I'm building an app that allows the user to hide a file within another file. My question is, if the app handles the files reading and decrypting, how safe are the internal methods from discovery?
I have a working prototype and now am wondering if I seriously need to consider doing this with a server to ensure the method is safe. Or wondering if using the advanced minify option would sufficiently obfuscate how it works.
Minifying code will obscure it, but obscurity is not security. All the code will be there on the client side and if someone can figure out how to activate it themselves, they will be able to use it to decrypt anything they like.
Doing it on the server will obscure the code even more (as it's no longer on the client), but once again that is not the same thing as being secure. If it's theoretically possible for the information to be decrypted on the client, it could be reverse engineered or brute forced.
If you want a truly secure option, you should use existing software designed by security experts. Anything you build yourself is unlikely to be truly secure. I've worked in software since 2007 and I would not trust myself to build something truly secure, as I haven't got expertise in building cryptographically secure systems.
What I'm hearing you say is, if the method is on the user's device, it is vulnerable to discovery. If the method is on my server, and the user only sends and receives files, it's possible to reverse engineer the method unless sufficient cryptographic techniques are taken to ensure comparing the encrypted file and the source file won't yield a solution.
Is that right?
My main advice is not to invent your own cryptography, because it probably won't be fundamentally secure.
It depends on what you're doing - don't do this for secret government documents, you will cause a disaster. But if you're happy to merely obscure something so it's difficult to casually view, and it doesn't matter that much if someone puts in a lot of time and effort and cracks it, then some kind of not-really-secure scrambling scheme might be good enough.
Sounds like a server might be my best option. I hear you on the security vs obfuscation piece. Users should just encrypt their files using their encryption method of choice before hiding them.