Protecting your application from tampering, reverse engineering, and IP theft is a common concern for many companies. Hybrid applications can be protected in similar ways to native ones, and this usually involves multiple layers of security which can be combined.
Root Kit Detection
To be able to tamper with code, in general you would need to "jailbreak" your device. Detection of this is done through root kit detection code. There aren't many projects that concentrate on this area, but one that you will find is the Cordova plugin iRoot. Jailbreaking or rooting a device is a cat and mouse game of breaking and detection, and projects like iRoot may not detect all exploits.
One product worth noting in the space is GeoComply. Their primary focus is location-based security (usually used for sports betting and internet gambling applications), but they also provide root kit detection and emulator detection.
Production builds will minify code, which focuses on reducing payload size. While this makes code harder to read, it does not prevent code from being reverse engineered or protect it from alteration. Code obfuscation tools help with this. The following projects provide choice in the area:
- jScrambler - An alternative to the open source project is this paid product which is well supported (if you find a bug they prioritize helping you) and is worked on full time so you can expect its features to be more advanced and hardened.
Native Code Obfuscation
For Android there are options to obfuscate and minify native code. This is done with the minifyEnabled flag set to true (see docs). It is worth noting that some Cordova plugins may not function correctly after this option is applied without adding exceptions in the form of ProGuard rules files.
Other solutions for anti-tampering of iOS and Android apps exist, for example DexProtector.
SSL pinning is a technique that prevents a "man in the middle" attack, where HTTP traffic is intercepted and recorded or altered. SSL pinning uses your origin server's certificate and validates that it matches when presented to your application.
The Cordova advanced HTTP plugin can be used to implement SSL pinning by using its API instead of standard web requests. To do this you will need to include the server's certificate in your client code (which may be challenging, as the certificate in the app code must be updated to avoid certificate expiration).
SSL pinning is a technique that is used to ensure your API traffic is as secure as possible and isn't inspected or changed during transit. It is only as secure as the private key of the server certificate.
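The following is an added example, not code from the original page or from the plugin project: a fail-closed wrapper around the advanced HTTP plugin's `setServerTrustMode('pinned', ...)` and `get(...)` calls. The names `pinnedGet`, `makeStubHttp` and `outcome`, the stub's values and the `api.example.test` host used to exercise it are assumptions made for illustration.

```javascript
// Added example. `http` is the plugin object (cordova.plugin.http on a device);
// it is passed in so the logic can also be run off-device against a stub.

// Send a GET only over a pinned connection. Fails closed: if pinning cannot be
// enabled, or the URL is not https, the request is never sent.
function pinnedGet(http, url, onSuccess, onError) {
  if (!/^https:\/\//i.test(url)) {
    onError({ kind: 'insecure-url', detail: url });
    return;
  }
  http.setServerTrustMode('pinned', function () {
    http.get(url, {}, {}, onSuccess, function (res) {
      // A server certificate that does not match the bundled one surfaces as a
      // TLS failure. A renewed certificate that the app does not yet bundle
      // looks the same as interception, so never retry without pinning.
      const tls = res.status === http.ErrorCode.SSL_EXCEPTION;
      onError({ kind: tls ? 'tls-or-pin-failure' : 'request-failed',
                status: res.status, detail: res.error });
    });
  }, function (err) {
    onError({ kind: 'pinning-unavailable', detail: String(err) });
  });
}

// Constructed stand-in for the plugin, for running the wrapper under Node.
// `presented` is the certificate the "server" shows, `bundled` the pinned ones.
function makeStubHttp(presented, bundled, pinningWorks = true) {
  let mode = 'default';
  return {
    sent: 0,
    ErrorCode: { SSL_EXCEPTION: -2 }, // constructed value for the stub
    setServerTrustMode(m, ok, fail) {
      if (pinningWorks) { mode = m; ok(); } else { fail('no certificates bundled'); }
    },
    get(url, params, headers, ok, fail) {
      this.sent += 1;
      const mismatch = mode === 'pinned' && !bundled.includes(presented);
      if (mismatch) fail({ status: -2, error: 'TLS connection could not be established' });
      else ok({ status: 200, data: 'ok' });
    },
  };
}

// Helper for trying the wrapper: run one request and return its outcome.
function outcome(http, url) {
  let result;
  pinnedGet(http, url, (r) => { result = { ok: r.status }; }, (e) => { result = e; });
  return result;
}
```

On a device, pass `cordova.plugin.http` as the first argument after the `deviceready` event; the stub only exists so the failure paths can be checked without one.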
Any data stored at rest on the device presents an opportunity for attack. In general, you should avoid storing any sensitive data on the device, but in scenarios where network latency is an issue or working offline is needed, encrypting stored app data is a must. For this Ionic has its Secure Storage product.
Traffic between your app and your API is generally secured using authentication relying on the credentials supplied by a user. Your code and data are easiest to exploit when this authentication code layer has not been penetration tested, or has not been written and maintained continuously with a focus on security. Ionic provides its Auth Connect product to provide industry standard authentication and reduce your vulnerable authentication code to API calls.
It's worth mentioning that both Apple and Google have invested heavily in biometric technology that is baked into their hardware and hardened beyond what can be done with standard software-based encryption. Ionic's Identity Vault product takes advantage of this, and beyond biometric authentication it also provides storage of data using your biometric signature.
Security should be done as a layered approach, and using biometric encryption provides an additional layer on secure storage that reduces the likelihood of tampering with data at rest.
At Ionic, we provide enterprise solutions to Authentication's most common security challenges with Auth Connect, Encryption at rest with Secure Storage, and Biometric security with Identity Vault. These products sit on top of security frameworks built by companies that handle security full time (e.g. AWS Cognito, Azure B2C, Apple, Android). For additional security solutions we rely on Ionic Trusted Partners or can provide opinions on third party solutions.
As the landscape for code protection is changing rapidly it is worth doing independent research on third party security products.