
Web App with manifest security through javascript and local storage

I want to create a web app over several mobile platforms; it won't be free, but commercial, so the user will have an unlock code that gives access (through remote PHP code) to an index.php page.

This page has a manifest file, so all files that are needed are downloaded to the device's offline storage/cache. Now my doubt is: Is there a chance that the user may copy all of my HTML/CSS/JS files to another device, and use my non-free offline application elsewhere?

I think the answer is yes, so I want to create a JavaScript security system that will check if a specific value is equal to another value taken from the local SQL or indexed storage.

So the second question is: If the user can't break the JavaScript code because it is well done, can the user also copy the web-related local storage, nullifying my security check?

If so, then on which device, and under which conditions? (every version of Android, jailbroken iOS, etc.)

Thanks for your attention.

Everything downloaded to a client must be considered insecure, sharable and scrutinize-able.

There is no way to secure or protect JavaScript source or any of the data downloaded. It's just a matter of setting up a proxy such as Fiddler or just copying data from the cache directly (or saving the source files from within the browser).

Even going with a private-public key approach won't do as it's rather easy to jump the function used to do the checking.

So yes, all data can be copied and shared, and there exists no such thing as unbreakable code :)

This is a classic situation - you need to calculate that there will be some illegitimate use of your software no matter what you do - you can make it more difficult, but not prevent it (especially in the case such as downloaded Javascript).

My 2 cents: Make sure you make a good license and have faith that most users (?) will be honest and pay for a license. Maybe your license can be user-oriented instead of device-oriented, so there is no need for the user to "break" the security if he wants to use it on another device of his (legal cases usually allow the user to do this anyway, and that's a good thing!)?

Also, depending on who your target group is, most users do not have the know-how to "break" the security (unless you target developers). As said, you need to pre-calculate a certain risk for this to happen.

Update often, change code around, rename functions, change server API (force updates) - doesn't prevent a security breach, but makes it more painful for a "hacker" to constantly keep up.

You'll win some, you'll lose some. It's just the way it is...
