Moving app off of Adalo

Adalo has been a great starting point for us, and we’ve made the decision to now develop a custom app.

In starting to do so, two questions have come up:

  1. When we export our Users table from Adalo, we get hashes/some encoding of all passwords, and not the raw data. This makes sense for security, but can someone from Adalo please share the algorithm you’re using for hashing passwords? Otherwise, all users will be required to set new passwords rather than having a smooth experience of moving over to the new app with their existing password.

  2. Is it possible to get the iOS App ID and key so that we can update the app in the app store to a new version, rather than creating an entirely new app page (and losing our reviews)?

Thanks!

Hi Tyler,

I think you can ask support about these questions. 🙂

You can’t really directly transfer it. You can let a user copy it with the existing database.

Hi @tmf,

First, Adalo definitely shouldn’t and won’t let you decrypt passwords. That’s basic information security 101. You’ll need to have your users reset their passwords.

Secondly, the iOS app ID, etc. you should be able to get that yourself from Apple. That isn’t Adalo information.

Depending on what platform or developer you’re using, they should be able to do that for you.

2 Likes

Surely it would be possible not to decrypt the passwords, but to use the same algorithm in the new app so that users can continue to use their passwords?

I’m interested because we may one day move off Adalo into our own hard-coded app.

1 Like

Agreed with Charlotte! We would never ask for or want the users’ raw passwords.

But using the same algorithm so that users can continue to use their passwords should be possible, if Adalo can supply the algorithm.

Makers on Adalo should be able to truly own the data that exists here so I hope someone from the Adalo team can help!

As Erik mentioned, this would make all passwords on Adalo vulnerable.

Also a note on this.

Passwords are never encrypted, but hashed. This is important to note because hashing is one way and encryption is 2 way.

No platform will ever provide this information externally. If they do, they should not be trusted at all.

3 Likes

OK, this is useful to understand and know. Users of a new version will just have to reset their password.

Hey Colin, again, we’re not looking to decrypt any passwords. We are simply looking to know the algorithm you’re using to hash passwords.

This would allow a user to type in “thisispassword” to the app, and for us to know on the backend that it matches the hash “ioxodif8s9ewf”, without us ever knowing their password.

Does this make sense?

@tmf I think Adalo is saying, if they made that algorithm available to any Adalo customer, all Adalo app users’ passwords would be vulnerable. So there’s no way other than users resetting their passwords.

Yes. Two notes on this:

  1. For clients with Users on Adalo, we’ve never seen the switch be an issue. Just tell users you’ve changed tech stacks and request they reset their passwords.
  2. If you don’t have users on Adalo, you can use an external collection (we use Supabase). Then, when you make the switch, you keep all of the data (it’s external to Adalo) and connect your custom app to it.

1 Like

I would say this is still not secure, not to mention Adalo will not / should not share the hash, regardless of reasons.

I’d recommend asking users to reset their passwords. We’ve seen it done before (several times). Never a big deal (it causes churn for sure, but that’s mostly natural).

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.
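
The thread never states which hashing scheme the export uses, so the following is an added example, not code from Adalo or from any poster: it sketches how a new backend can verify a login against an imported hash and upgrade it to its own scheme when the legacy format is known, and fall back to a password reset when it is not. The `pbkdf2_sha256$...` record layout, the function names and the sample users are assumptions constructed for illustration.

```python
import hashlib, hmac, os

def legacy_hash(password, salt, iterations):
    # Assumed legacy layout (constructed): pbkdf2_sha256$<iter>$<salt hex>$<hash hex>
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def new_hash(password, salt=None):
    # Target scheme for the new app: scrypt with a fresh random salt per user.
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${dk.hex()}"

def check(password, stored):
    """Return 'current', 'legacy' or 'mismatch'; None if the format is unknown."""
    try:
        scheme, *parts = stored.split("$")
        if scheme == "scrypt" and len(parts) == 2:
            candidate, kind = new_hash(password, bytes.fromhex(parts[0])), "current"
        elif scheme == "pbkdf2_sha256" and len(parts) == 3:
            candidate = legacy_hash(password, bytes.fromhex(parts[1]), int(parts[0]))
            kind = "legacy"
        else:
            return None
    except ValueError:
        return None  # malformed record, treated as an unknown format
    # Constant-time comparison of the recomputed record with the stored one.
    same = hmac.compare_digest(candidate.encode(), stored.encode())
    return kind if same else "mismatch"

def login(users, email, password):
    stored = users.get(email)
    if stored is None:
        return "bad_credentials"
    result = check(password, stored)
    if result is None:
        return "reset_required"  # opaque export: only a reset can help
    if result == "mismatch":
        return "bad_credentials"
    if result == "legacy":
        users[email] = new_hash(password)  # upgrade while the plaintext is in hand
    return "ok"

# Constructed sample data; 1000 iterations only keeps the demo fast.
USERS = {
    "a@example.com": legacy_hash("thisispassword", bytes(16), 1000),
    "b@example.com": "ioxodif8s9ewf",  # opaque value, format unknown
}
```

Without the scheme, salt and parameters of the exported records, every user lands in the `reset_required` branch, which is the outcome the thread settles on.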