Version/s: Release 2.0.0, Release 1.8.2, Sprint 2012-06
Components: Android
Labels: dr-list
Reporter: Kevin Whinnery
Assignee: Josh Roesslein
Created: 2012-02-06T13:43:34.000+0000
Updated: 2017-03-16T22:08:02.000+0000

Description

Source code is shipped as obfuscated source in Titanium applications for Android. This results in application logic that is significantly easier to reverse engineer. Suggest that similar measures be taken at build time as iOS, where JavaScript code is inlined in a C file and compiled into the application.

Test cases

Create or import a project to use during these tests.

Running application (without protection enabled)

1. Install application to a device.
2. Launch application and verify it works (no file not found errors).
3. Run unzip -l build/android/app.apk
4. Verify in assets/Resources you can see your JavaScript files.

Running application (with protection enabled)

1. In tiapp.xml add a property with name "ti.android.compilejs" set to true.
2. Install application to device.
3. Launch application and verify it works.
4. Run unzip -l build/android/app.apk
5. Verify in assets/Resources there are no JavaScript files.

Deploy application (protection enabled by default)

1. Create a deploy APK from Studio.
2. Run unzip -l app.apk
3. Verify no JavaScript files exist under assets/Resources
4. Install APK to device and verify application works.
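
The APK listing checks in the three test cases above can be automated as a build gate. The following is an added example, not part of the original ticket or the Titanium build scripts; the function names and the sample entry lists are hypothetical and constructed for illustration.

```python
import io
import zipfile

ASSET_PREFIX = "assets/Resources/"  # path named in the ticket's test cases


def js_assets(apk):
    """Return the sorted JavaScript entries stored in plain form under assets/Resources."""
    with zipfile.ZipFile(apk) as zf:
        return sorted(
            name for name in zf.namelist()
            if name.startswith(ASSET_PREFIX) and name.lower().endswith(".js")
        )


def check_build(apk, protection_expected):
    """Compare an APK against the expectation of the matching test case.

    protection_expected=False: JS files must be visible (first test case).
    protection_expected=True: no JS file may remain (second and third cases).
    Returns (ok, js_files).
    """
    found = js_assets(apk)
    ok = (not found) if protection_expected else bool(found)
    return ok, found


def make_sample_apk(entries):
    """Build a constructed, in-memory stand-in for an APK (a plain ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"placeholder")
    buf.seek(0)
    return buf


# Constructed samples, not real build output.
UNPROTECTED = ["AndroidManifest.xml", "classes.dex",
               "assets/Resources/app.js", "assets/Resources/ui/Window.JS"]
PROTECTED = ["AndroidManifest.xml", "classes.dex",
             "assets/Resources/appicon.png"]

if __name__ == "__main__":
    for label, entries, expected in (("unprotected", UNPROTECTED, False),
                                     ("protected", PROTECTED, True),
                                     ("regression", UNPROTECTED, True)):
        ok, found = check_build(make_sample_apk(entries), expected)
        print(f"{label}: {'PASS' if ok else 'FAIL'} {found}")
```

`js_assets` also accepts a path such as build/android/app.apk. The check covers only what the test cases verify, the absence of plain .js entries in the archive; it says nothing about how the source is stored inside the compiled classes, which comment 7 below raises.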

Comments

  1. Kevin Whinnery 2012-02-10

    To me this is a good place to start, keeping honest people honest.
  2. Kevin Whinnery 2012-02-14

    Thanks for working this one so quickly Josh!
  3. Stephen Feather 2012-02-20

    Does this resolve the problem for BOTH v8 and rhino targets?
  4. Neeraj Gupta 2012-02-20

    Rhino didn't have this problem to start with.
  5. Stephen Feather 2012-02-20

    Neeraj, you can split words all you want, but as it is now, in 1.8.1, if you choose V8 OR rhino in your TIAPP.xml, your tail end is hanging in the wind if you release an android app. Original source code packaged up nice and neat for thieving. It may be a bit obfuscated, but nothing an online tool or two can't clean up. So, I'll ask again. Does this resolve the problem for BOTH V8 and rhino targets? At this point in time, EVERY release APK coming out of 1.8.1 in Titanium has the source code out in the open.
  6. Neeraj Gupta 2012-02-20

    Stephen - Let me rephrase my earlier comment. Rhino already had the mechanism that we implemented recently for V8 to protect the source code. Therefore, an application no longer has to rely on obfuscation for either V8 or Rhino runtime option. Try it out with the latest master or 1.8.2 CI build for both the runtimes and let us know if you see any problem.
  7. leoncin 2012-03-01

    I don't think this issue is well solved. I built a project by "distribute to Android marketplace" with 1.8.2 formal release. The internal javascript files are only BASE64 strings in AssetCryptImpl.java file. The javascript source can be easily decoded. Compared to the decompiled java class files, these javascript files are more easily understandable. Do I miss anything? Or what's wrong with my steps to build a project?
  8. Dietrich Streifert 2012-03-08

    The new source code protection step seems to have an issue with large javascript files. I'm using 126kByte large javascript oo framework (qooxdoo) which breaks the compilation step if property ti.android.compilejs is set to true. Others reported this as well in Q&A: http://developer.appcelerator.com/question/133073/jquery-doesnt-work-after-deploying-to-android-market http://developer.appcelerator.com/question/133006/constant-string-too-long The error message is:
       
       [ERROR] Error(s) compiling generated Java code
       [ERROR] C:\Documents and Settings\[User]\My Documents\Titanium Studio Workspace\[app]\build\android\gen\com\[name]\test\AssetCryptImpl.java:19: constant string too long
       
    Please consider enlarging the obviously limited maximum file/string length.
  9. Kevin Whinnery 2012-03-08

  10. Dietrich Streifert 2012-03-08

    @Kevin: wouldn't it be better to change the obfuscator with an automatism which decides on file length if the file is suitable for obfuscation? A warning should state something like "max. file size for obfuscation exceeded: packaging unobfuscated". Or even better: increase the limit (wherever it may be) so large files are also processed?
  11. Josh Roesslein 2012-03-12

    Sent [Pull Request #1648](https://github.com/appcelerator/titanium_mobile/pull/1648) to fix build errors with large JavaScript files.
  12. MAIRDUMONT GmbH & Co. KG 2012-06-28

    Which version of Mobile SDK does/will contain this fix? I can't read that from Josh's [Pull Request #1648](https://github.com/appcelerator/titanium_mobile/pull/1648).
  13. Neeraj Gupta 2012-06-28

    Release 2.1.0
  14. Stephen Feather 2012-06-29

    It is working well in the 2.1.0 builds now.
  15. Lee Morris 2017-03-16

    Closing ticket as fixed.
