phonegap copy-protection
This is one of my favourite answers from the PhoneGap Google Group by Kerri Shotts. I like it because she encapsulates my thoughts on the matter but does it more eloquently than I could:
Not really. Yes, you can obfuscate it, but I could decode it. You can encrypt it, but that means the key is in your code somewhere, which means I can also unencrypt it. Once I have the device and your bits, I can do anything I want with them.
Remember: the device and OS are not there to protect the app from your users. It's there to protect your users from your app. Totally different side to security.
Keep in mind this is largely true of native apps. Give me a Java or ObjC program and I can work out what it does easily enough as well. Furthermore, in most platforms, all the graphical assets are just regular files, which mean they are easily copied.
This is why there are so many pirated/cloned apps out there. And ultimately, as long as I have the bits to your software, there's nothing you can do about it. All you can do is make it "harder" for the user -- and that level of "hardness" is proportional (if not exponential) to the effort required to make it "harder" for the user. That is, if you make it so that 90% of users can't crack the system, that's one level of difficulty in hardening the app; to then make it so that 99% can't crack it requires a significant leap in programming difficulty.
You can, of course, create on-the-fly decryption routines in native code that read an encrypted www/ folder. If you want to do that, go ahead. (A hacker can still get around it. There's /always/ a way.) Am I willing to go that far? Nope. It's not worth my time or effort, especially when it won't protect me from the ones who are really interested in clobbering me. [Another issue: should PG do this? NO. Only a security expert, and most developers aren't.]
Do I take a pessimistic view on security? Yes. If you distribute the bits, you lose the security. Therefore, if you need the workings of the app to be very secure, those workings should be off-device on a very secure server somewhere behind several very secure firewalls with goodness-knows how much security in between to make sure no one could ever guess how the app is even authenticating to this server.
I say all this simply because I don't believe it is worth the effort for most apps to worry about the fact that the www/ folder is visible and exposed. I'd go so far to say that for 99.99% of apps this is true. Unless you're working in healthcare (and logging sensitive information) or government or banking (with actual banks), you don't need to be worrying about it. And if you are, should you be using PG? Furthermore, should you even be on the mobile device at all? Better in my opinion to be a webapp that has very little client code and is essentially a black box.
If something is valuable enough to be worth protecting people's access too (e.g. authentication details), then putting it into some compiled code that they have is not secure enough.
Otherwise, just what do you have in the HTML, Javascript and CSS that is so valuable? It can't be the code itself, because if they can't copy it they can just look at it, go "oh, that's a good idea" and copy the idea without looking at the code. The good ideas are more valuable than the lines of code, and you can't hide them, this way. In this case, you've made life harder for you to a greater extent than you've made it harder for them.