Kodular APK Security

We mostly do not enter the url manually.
So I would like to suggest that improve the complexity of code.

Lower case letters
Length of code

10-20 minutes time is enough to download.

Allow to download only once.

Yeah that’s something which can be fool proof.

Unless the hacker manages to download before we do :joy:

What will Happen if that so called Hacker Downloads your App.

Might he /she Report some Bugs and Glitches.

They got other works to do.
They will not be there waiting for your Next Build for the Next Update.

Hacker trying to get certainly your .apk in out of 1000 others do not sounds anyway Feasible.


and hacker can also extract paid extensions from the APK

Anyone can do this… It doesn’t have to just be a hacker. I’ll tell you this, when I am done with school tomorrow, I will create a program to guess the links and you will see how long it takes for a valid one to pop up (only if @Kodular is ok with it though).


The code that is needed to download a compiled app from Kodular is a combination of 26 alphabets. Just use the permutations and combinations to calculate how many codes you can generate.

If you repeat alphabets, you will have: 26^6 = 26 * 26 * 26 * 26 * 26 * 26 = 308,915,776 codes.

If you don’t, you will have: 26 * 25 * 24 * 23 * 22 * 21 = 26!/20! = 165,765,600 codes.

Probability is: 1/308,915,776 or 1/165,765,600.

1 Like

Yes it is possible to create simple script that creates random Kodular links and check if its valid. Along with a lot of combinations, who are brave enough to take a risk by installing an unknown app that came from a random Kodular link?


I am done with school and I will begin making it, I brainstormed the idea before going to sleep last night- :moyai:

That is highly possible. Guessing random letters and numbers and stealing APKS are wrong. The easy-guessable links are accessible even outside my Kodular or Gmail Account. They are easily guessable in Incognito windows on browsers like Google Chrome. Also, I might avoid Kodular for now and see how that goes.

1 Like

its not possible

That is true. After an APK file is compiled, the extension gets converted into Java or probably Kotlin code. However, paid extensions can be stolen using an archive program such as WinRAR or 7-zip. Fortunately, AIA files are AI2 Project files which are still safe. AIA files do not have links generated so, they are safe. APK files can also be opened with those two programs I mentioned earlier, but as I also mentioned earlier the extensions and blocks get converted into Java or Kotlin code.

so you dont need to be worry about extraction of paid extension and i agree kodular should reduce the link expiry time

1 Like

Also one thing to note is that back then before any of this, Kodular apk files in my Google Chrome download history would show links on creator.kodular.io with a bunch or letters and numbers. The links were long but would be accessible only be me. MIT App Inventor and other AI2 based platforms generated private links as well, but Kodular has short easy links now hosted on kodular.app that are easy to guess almost like a bit.ly link. The time should be shortened or this feature should be gone. I already host me apps privately with the private Business on Google Drive to there’s no need for a feature like this. Google Drive is free and most people have Gmail Accounts. Kodular supports SSO with Gmail.

So what if the “hacker” guessed the generated link? what he has is an app with no source code, its like saying, I download this app from Play Store so therefore I own it, it doesn’t really make any sense… So far I know the link doesn’t come with the source file of your app… So chill no one is stealing your app.

Source code or not, I do not want my personal apps hosted publicly without my consent. The private business does not want the apps public and I do not want them public either. I am currently not making any apps for the whole world to use. So, the private apps will start having confidential information not meant to be shared. The APK file produces the app itself and that is not something I want stolen. I have to add Tiny DB and a text box to prevent my apps from being pirated and out in the public. It is time consuming. I have sent an email to @Conor and @Diego back in October and I got no response. I have been using Kodular since 2019 and now I am going to avoid it until this feature is either fixed or changed. Here is a picture of what I am talking about.


you are using a public server… so theoretically Kodular itself or a Kodular admin does have access to all the projects…

you probably prefer to use an offline server? then you have everything under control… and you are responsible for the projects by yourself… unfortunately not available for Kodular, but for App Inventor AI2Offline - Browse Files at SourceForge.net
this provides the maximum security for you…



I really don’t think this is anything to worry about. As already mentioned, there are over 300 million possible combinations and it’s almost impossible to guess this in 2 hours. We have also never known this to be abused in the past.


Well, Kodular does not allow its users to build apps that make viruses or anything else wrong. So, some users should be brave but it is hard to know what the app has.

As I am not allowed to create duplicate topics, I still want this feature to either be gone or changed.

yes… thank you
I now moved your post to the correct thread