TUTORIAL: How to encrypt strings with AES-256



Hi there,

I was looking for a solution in order to encrypt strings in a secure way. I thought about using Taifun AES extension (http://puravidaapps.com/aes.php) but it costs money. So I have implemented something that I want to show you, guys.

That solution is made by using some easy PHP code, so if you aren’t into PHP don’t worry.

You can copy quoted code into text editor and save as .php


PHP Code which I’m using for encryption:


$datos = $_POST;
$string = $datos[‘string’];
$password = $datos[‘pass’];
$method = “AES-256-CBC”;
$iv = $datos[‘iv’];

In that way we can post multiple variables from our aplication. We need to post a:

  • string (that we want to encrypt), :relieved:
  • a password, :sunglasses:
  • seed or initialization vector (that is a 16 bytes random stuff in order to make unique our encrypted string, but it can’t decrypt itself the string so we can store it).

Also, if we want, we can change method of encryption to which you can see in that page: http://micmap.org/php-by-example/manual/es/function.openssl-get-cipher-methods.html

$encrypt = openssl_encrypt($string, $method, $password, 0, $iv);

That’s how we encrypt stuff, with openssl.

echo $encrypt;


PHP Page answers with “echo”, that is the ecrypted string.

The aplication only needs to make a POST to URL in Internet where PHP file is contained. That URL that looks like this: thedude.esy.es/AES/AE3.php (That is my personal website, you can use it if you want). If you try to go to this URL with Internet browser you will get an error like this:

That’s because the browser didn’t post variables which are used by PHP code (we will post them from web component in Thunkable), so it considers password as “” (nothing), string as “” (nothing), and iv (seed) as “” but that is Dangerous (Seed must always BE.)

So, we can build something like this:

Besides, we need to configure POST settings, so we join string=[FROM TEXT BOX]&pass=[FROM TEXT BOX]&iv=[FROM TEXT BOX].

I use “Obfuscated Text” in order to provide some extra security but it is not necessary.

Finally, we get a answer from the page. We are interested in “responseContent” as it is the string that we have encrypted.


We can use almost same PHP code for the decryption.


$datos = $_POST;
$string = $datos[‘string’];
$password = $datos[‘pass’];
$method = “AES-256-CBC”;
$iv = $datos[‘iv’];

$decrypt = openssl_decrypt($string, $method, $password, 0, $iv);

echo $decrypt;


We need to post encrypted string, password, and seed. Like before.

URL for Decryption PHP: http://thedude.esy.es/AES/AE3D.php

Now blocks look like this:


If all went well, we will get a answer with the decrypted string.

That’s a DEMO video that I have made: https://www.youtube.com/watch?v=nzguShpaHNI

Here is the PHP which I used: https://drive.google.com/file/d/0B2ktAOamvgjtSEJLOGtxZ29xMlk/view?usp=sharing

Here is the .AIA File: https://drive.google.com/open?id=0B2ktAOamvgjtOGMzQXlqYWpfeTQ

You can upload them to an hosting service like Hostinger, that is free. Or use my website, I don’t care :wink:

The only weak point is that it requires Internet connection, and you can’t make the trick by saving .php in assets and accessing later, because .php is a “server side” file and it won’t work… but is a solution that I have found for App Inventor, in Thunkable and very others systems, without any extension.




Thanks for sharing this


Hey @Ahmad_Saleh thank you for sharing.
I know it’s a old post, but I would like to know if any of you thunkers have implemented this on Thunkable X ? I know this post is for the classic one, which I am not into it, but it seems possible to rewrite the block in Thunkable X. Anyone?