DroidScript Code Protection Concerns

[Ferhat]

I developed an app using DroidScript that reached over 400,000 downloads on the Play Store. Later, I removed the app from the Play Store for various reasons. However, after taking it down, I continued receiving many emails from former users about the app. During this time, I noticed that multiple clones of my app were being published on the Play Store, and each time I contacted Google to have them removed.

Now my question is: Is there any way to hide the source code of projects developed with DroidScript? Or are there any planned security or protection measures for this in future updates? Because the fake apps were able to directly access my source code.

[DogPlanner GSS]

Dear Ferhat,

400.000 downloads are a lot! Could you give us pls little more information about your app? What is the function of this? Is it game or useful instrument? It is very interesting, it is not easy to develop such a necessary application!

As we know many-many app downloads are being achieved through advertising or another marketing operations? What did you perfom e.g. forum advertising, social media etc. or just correctly written description? How to get information to users?

Thank you in advance! Have a nice day.

Best regards

Dmitry

вторник, 28 апреля 2026 г. в 17:53:55 UTC+3, Ferhat:

[Alan Hendry]

HI,

When you build your app there is a checkbox to Obfuscate.Code.

That is designed to make it harder for anyone to see your code in AAB.

Regards, ah

[Ferhat]

Hi,

Thanks for the suggestion. However, I think the “Obfuscate Code” feature only applies to JavaScript files. I usually develop projects using HTML, CSS, and JavaScript, and even if the JavaScript code is obfuscated, the HTML and CSS remain visible, which still causes an issue. I guess there’s nothing that can be done about that.

Regards

1 Mayıs 2026 Cuma tarihinde saat 11:43:10 UTC+3 itibarıyla hendr...@gmail.com şunları yazdı:

[Ferhat]

Hi,

I don’t know, but when I’m going to build a project, I usually first analyze the market and then ask myself, “Why would people use my app?” I choose things that are different and better. I usually develop applications using HTML, CSS, and JavaScript. The projects I build can imitate native UI very well, to the point where users don’t even realize it’s a web app. I integrate them into a WebView and handle data operations with DroidScript.

Regards

3 Mayıs 2026 Pazar tarihinde saat 14:14:13 UTC+3 itibarıyla Ferhat şunları yazdı:

[Alan Hendry]

HI,

If they are in cleartext then you could suggest encrypting them to the development team.

There should be a thread on Google Groups (what we want).

There's also app.CreateCrypt, 

You could write a small app with a password to encrypt files,

then in your main app decrypt with the same password.

For webview then (just) read, decrypt, web.LoadHtml.

For CSS youd need to decrypt to a file (perhaps in a private folder)

then reference that in html.

Regards, ah

[Ferhat]

Hi,

In my projects, I need to add a lot of CSS code and fine-tune everything as smoothly as possible in order to achieve a native UI look. In my previous project, there were over 6,000 lines of CSS and many separate CSS files. In my current project, there are more than 20 CSS files. Encrypting each of them and then decrypting them again doesn’t seem like a good idea. In fact, it can sometimes even increase complexity. That’s why it would be great if DroidScript had an automatic CSS encryption feature for AAB files. I like DroidScript. My main interest is JavaScript, so using DroidScript makes data storage and handling very fast for me. I hope such a feature will be added in the future.

BTW, Thank you for your help.

Regards

3 Mayıs 2026 Pazar tarihinde saat 14:56:07 UTC+3 itibarıyla hendr...@gmail.com şunları yazdı:

[Alan Hendry]

HI,

Iif you have a HTML project (not a Native project) 

I would hope that your main html file is obfuscated.

Ditto for any additional js script files in a native project.

Regarfs, ah

 

[DogPlanner GSS]

Dear Ferhat,

thank you very much for your answer! It is very important as I understand to analyse market before app development, to find the strong and interesting solutions to stand out from other apps offered on platforms. 

What do you think is more important - good idea and correct work of the new app, or active promotion the app at the second step after publishing it. Is it possible to achieve this great number of downloads without aggressively promotion the app by posting the information on various forums and social networks.

In our practice our first app was published at the Google play (and then at AppGallery, and another local platforms) in 2020 year and since it was achieved may be 3000 downloads. Moreover, at the first, a lot of work was done to post info in social networks and forums. There was a lot of irritation from group owners. And we haven't reached even 10000 downloads in 5 years.

Thank you very much in advance!

Have a nice day.

Best regards

Dmitry

воскресенье, 3 мая 2026 г. в 20:29:30 UTC+3, hendr...@gmail.com:

[Dave]

It's difficult to protect apps from duplication, even pure Java apps can be duplicated and/or decompiled quite easily.

Once solution I have used in the past is to check the app's APK signature at runtime and check it matches your own signature.  This means that the person duplicating your obfuscated code has to take extra effort to find where you are calling this check (in the obfuscated code) and not just copy all your assets and dump them into a new app.

I did that signature check in the 'old days' before google started signing our apps for us, so it might be slightly more complicated now as you would probably need to upload an alpha with a button to show the signature used by google, then put that into the code of your next beta release.

This would probably stop unsophisticated cloners, but not determined hackers, especially as AI could help them find and eliminate the security checks :(

[Ferhat]

Hi Dave, Thank you for your reply.

I was actually wondering if you could add support for encrypting CSS code as well. When DroidScript generates an AAB file, it can encrypt my JavaScript code, but the CSS files remain completely exposed.

7 Mayıs 2026 Perşembe tarihinde saat 21:17:10 UTC+3 itibarıyla Dave şunları yazdı:

[Dmitry Gavryushin]

Dear Ferhat,

It is incredible! 400000 downloads Wow! Could you pls describe what is the function of your app? Why is it so popular in Google play? Is it game or useful instrument?

Thank you very much in advance.

Have a nice day.

Best regards

Dmitry

вторник, 28 апреля 2026 г. в 17:53:55 UTC+3, Ferhat:

I developed an app using DroidScript that reached over 400,000 downloads on the Play Store. Later, I removed the app from the Play Store for various reasons. However, after taking it down, I continued receiving many emails from former users about the app. During this time, I noticed that multiple clones of my app were being published on the Play Store, and each time I contacted Google to have them removed.

[Dave]

Hmmm...

If your app is an SPA (single page application) and does not load different pages during use, then it might be able to encrypt your whole site and add them to your assets, then extract during startup and immediately delete them once all the files are loaded into the WebView.

Ideally, fetch an online key to do the decryption and use a formula or table to rotate the key according the usage count or current date/time.

That's the best I can think of off the top of my head.

[Symbroson]

You can intercept loading of html assets and add them to the document via js.

I hacked together a very basic demo in the attachments. If you comment out the 'addEventListener("DOMContentLoaded", load);' only the standard HTML demo should be displayed.

Note that this is not production ready and needs further refinement as well as the actual encryption method i.e. via app.CreateCrypt or an external encryption method. It wotks with this simple site but it may be more difficult with complex sites. 

Basically you add this script to your html header before all other resources:

<head>
<meta name="viewport" content="width=device-width">

<script src="ds:/Sys/app.js"></script>

<script>
const dec = s => s; //atob(s);

async function load()
{
   const appUri = app.RealPath(app.GetPath());
   for(const e of document.querySelectorAll("[decrypt]"))
   {
      let url = e.src || e.href;
      if(url.startsWith("file://"))
         url = url.replace("file://" + appUri + '/', '')

      const t = app.ReadFile(url);

      if(e.tagName == "SCRIPT")
      {
         const s = document.createElement("script");
         s.textContent = t;
         document.head.appendChild(s);
      }
      else
      {
         const s = document.createElement("style");
         s.textContent = t;
         document.head.appendChild(s);
      }
   }
}

addEventListener("DOMContentLoaded", load);
</script>

<script decrypt src="./index.js"></script>
<link decrypt rel="stylesheet" href="./index.css">

</head>