Is it possible to encrypt app.zip, when I package the windows platform

[MoLeft]

Duplicate Check

• I have searched the opened issues and there are no duplicates

Describe the requested feature

When I packaged the flet for the Windows platform, it successed, and I knew it was pretty cool.
But I found the app.zip in the my_porject/build/windows/data/flutter_assets/app/ directory.
So, when I unzipped the app.zip, I saw the source code of my project.
I think this is very unsafe for my source code.
This means that anyone who opens this software can get my source code.
So, I'm wondering if the flet can encrypt this app.zip, and that's very wonderful.

Suggest a solution

No response

Screenshots

Additional details

No response

[FeodorFitsner]

There is a good discussion: https://stackoverflow.com/questions/261638/how-do-i-protect-python-code-from-being-read-by-users

[MoLeft]

I don't know about this, because I have only tried flet on the Windows platform.

[ap4499]

The SO post is good.

In short, they are right. Every single application can be reverse engineered. However, what SO users sometimes omit imo, is that many methods are easier than others, and often - developers simply want to make it more difficult, and more time consuming for attackers.

My code can be stolen, however.. I would like for an attacker to spend a couple of weeks/months doing so - why? Because it then becomes a trade off as to whether it is easier to just write it themselves.

So.. a few methods:

1. The most obvious, and least investment - is to have Flet create .pyc files, use the "compile app" option:

Control over app compilation and cleanup
flet build command is no longer compiling app .py files into .pyc by default which allows you to defer discovery of any syntax errors in your app and complete the packaging.

You can control the compilation and cleanup with the following new options:

--compile-app - compile app's .py files.
--compile-packages - compile installed packages' .py files.
--cleanup-on-compile - remove unnecessary files upon successful compilation.

https://flet.dev/blog/flet-v-0-25-release-announcement

This will at least hide your source code from being read in a text editor (although, reverse engineering .pyc files is pretty straight forward).

2. Another option, is within your project, compile sensitive code to .so/.dll files - by using Cython. Cython compiled binaries are significantly more time consuming to reverse engineer than .pyc files, and thus - suitable for increasing the difficulty without substantially increasing your workload, as the Python -> Cython step is pretty trivial nower days. Python is also pretty seamlessly integrated with Cython, and you can import packages etc.

3. To go further.. use a compiled language to create binaries, which can be called by Python. I personally use C++, however, Rust is looking quite compelling lately. I haven't actually used native Flutter before, but I assume that Flutter + dart compile to binary in a fundamentally similar way to C++ etc. Generally, your compiled binaries from Cython should be similar in difficulty to reverse engineer - ie. not trivial, so unless you have a reason to be in C++, I would generally recommend Cython if your only aim is to hide algorithms.

My final question would be, what are you trying to do/hide? If you are trying to hide API keys, or other cryptographic elements - they can always be hacked. In my experience, even when compiling with C++, keys etc. are one of the easiest things to extract.. so in short, don't store things like that in your code.

[ap4499]

Also, as Feodor says.. you can't encrpyt the app.zip as you'd have to store the decryption key in the app package.. in short.. it isn't a huge hurdle to overcome tbh.

Even if you stored it on a server, say.. it would be coming down unencrypted.. I mean, every single way that one thinks of doing this, it is just a circular reference.

It is more effort to implement it than it would be to unpick as a hacker.

[Muddassir-Farooq-official]

To secure sensitive logic in a Flet application, you can apply the same approach of using a password-protected ZIP file and dynamically loading code during runtime. Here's how you can integrate this into a Flet-based desktop application:

---

Step-by-Step Guide

1. Create the Password-Protected ZIP

First, package the sensitive code (sensitive_code.py) in a password-protected ZIP file. Use the pyminizip library for this purpose:

import pyminizip

File to protect

source_file = "sensitive_code.py"
zip_file = "secure_code.zip"
password = "securepassword"

Compress the file with a password

pyminizip.compress(source_file, None, zip_file, password, 5)
print("Password-protected ZIP created.")

This creates a secure_code.zip containing your sensitive logic.

---

2. Build Your Flet Application

Create a basic Flet application that extracts the protected code, validates the password, and executes it.

---

3. Implement Logic in Flet

Here’s how you can load and execute the sensitive code at runtime:

import flet as ft
import zipfile
import os
import importlib.util

ZIP_FILE = "secure_code.zip"
PASSWORD = b"securepassword"

Function to extract and execute sensitive code

def extract_and_execute(zip_path, password, page):
try:
# Extract ZIP file content
with zipfile.ZipFile(zip_path) as zf:
zf.setpassword(password)
sensitive_code_path = zf.extract("sensitive_code.py", "temp_folder")

    # Dynamically import and execute the extracted module
    module_name = "sensitive_code"
    spec = importlib.util.spec_from_file_location(module_name, sensitive_code_path)
    sensitive_code = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(sensitive_code)

    # Call a function from the sensitive code
    result = sensitive_code.run_protected_logic()
    page.add(ft.Text(f"Result: {result}"))

    # Clean up temporary files
    os.remove(sensitive_code_path)
    os.rmdir("temp_folder")
except Exception as e:
    page.add(ft.Text(f"Error: {e}"))

Sensitive code file (for demonstration)

Sensitive Code in sensitive_code.py:

def run_protected_logic():

return "This is protected logic. Access granted!"

Flet App

def main(page: ft.Page):
page.title = "Secure Flet App"
page.horizontal_alignment = ft.CrossAxisAlignment.CENTER
page.vertical_alignment = ft.MainAxisAlignment.CENTER

def run_sensitive_code(e):
    extract_and_execute(ZIP_FILE, PASSWORD, page)

page.add(ft.Text("Click the button to access protected logic."))
page.add(ft.ElevatedButton("Run Protected Logic", on_click=run_sensitive_code))

ft.app(target=main)

---

Code Explanation

1. Password-Protected ZIP Extraction:

The extract_and_execute function extracts sensitive_code.py from secure_code.zip using the provided password.

The sensitive code is executed dynamically using Python's importlib.

2. Dynamic Module Execution:

The run_protected_logic() function in sensitive_code.py contains critical business logic, ensuring it's not part of the main application.

3. Flet Integration:

A button in the Flet UI triggers the extraction and execution of the sensitive logic.

4. Cleanup:

Temporary files (sensitive_code.py) and folders (temp_folder) are deleted after execution.

---

How It Works in Flet

The sensitive logic is stored securely in the ZIP file and only accessed at runtime.

Users cannot modify the logic without the correct password.

Flet UI provides a user-friendly interface for executing the protected code.

---

Enhancements for Security

1. Dynamic Passwords:

Fetch the password from a server after user authentication or license validation.

2. Obfuscation:

Use tools like PyArmor or Cython to obfuscate the main application, making it harder to reverse-engineer.

3. Server Validation:

Combine this with server-side validation to ensure the ZIP file is extracted only for authorized users.

4. Encrypt Sensitive Code:

Instead of ZIP, use libraries like cryptography to encrypt/decrypt the sensitive logic.

This method secures sensitive parts of your Flet application while maintaining functionality and user experience.

[ap4499]

@Muddassir-Farooq-official

Is that from an LLM?

In any case, see uncompyle6 and similar for Python decompilation (of .pyc files).

For C/C++, see Ghidra, IDA Pro or similar.

The reason that the approach will not work, is that as Feodor says below, you are using symmetric cryptography. Within a few minutes, using any of the tools above, a user will be able to obtain that password.

[FeodorFitsner]

@ap4499 well said, thanks for chiming in! Just to summarize about encryption, in symmetric cryptography you use the same key for both encrypting and decrypting the "message", so the key should be delivered to the "recipient". In asymmetric cryptography you use public key to encrypt the message and private key to decrypt it. Asymmetric algorithm can also be used for "signing" message. This time you use private key to generate a signature and recipient use public key to verify it. Hope that helps.