(!OUTDATED!) Kodular APK Security

That is true. After an APK file is compiled, the extension gets converted into Java or probably Kotlin code. However, paid extensions can be stolen using an archive program such as WinRAR or 7-zip. Fortunately, AIA files are AI2 Project files which are still safe. AIA files do not have links generated, so they are safe. APK files can also be opened with those two programs I mentioned earlier, but as I also mentioned earlier, the extensions and blocks get converted into Java or Kotlin code.

So you don't need to worry about extraction of paid extensions, and I agree Kodular should reduce the link expiry time.


Also, one thing to note is that back then, before any of this, Kodular APK files in my Google Chrome download history would show links on creator.kodular.io with a bunch of letters and numbers. The links were long but would be accessible only by me. MIT App Inventor and other AI2 based platforms generated private links as well, but Kodular has short easy links now hosted on kodular.app that are easy to guess, almost like a bit.ly link. The time should be shortened or this feature should be gone. I already host my apps privately with the private Business on Google Drive, so there’s no need for a feature like this. Google Drive is free and most people have Gmail Accounts. Kodular supports SSO with Gmail.

So what if the “hacker” guessed the generated link? What he has is an app with no source code. It’s like saying, I download this app from Play Store so therefore I own it; it doesn’t really make any sense… So far as I know the link doesn’t come with the source file of your app… So chill, no one is stealing your app.

Source code or not, I do not want my personal apps hosted publicly without my consent. The private business does not want the apps public and I do not want them public either. I am currently not making any apps for the whole world to use. So, the private apps will start having confidential information not meant to be shared. The APK file produces the app itself and that is not something I want stolen. I have to add Tiny DB and a text box to prevent my apps from being pirated and out in the public. It is time consuming. I have sent an email to @Conor and @Diego back in October and I got no response. I have been using Kodular since 2019 and now I am going to avoid it until this feature is either fixed or changed. Here is a picture of what I am talking about.


you are using a public server… so theoretically Kodular itself or a Kodular admin does have access to all the projects…

you probably prefer to use an offline server? then you have everything under control… and you are responsible for the projects by yourself… unfortunately not available for Kodular, but for App Inventor AI2Offline - Browse Files at SourceForge.net
this provides the maximum security for you…



I really don’t think this is anything to worry about. As already mentioned, there are over 300 million possible combinations and it’s almost impossible to guess this in 2 hours. We have also never known this to be abused in the past.
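
To put numbers on the guessing risk debated in this thread, the following added example (not part of any post and not Kodular's code) uses the 300 million keyspace and 2-hour lifetime quoted above to estimate the chance that random requests land on a live link, the request rate a limiter would have to enforce, and the token length needed for a target risk. The request rate, the number of simultaneously live links and the 62-character alphabet are assumptions.

```python
import math

KEYSPACE = 300_000_000   # "over 300 million possible combinations" (from the thread)
WINDOW_S = 2 * 60 * 60   # links expire after 2 hours (from the thread)


def p_hit_any(guesses, live_links, keyspace=KEYSPACE):
    """Probability that at least one of `guesses` uniformly random
    requests matches any of `live_links` currently valid links."""
    if live_links >= keyspace:
        return 1.0
    miss_one = math.log1p(-live_links / keyspace)   # log P(one guess misses)
    return -math.expm1(guesses * miss_one)          # 1 - P(all guesses miss)


def max_rate_for_risk(target_p, live_links, keyspace=KEYSPACE, window_s=WINDOW_S):
    """Requests per second a rate limiter must stay below so that
    p_hit_any over one expiry window does not exceed target_p."""
    guesses = math.log1p(-target_p) / math.log1p(-live_links / keyspace)
    return guesses / window_s


def token_length_for_risk(target_p, guesses, live_links, alphabet=62):
    """Shortest random token length (alphabet size is an assumption)
    that keeps p_hit_any at or below target_p."""
    n = 1
    while p_hit_any(guesses, live_links, alphabet ** n) > target_p:
        n += 1
    return n


if __name__ == "__main__":
    guesses = 10 * WINDOW_S          # assumed: 10 requests/s for one window
    for live in (1, 1000):           # assumed numbers of live links
        print(live, round(p_hit_any(guesses, live), 6))
    print(round(max_rate_for_risk(0.01, 1000), 3))
    print(token_length_for_risk(1e-6, guesses, 1000))
```

Under these assumptions the chance of hitting one particular link stays near 0.02%, while the chance of hitting any link grows with how many are valid at once, so expiry time, rate limiting and token length are the settings that decide the exposure.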


Well, Kodular does not allow its users to build apps that make viruses or anything else wrong. So, some users should be brave but it is hard to know what the app has.

As I am not allowed to create duplicate topics, I still want this feature to either be gone or changed.

yes… thank you
I now moved your post to the correct thread


Is anybody still going to post a solution? It is December and Kodular Creator is still on 1.4D.1 Eagle which is built on September 4, 2020. Kodular Creator is a few months outdated and I also need this public link stuff removed as soon as possible. I am using MIT App Inventor now to build my apps to protect my privacy until this public link feature is either changed or removed.

Unless you are using an offline version I don’t see what difference that makes? App Inventor apk links also expire after 2 hours…

I honestly think you are exaggerating. Nobody is going to find the link to your app and even if they do, what are they going to do with it? You can easily get the apk back from an app once it is installed on a user’s device too.


I also think devs have better things to do than work on a thing that is not a problem. Like @Conor said, I also think you are exaggerating the issue. In essence there is no issue.


But they don’t get generated publicly with a short link.

Also, if you remember, some users said that a hacker can build an app either with Kodular or another MIT AI2 based platform to steal APKs. Some are brave because all MIT AI2 Based platforms do not allow any apps that destruct a user’s device. Some users who also buy images online from iStock photo or Vector Stock will have to worry about the paid images extracted from the APK. Includes paid fonts as well and other paid items in digital forms. I cannot even put any sensitive information or anything personal because I was confident that nobody would be able to steal my app before any of this. Back in 2019 I moved from Thunkable X because of it having a public gallery. APK Files can be extracted using programs like 7-zip. I am not going to keep up with this feature. Nobody needs a feature like this. Most people already have Google Drive and other Cloud storage services so why build a feature like this. Google Drive is free and I use it for my apps. If a user suggested this feature, I don’t mean to hurt their feelings by removing it but I think that the feature should be changed with the ability to disable this public link stuff in the creator settings, change the duration, or set permissions. My AIA Files are safe but my APK files are how I run my apps and assets can be extracted.

Actually, this is a BIG HUGE issue to the privacy of my information and my apps along with other Kodular users.

Koders! If you do not like this new public link feature, answer my form/poll here

How? Some users could upload it externally and there is no other defense than using a textbox, tinydb, and a password screen to prevent piracy of my apps. My assets are also defenseless as they can be extracted from the APK. Private is private. If a user wants to make their apps public then they should host it on Google Drive or the Google Play Store. I created a form poll to see if anyone likes this feature or not.

There is no point in this :point_up: statement of yours. Adding to what Conor said :point_down:

There is not even a need to get the APK from the app. A person who wants to steal the assets (like you mentioned, which are in digital forms) can steal them directly from the installed app using some third party tools.

Private is Private! I am not going to let my privacy or private assets be stolen. It is a shame that I have to avoid Kodular because of this. Also, how can I get the app back from a user’s device? I am not a hacker and I cannot create an app that suspiciously controls a user’s device or does bad activities on it.

So are you going to avoid all the platforms which lets you develop Android app? Because the things I mentioned can happen with any app developed on any platform, even on Android studio. It’s not related specifically to Kodular or to any other similar platforms.

You don’t need to be a hacker for doing such things :slightly_smiling_face:

You don’t need to, they are already created.
