I just want to be clear: do you mean that you can use chrome://inspect and still attach to your app that way?
Also, how are you building your app? PhoneGap (or Cordova) CLI or PhoneGap Build?
Finally, it might help to see your config.xml (sans identifying information).
Yes, if I install my app from Google Play on the cellphone and then try to see the content with chrome.inspect, I can't. BUT if I download the APK from Google Play, install it on an x86 emulator in Android Studio, and then run it on the emulator while accessing the emulator from chrome.inspect, then I can see my entire source code (www) file even though I had disabled debugging and it is the final release. I usually build with Android Studio. I tested this with other PhoneGap apps shown on the PhoneGap page and honestly I was able to see all of their source code (www). This is a huge security issue, to be honest, and I think people must be aware of it in case they are building something that requires a high level of security. I was considering writing native plugins in order to handle the sensitive server calls instead of exposing the entire code to the user. As a matter of fact, I was able to hide the content of my source code with the CrossWalk Cordova plugin. I don't know yet how it works or what architecture it uses, but I know that the inspector couldn't see my code anymore, not even the HTML. The drawback is that it adds an extra 26 MB to the project. I am now considering using the Ace plugin, where you can introduce native classes into your project without the need to write custom plugins. However, I would really like to know if you can help me with this.
What's your AndroidManifest.xml file look like? It's possible the debug flag was still on there, even though you built a release version.
While chrome://inspect shouldn't work on a release app (if it does, that's a bug!), and you've used CrossWalk to circumvent that issue, that's not going to help with security. See, your web content is available to anyone who can download the app. To prove it to yourself, unzip your app's APK, and you'll see all the "www" code.
The moral is this: don't put anything in your app's code that you can't risk the world seeing. This applies not just to PhoneGap apps but to native apps as well (disassembly is a thing).
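The unzip check described above can be turned into a pre-release audit. The following is an added example, not code from this thread or from PhoneGap: it lists the web files an APK ships and flags lines that look like embedded secrets. It assumes the web content sits under `assets/www/` in the APK; the patterns and the in-memory sample APK are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: Cordova/PhoneGap Android builds package web content under assets/www/.
WWW_PREFIX = "assets/www/"
# Hypothetical rules for values that should not ship in client code; tune per project.
SECRET_PATTERNS = {
    "hardcoded credential": re.compile(
        r"""(?i)\b(api[_-]?key|secret|passw(?:or)?d|token)\b\s*[:=]\s*["']([^"']{8,})["']"""),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
TEXT_EXTENSIONS = (".js", ".html", ".htm", ".json", ".xml", ".css")


def audit_apk_www(apk):
    """Return (shipped_files, findings); findings are (file, line, rule), values not echoed."""
    shipped, findings = [], []
    with zipfile.ZipFile(apk) as zf:  # an APK is a ZIP archive
        for info in zf.infolist():
            if not info.filename.startswith(WWW_PREFIX) or info.is_dir():
                continue
            shipped.append(info.filename)
            if not info.filename.lower().endswith(TEXT_EXTENSIONS):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                for rule, pattern in SECRET_PATTERNS.items():
                    if pattern.search(line):
                        findings.append((info.filename, lineno, rule))
    return shipped, findings


def build_sample_apk():
    """Constructed stand-in for a release APK, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/www/index.html", "<script src='js/app.js'></script>\n")
        zf.writestr("assets/www/js/app.js",
                    "var endpoint = 'https://api.example.test';\n"
                    "var apiKey = \"constructed-sample-key-123\";\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    files, hits = audit_apk_www(build_sample_apk())
    print(f"{len(files)} web files shipped; findings: {hits}")
```

Pass the path of a real release APK to `audit_apk_www` in place of the sample; every file it lists is readable by anyone who downloads the app.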
I actually just Googled this topic and found this discussion. I used PhoneGap Build. I had left debugging enabled at PhoneGap Build (not realizing it) and released the APK to the Play Store. In PhoneGap Build I can click on the debug button and see all the phones that are running my app.
Should I have disabled the debug option at phonegap build before my last build?
P.S. There is nothing in my config.xml related to debug that I can see.
Yes, you should have disabled debug prior to your last build.
At this point you should immediately:
- Disable debugging
- Generate a new build (with new version #)
- Upload your new build to Google so that your users get the updated build
You should also be up front with your users that the app was sending debugging information. If this app involves anything secure (passwords, etc.), the users should take appropriate steps to protect their information and identity.