It is difficult to say this, but there is no way to make your Ionic app truly uncrackable. Once you have completed your app and passed it on to the public, a hacker who wants to know how your app works will, given time, be able to crack open your code one way or another. This is a weakness not only of hybrid mobile apps but of mobile apps in general.
It is akin to handing a tinkerer a cuckoo clock that you have just built. If the tinkerer is competent, he/she will, in due time, find out what makes your clock tick.
However, there are ways to make it a little more difficult for the “tinkerer” to see what is going on behind your app. Here are 5 ways to make your Ionic app more secure.
1. HTTPS versus HTTP
This is already the standard on current Android and iOS releases (iOS enforces it through App Transport Security, and Android blocks cleartext traffic by default since Android 9). Unless you are debugging, any connection to a server must be made over HTTPS. (Note the S at the end, which stands for secure.)
A plain HTTP connection can be read and modified by anyone on the network path between the device and the server, so connecting via HTTP is not recommended.
2. SSL Pinning
Another way to secure your app, if it needs to connect to a remote server, is SSL pinning.
SSL pinning secures the connection by ‘pinning’ the server’s expected certificate (or its public key) inside the app, so the app accepts only a server that presents that certificate.
Basically, if a strange actor tries to get between your app and the server using a different certificate, even one signed by a trusted certificate authority, the app refuses the connection, so none of the services on the server can be reached through that actor.
This can be done easily with Ionic through several different methods:
- Cordova / Phonegap plugin for communicating with HTTP servers. Supports iOS, Android and Browser. This is a fork of…
- Sample Ionic + Angular + Capacitor App to test SSL Pinning - ashenwgt/ionic-capacitor-ssl-pinning
3. Source code obfuscation
With Ionic, building with the ‘prod’ and ‘release’ flags automatically minifies and uglifies the code, which already makes it harder to read for a budding ‘tinkerer’. Harder, of course, does not mean impossible to decipher.
An added layer would be to use an obfuscator. To obfuscate means to make something unclear or, in a way, unintelligible. Keep in mind that obfuscation only raises the effort needed to read the code; any secret embedded in the bundle, such as an API key, can still be recovered from it.
Reference for code obfuscating in Ionic:
- Ionic (and other hybrid apps) code protection: Code protection is a common (supposed to be) drawback when speaking about hybrid apps. At least on Android, decompiling…
4. Secure local storage
It is best to avoid local storage wherever possible and to do the processing on the server end instead. In practice, however, the app still needs somewhere to keep its security tokens, the tokens it uses to authenticate its communication with the server.
Placing security tokens in plain local storage is a potentially major flaw, since that storage is readable by anyone who can get at the device’s file system, and can be exploited by unsavoury actors.
One way to reduce this risk is to use a secure (encrypted) storage service instead of plain local storage. Such services are available from the Ionic team themselves and from third-party providers who can set up secure local storage for your application.
The Ionic team’s own Offline Secure Storage:
- Ionic empowers web developers to build leading cross-platform mobile apps and Progressive Web Apps (PWAs)
This is a premium service by the Ionic team that provides seamless, secure offline/online local storage for your app. Do have a look at the link above to make the local storage in your Ionic app more secure, as well as at the other solutions they present, such as Auth Connect.
5. Sensitive operations are done on the server
Sensitive operations, such as token generation, should be done on the server. This makes your Ionic application more secure because the sensitive work is not done ‘in house’ in the application itself, where it can be inspected.
By moving sensitive operations to the server, you keep control over how each operation is executed and over what is presented in your application, knowing full well that the application only serves as a frame through which your clients access your services.
This assumes the server is under your control, so a curious ‘tinkerer’ cannot simply come in and have a look at how you do things, as they can with the code shipped inside the app.
These are just 5 ways of making your Ionic app a little bit more secure. This is a good start, but it is by no means a definitive list. If you have other ideas on how to make your Ionic app more secure, please add them in the comments below.