Niotron - Your Obfuscated Text component is not working

Hello,

I just got an expert from Bugv ( https://bugv.io/ ) to test my app, and we also tested the Niotron Obfuscated Text component, and he managed to easily learn our used API. In fact, not only was there no difficulty, there weren’t even any traces that we used the obfuscated text component. Can we get more information about this obfuscated text?

1 Like

The obfuscated text is not supposed to be 100% secure. But it really should offer some protection.
By the way, this bugv.io is a very nice website. Can you say how much you paid for the penetration test?

1 Like

For me it was for free, but you can reach out and ask for the price. I am aware obfuscated text is not supposed to be 100% secure, but at least they had to find any trace that we used obfuscated text.

1 Like

First of all, encrypting an API URL or key is not a way of making it secure, as whenever it gets called you can easily log that in any HTTP traffic logger tool. (It’s completely pointless; you invited a tester without knowing the fundamentals of the thing you are using.)

obfuscated text

Produces text, like a text block. The difference is that the text is not easily discoverable by examining the app’s contents. Use this when creating apps to distribute that include confidential information, for example, API keys.

Warning: This provides only very low security against expert adversaries.
Source: MIT App Inventor Text Blocks


There are plenty of ways to securely transfer data or communicate with servers using API calls. One of the best methods is encrypting data (Query Params | Body Params) by using a secured key (which you can protect using obfuscated text, but make sure not to transfer/share the secured key during API calls) and AES or any other encryption method. We do have a security component available in the builder.

For extra security you can even use methods like Diffie-Hellman key exchange, in which you can generate a unique security key dynamically on client and server to securely communicate and transfer data.


Changed Topic Category to Discussion, as it’s not relevant.

3 Likes

For AES encryption you can use this script to encrypt and decrypt data before transmitting:

AES Encryption Class Compatible with Java and PHP - Jkoder.com

For the Java side I have built an extension to encrypt and decrypt data. If you want, I can share the extension with you, and the PHP script is given in the link.

1 Like