Everyone knows Cordova and PhoneGap use a WebView, so the app contains HTML, JS and CSS files, which means they can be edited.
What I am wondering: is there any way to lock these files / make them not editable once the app is installed on the phone? Hide the code in some way?
It would be great to know more about this. However, this should be what app stores do; hiding the code should not be done by developers, I guess. But if you have any trick/idea/clue, please share it!
Thank you!
asked Oct 8, 2014 at 16:40 by Filippo oretti, edited Oct 8, 2014 at 16:48
- Everything is editable. – Pedro Oliveira Commented Oct 8, 2014 at 17:01
- point the webview at a server-side-written application? – dandavis Commented Jan 14, 2015 at 18:24
- even though it's not a browser, you still don't want to put secrets in "view-source"... – dandavis Commented Jan 14, 2015 at 18:26
- Even Java code can be decompiled. The hard one to decompile and understand is native code. Don't think too much about this, no one is going to use your code! – Ali Commented Jan 16, 2015 at 2:00
- @Ali sure :) it's just a curiosity in the end – Filippo oretti Commented Jan 16, 2015 at 10:38
4 Answers
You can obfuscate the HTML, CSS and JavaScript files...
Some useful links:
- Three Ways to Encrypt PhoneGap and Cordova Mobile Applications
- Obfuscating JavaScript code in Worklight applications
You have to understand that obfuscation is not encryption.
Your code can be reversed. But not by lazy programmers.
Since none of the answers provided so far fulfills the requirement for the bounty, I can give you the official statement from the Cordova project itself:
Do not assume that your source code is secure
Since a Cordova application is built from HTML and JavaScript assets that get packaged in a native container, you should not consider your code to be secure. It is possible to reverse engineer a Cordova application.
Also, there is a way to encrypt the code when packaged and then decrypt it when used. Of course this isn't safe either, but it provides a little more trouble for a hacker. See this blog post about how to implement it on iOS. The same concept, though, is applicable on Android or any other platform. The main point about the security is that the encryption key always needs to be available within the package.
You can minify and obfuscate your code, which would make it harder to edit/understand. My favorite is the GUI YUI Compressor for Windows. LINK to GUI YUI for Windows
Unchecking Verbose is often a good idea. I have mine set to UTF8 and to preserve semi-colons. It has worked really well for me.
For most cases, obfuscation of the JS files is enough and can be easily done with a tool like gulp (which I recommend) or grunt.
However, for critical apps, you can use a native (compiled) plugin that wraps your files in an encrypted format that is decrypted when the app starts (which would definitely sacrifice some performance, of course).
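
The encrypt-when-packaged, decrypt-at-start approach mentioned in the second and fourth answers, as an added example (not code from the answers, the linked blog post, or the Cordova project). It assumes Node's `crypto` module with AES-256-GCM; `packAsset`, `unpackAsset` and `BUNDLED_KEY` are hypothetical names, and the key and asset are constructed samples.

```javascript
// Added example: build-time encryption and start-up decryption of one asset.
// packAsset, unpackAsset and BUNDLED_KEY are hypothetical names.
const crypto = require("crypto");

// Constructed sample key. As the second answer notes, the real key has to
// ship inside the package so the app can decrypt, so this raises the effort
// needed to read or edit the code; it does not make the code secret.
const BUNDLED_KEY = crypto.createHash("sha256").update("constructed-demo-key").digest();

// Build step: encrypt one asset with AES-256-GCM.
// Output layout: 12-byte nonce | 16-byte auth tag | ciphertext.
function packAsset(plaintext, key) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// App start: decrypt before handing the source to the WebView.
// Returns null when the blob was modified, truncated, or the key is wrong.
function unpackAsset(blob, key) {
  if (blob.length < 28) return null; // too short to hold nonce + tag
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  try {
    const plain = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
    return plain.toString("utf8");
  } catch (err) {
    return null; // GCM authentication failed
  }
}

// Constructed sample asset standing in for a file under www/.
const SAMPLE_JS = 'document.addEventListener("deviceready", function () { startApp(); });';

function demo() {
  const packed = packAsset(SAMPLE_JS, BUNDLED_KEY);
  const edited = Buffer.from(packed);
  edited[edited.length - 1] ^= 0x01; // a single changed bit in the stored file
  return {
    hiddenAtRest: !packed.includes(Buffer.from("deviceready")),
    roundTrip: unpackAsset(packed, BUNDLED_KEY) === SAMPLE_JS,
    editDetected: unpackAsset(edited, BUNDLED_KEY) === null,
    wrongKeyRejected: unpackAsset(packed, crypto.randomBytes(32)) === null,
  };
}

console.log(demo());
```

The authentication tag is what makes an edited file fail to load; with an unauthenticated mode a modified file would decrypt to altered bytes with no error.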