(!OUTDATED!) Kodular APK Security

cje9604 · November 17, 2020, 7:47pm

That is true. After an APK file is compiled, the extension gets converted into Java or probably Kotlin code. However, paid extensions can be stolen using an archive program such as WinRAR or 7-zip. Fortunately, AIA files are AI2 Project files which are still safe. AIA files do not have links generated so, they are safe. APK files can also be opened with those two programs I mentioned earlier, but as I also mentioned earlier the extensions and blocks get converted into Java or Kotlin code.

M_Ali09 · November 17, 2020, 7:49pm

so you dont need to be worry about extraction of paid extension and i agree kodular should reduce the link expiry time

cje9604 · November 17, 2020, 7:55pm

Also one thing to note is that back then before any of this, Kodular apk files in my Google Chrome download history would show links on creator.kodular.io with a bunch or letters and numbers. The links were long but would be accessible only be me. MIT App Inventor and other AI2 based platforms generated private links as well, but Kodular has short easy links now hosted on kodular.app that are easy to guess almost like a bit.ly link. The time should be shortened or this feature should be gone. I already host me apps privately with the private Business on Google Drive to there’s no need for a feature like this. Google Drive is free and most people have Gmail Accounts. Kodular supports SSO with Gmail.

velokirapthor · November 18, 2020, 12:11am

So what if the “hacker” guessed the generated link? what he has is an app with no source code, its like saying, I download this app from Play Store so therefore I own it, it doesn’t really make any sense… So far I know the link doesn’t come with the source file of your app… So chill no one is stealing your app.

cje9604 · November 18, 2020, 12:26am

Source code or not, I do not want my personal apps hosted publicly without my consent. The private business does not want the apps public and I do not want them public either. I am currently not making any apps for the whole world to use. So, the private apps will start having confidential information not meant to be shared. The APK file produces the app itself and that is not something I want stolen. I have to add Tiny DB and a text box to prevent my apps from being pirated and out in the public. It is time consuming. I have sent an email to @Conor and @Diego back in October and I got no response. I have been using Kodular since 2019 and now I am going to avoid it until this feature is either fixed or changed. Here is a picture of what I am talking about.

Taifun · November 18, 2020, 12:43am

you are using a public server… so theoretically Kodular itself or a Kodular admin does have access to all the projects…

you probably prefer to use an offline server? then you have everything under control… and you are responsible for the projects by yourself… unfortunately not available for Kodular, but for App Inventor AI2Offline - Browse Files at SourceForge.net
this provides the maximum security for you…

Taifun

Conor · November 18, 2020, 9:46am

I really don’t think this is anything to worry about. As already mentioned, there are over 300 million possible combinations and it’s almost impossible to guess this in 2 hours. We have also never known this to be abused in the past.

cje9604 · November 18, 2020, 3:21pm

Well, Kodular does not allow its users to build apps that make viruses or anything else wrong. So, some users should be brave but it is hard to know what the app has.

cje9604 · November 20, 2020, 10:36pm

As I am not allowed to create duplicate topics, I still want this feature to either be gone or changed.

Taifun · November 20, 2020, 11:29pm

yes… thank you
I now moved your post to the correct thread

Taifun

cje9604 · December 5, 2020, 4:17pm

Is anybody still going to post a solution? It is December and Kodular Creator is still on 1.4D.1 Eagle which is built on September 4, 2020. Kodular Creator is a few months outdated and I also need this public link stuff removed as soon as possible. I am using MIT App Inventor now to build my apps to protect my privacy until this public link feature is either changed or removed.

Conor · December 5, 2020, 4:32pm

Unless you are using an offline version I don’t see what difference that makes? App Inventor apk links also expire after 2 hours…

I honestly think you are exaggerating. Nobody is going to find the link to your app and even if they do, what are they going to do with it? You can easily get the apk back from an app once it is installed on a user’s device too.

Peter · December 5, 2020, 4:41pm

I also think devs have better things to do then work on a thing that is not a problem. Like @Conor said, i also think you are exaggerating the issue. In essence there is no issue.

cje9604 · December 5, 2020, 4:59pm

But they don’t get generated publicly with a short link.

cje9604 · December 5, 2020, 5:12pm

Also, if you remember, some users said that a hacker can build an app either with Kodular or another MIT AI2 based platform to steal APKs. Some are brave because all MIT AI2 Based platforms do not allow any apps that destruct a user’s device. Some users who also buy images online from iStock photo or Vector Stock will have to worry about the paid images extracted from the APK. Includes paid fonts as well and other paid items in digital forms. I cannot even put any sensitive information or anything personal because I was confident that nobody would be able to steal my app before any of this. Back in 2019 I moved from Thunkable X because of it having a public gallery. APK Files can be extracted using programs like 7-zip. I am not going to keep up with this feature. Nobody needs a feature like this. Most people already have Google Drive and other Cloud storage services so why build a feature like this. Google Drive is free and I use it for my apps. If a user suggested this feature, I don’t mean to hurt their feelings by removing it but I think that the feature should be changed with the ability to disable this public link stuff in the creator settings, change the duration, or set permissions. My AIA Files are safe but my APK files are how I run my apps and assets can be extracted.

cje9604 · December 5, 2020, 6:45pm

Actually, this is a BIG HUGE issue to the privacy of my information and my apps along with other Kodular users.

Koders! If you do not like this new public link feature, answer my form/poll here

cje9604 · December 5, 2020, 6:57pm

How? Some users could upload it externally and there is no other defense than using a textbox, tinydb, and a password screen to prevent piracy of my apps. My assets are also defenseless as they can be extracted from the APK. Private is private. If a user wants to make their apps public then they should host it on Google Drive or the Google Play Store. I created a form poll to see if anyone likes this feature or not.

Vaibhav · December 5, 2020, 7:04pm

There is no point in this statement of your. Adding to what Conor said

There is not even need of getting the apk from app. Person who wants to steal the assets(like you mentioned which are in digital forms) can steal them directly from the installed app using some third party tools.

cje9604 · December 5, 2020, 7:06pm

Private is Private! I am not going to let my privacy or private assets be stolen. It is a shame that I have to avoid Kodular because of this. Also, how can I get the app back from a user’s device. I am not a hacker and I cannot create an app that suspiciously controls a users device or does bad activities on it.

Vaibhav · December 5, 2020, 7:15pm

So are you going to avoid all the platforms which lets you develop Android app? Because the things I mentioned can happen with any app developed on any platform, even on Android studio. It’s not related specifically to Kodular or to any other similar platforms.

You don’t need to be hacker for doing such things

You don’t need to, they are already created.