Hello, I have a question for cordova-plugin-crypt-file,
So I know the repository is generating a random password at compilation (cordova prepare/run/build) and using that to encrypt files. I have the following questions:
I was wondering, what's the algorithm for generating the random password?
What encryption algorithm is used, and how strong is it (AES256?)
Can it be a next feature to allow users to manually configure these settings, like changing the encryption type and level of encryption?
And finally, I was wondering how you store the password. Because every time you open the app, the first thing the app does is decrypt the files, so I guess the password is stored inside the APK/APP.
Given the hypothesis that the password for decryption is stored inside the APK/APP, how is this password being protected/shielded from an attacker?
Because if the effort for an attacker to decrypt the password is less than the effort for an attacker to force decrypt the actual file, the encryption of the file doesn't make much sense then (it will just be a decoration then).
Thank you very much for answering the question.
It's AES (256). The plugin generates a CRYPT_KEY and an IV. If you go to any online decryption website and try to decrypt your own encrypted code using those 2 keys, your code will be decrypted (I've tried it).
You can easily open your APK and find the class "DecryptResource" where you can see these 2 keys. It was fairly easy to decrypt my own code, honestly.
That's why, in addition to this encryption (I wouldn't rely too much on it), I've also totally obfuscated my JS code. Two "protections" are better than one (at least I hope they will deter curious users from understanding my code or modifying it).
Yes. Not that difficult, but it does give some amount of security. Someone might stop fiddling with it as they see the encrypted files. Cryptography is hard to understand for some developers.
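The point made in the comment above, as an added example that is not part of the thread or the plugin's own code: it encrypts a constructed asset and shows that the two string constants shipped beside the ciphertext are all that is needed to read it, so the strength of AES-256 is not what protects the files. The key and IV values, the CBC mode, the `CRYPT_IV` field name, the helper names and the sample class text are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

// Constructed stand-ins for the two build-time values (assumed: 32 and 16 ASCII chars).
const CRYPT_KEY = '0123456789abcdef0123456789abcdef';
const CRYPT_IV = 'fedcba9876543210';
const SAMPLE_ASSET = 'function licenseCheck() { return true; }'; // constructed asset

// Build side (hypothetical helper): encrypt one web asset to base64, AES-256-CBC assumed.
function encryptAsset(plaintext, key, iv) {
  const c = crypto.createCipheriv('aes-256-cbc', Buffer.from(key, 'utf8'), Buffer.from(iv, 'utf8'));
  return Buffer.concat([c.update(plaintext, 'utf8'), c.final()]).toString('base64');
}

// What the app must do at startup; it needs nothing beyond the package contents.
function decryptAsset(b64, key, iv) {
  const d = crypto.createDecipheriv('aes-256-cbc', Buffer.from(key, 'utf8'), Buffer.from(iv, 'utf8'));
  return Buffer.concat([d.update(Buffer.from(b64, 'base64')), d.final()]).toString('utf8');
}

// Release-review check (hypothetical): list string literals in shipped source
// whose length fits an AES-256 key (32) or a CBC IV (16).
function findEmbeddedKeyMaterial(sourceText) {
  const literals = [...sourceText.matchAll(/"([^"\s]+)"/g)].map((m) => m[1]);
  return {
    keyCandidates: literals.filter((s) => s.length === 32),
    ivCandidates: literals.filter((s) => s.length === 16),
  };
}

// Constructed text standing in for the class that ships inside the package.
const shippedClass = `
class DecryptResource {
  private static final String CRYPT_KEY = "${CRYPT_KEY}";
  private static final String CRYPT_IV = "${CRYPT_IV}";
}`;

// Everything used here comes from the shipped artifacts: class text plus ciphertext.
function demo() {
  const ciphertext = encryptAsset(SAMPLE_ASSET, CRYPT_KEY, CRYPT_IV);
  const found = findEmbeddedKeyMaterial(shippedClass);
  const recovered = decryptAsset(ciphertext, found.keyCandidates[0], found.ivCandidates[0]);
  return { ciphertext, found, recovered };
}
```

Run against a real build's sources, a non-empty result from `findEmbeddedKeyMaterial` means the encrypted assets should be treated as readable by anyone who has the package.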