DEV Community

Julio Merlo

Ionic + Capacitor Security Tips

These tips use obfuscation and custom ProGuard rules to minify and compress the code.

Content

Obfuscation

To obfuscate, open the build.gradle file and set the minifyEnabled property to true, like this:

release {
   minifyEnabled true
   ...
}

Obfuscation Rules

After that, add the following lines to the proguard-rules.pro file:

##############
# Ionic Config
##############
-keep class org.apache.cordova.** { *; }
-keep class org.apache.cordova.camera.** { *; }
-keep public class * extends org.apache.cordova.CordovaPlugin
-keep class com.ionic.keyboard.IonicKeyboard.** { *; }
##############
# Ionic Config
##############

#########################################################
# Remember to change the com.abc.xyz to your real App id!
#########################################################
-keep class com.abc.xyz.BuildConfig { *; }
#########################################################
# Remember to change the com.abc.xyz to your real App id!
#########################################################

########
# AdMob
########
-keep class * extends java.util.ListResourceBundle {
    protected Object[][] getContents();
}
-keep public class com.google.android.gms.common.internal.safeparcel.SafeParcelable {
    public static final *** NULL;
}
-keepnames @com.google.android.gms.common.annotation.KeepName class *
-keepclassmembernames class * {
    @com.google.android.gms.common.annotation.KeepName *;
}
-keepnames class * implements android.os.Parcelable {
    public static final ** CREATOR;
}
-keep public class com.google.cordova.admob.**
########
# AdMob
########

########################################################
# Not sure if needed, found it in several documentations
########################################################
-keep class * extends java.util.ListResourceBundle {
    protected Object[][] getContents();
}
-keep public class com.google.android.gms.common.internal.safeparcel.SafeParcelable {
    public static final *** NULL;
}
-keepnames @com.google.android.gms.common.annotation.KeepName class *
-keepclassmembernames class * {
    @com.google.android.gms.common.annotation.KeepName *;
}
-keepnames class * implements android.os.Parcelable {
    public static final ** CREATOR;
}
########################################################
# Not sure if needed, found it in several documentations
########################################################

################################################
# Rules for Capacitor v3 plugins and annotations
################################################
-keep @com.getcapacitor.annotation.CapacitorPlugin public class * {
    @com.getcapacitor.annotation.PermissionCallback <methods>;
    @com.getcapacitor.annotation.ActivityCallback <methods>;
    @com.getcapacitor.annotation.Permission <methods>;
    @com.getcapacitor.PluginMethod public <methods>;
}
################################################
# Rules for Capacitor v3 plugins and annotations
################################################

################################################
# Rules for Capacitor v2 plugins and annotations
# These are deprecated. 
# But can still be used with Capacitor for now 
################################################
-keep @com.getcapacitor.NativePlugin public class * {
  @com.getcapacitor.PluginMethod public <methods>;
}
################################################
# Rules for Capacitor v2 plugins and annotations
# These are deprecated.
# But can still be used with Capacitor for now
################################################

###########################
# Rules for Cordova plugins
###########################
-keep public class * extends org.apache.cordova.* {
  public <methods>;
  public <fields>;
}
###########################
# Rules for Cordova plugins
###########################

################################################
# Note: add these rules if you use Huawei plugins
# HMS Settings
################################################
-ignorewarnings
-keepattributes *Annotation*
-keepattributes Exceptions
-keepattributes InnerClasses
-keepattributes Signature
-keep class com.huawei.hianalytics.**{*;}
-keep class com.huawei.updatesdk.**{*;}
-keep class com.huawei.hms.**{*;}
-repackageclasses
################################################
# Note: add these rules if you use Huawei plugins
# HMS Settings
################################################
NOTE 📝

Remember to check whether any other package you use in your project documents additional rules you must add. Using proguard-rules.pro may break your app if you overlook or omit the rules the package author gives you.
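
A rules file assembled from several sources, like the one above, is easy to get subtly wrong. The following Node.js audit is an added example, not code from the original post: it reports duplicated rules, keep-all rules already covered by a broader one, the com.abc.xyz placeholder left unchanged, and -ignorewarnings. The names parseRules, auditRules and SAMPLE (a constructed excerpt of the rules above) are this example's own.

```javascript
// Added example: lint the text of a proguard-rules.pro file.
// Join each rule, which may span several lines, into one normalized string.
function parseRules(text) {
  const rules = [];
  let depth = 0;
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/#.*$/, '').trim(); // '#' starts a comment
    if (!line) return;
    if (depth === 0 || rules.length === 0) rules.push({ line: i + 1, text: line });
    else rules[rules.length - 1].text += ' ' + line;
    const delta = (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
    depth = Math.max(0, depth + delta);
  });
  // Collapse whitespace so "pkg.** { *; }" and "pkg.**{*;}" compare equal.
  for (const r of rules) r.text = r.text.replace(/\s+/g, ' ').replace(/ ?([{};]) ?/g, '$1');
  return rules;
}

function auditRules(text) {
  const findings = [];
  const seen = new Map(); // normalized rule -> line of first occurrence
  const keepAll = [];     // packages kept wholesale via "-keep class pkg.**{*;}"
  const report = (line, type, detail) => findings.push({ line, type, detail });
  for (const r of parseRules(text)) {
    if (seen.has(r.text)) report(r.line, 'duplicate', `same as line ${seen.get(r.text)}`);
    else seen.set(r.text, r.line);
    const m = /^-keep class ([\w.]+)\.\*\*\{\*;\}$/.exec(r.text);
    if (m) keepAll.push({ pkg: m[1], line: r.line });
    if (r.text === '-ignorewarnings') report(r.line, 'ignorewarnings', 'build continues despite unresolved references');
    if (r.text.includes('com.abc.xyz')) report(r.line, 'placeholder-app-id', 'replace com.abc.xyz with the real app id');
  }
  for (const a of keepAll) {
    const wider = keepAll.find(k => a.pkg.startsWith(k.pkg + '.'));
    if (wider) report(a.line, 'redundant', `covered by ${wider.pkg}.** on line ${wider.line}`);
  }
  return findings;
}

// Constructed sample: a short excerpt of the rules shown above.
const SAMPLE = [
  '-keep class org.apache.cordova.** { *; }',
  '-keep class org.apache.cordova.camera.** { *; }',
  '-keep class org.apache.cordova.** { *; }',
  '-keep class com.abc.xyz.BuildConfig { *; }',
  '-keepnames class * implements android.os.Parcelable {',
  '    public static final ** CREATOR;',
  '}',
  '-ignorewarnings',
].join('\n');
for (const f of auditRules(SAMPLE)) console.log(`line ${f.line}: ${f.type} (${f.detail})`);
```

To audit a real project, pass the contents of its proguard-rules.pro to auditRules and fail the CI job when the returned array is not empty.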

Rooted Device Checking

You can do this with the Diagnostic Plugin, which can check whether the device is rooted. Keep in mind that the plugin has many other functions if you want to look into it.

Detect Jailbreak Phone

Another layer is to use a library to check whether your app is launched on an insecure OS, such as a jailbroken one. I found this library to help prevent jailbreak, and the documentation for setting it up.

Top comments (1)

Cauê Almeida

Great tips. As I'm starting to check similar possible security enhancements in my app, your post fits like a glove.