Encrypting and/or protecting assets within your app
Started by BeyondtheTech Apr 26 2013 07:10 AM

12 replies to this topic
#1

BeyondtheTech


Code'n'Web came out with a recent update for TexturePacker (not affiliated with software or developer) which allows Cocos2D developers the ability to encrypt their app's assets, since it's fairly simple for an average user to take the IPA file from the App Store, rename it to a ZIP, then unzip the contents for their own illegitimate use.

 

See here for more information: http://www.codeandweb.com/texturepacker/contentprotection

 

I was wondering if Corona SDK could also implement a form of global encryption of all internal assets during the binary building process, perhaps a key value to put in the build.settings file so it would automatically encrypt everything against that key, to which it would decrypt all files on the fly during program execution on the device.

 

Similarly, I am hoping for some global method of encryption for files created in System.DocumentsDirectory so that flags and variables for in-app purchases and player stats are protected against hacking and manipulation by an ambitious end-user.  As you are all aware now, any files you save using the standard load/save JSON table code are subject to easy manipulation by anyone who can access the files in iTunes or iPhone Explorer/PhoneView, unless some additional checks and balances are manually put in place.

 



#2

SegaBoy


+100

 

Have you put it up on the Corona Feedback system?



#3

BeyondtheTech

#4

thy.toeung


Huge thing for me! Added my votes!



#5

thodah11

#6

bjsorrentino


Hi all,

 

Thanks for putting in your feedback. On this note, however, I believe there are some 3rd-party iOS tools that make it easy to access an app's files, exposing all of the extracted files, thus defeating the purpose of encrypting them in the first place. Android doesn't have this issue unless it's rooted. Because of this, it might not be worth encrypting your assets.

 

When it comes to issues like this, I tend to think "where there's a will, there's a way". If somebody wants your app assets badly enough, they'll probably find a way to get them.

 

 
Best regards,
Brent


#7

thy.toeung


Yes, if there's a will there's a way. But protecting against casual "hackers" is a different scenario than people that figure out new jailbreak methods.

 

I was thinking you could just encrypt the images, as those are really the visual "style" of your game. Sure, people could do lots of screenshots - but again, we're about protecting against casual hackers, not dedicated people.

 

Thy



#8

BeyondtheTech


I'm still also concerned about the save files we create. If someone looks at a save file (which is usually a JSON table totally editable in TextEdit or Notepad) and can tell which variables or values get changed when an in-App Purchase takes place, we'd be seriously losing that revenue, or worse, end up eating a big loss when we are expected to fund the costly services of Corona Cloud or PubNub with those customer purchases.

Having it scrambled and checksum'ed will ensure the integrity of the save game data.

#9

thy.toeung


For save files, you have some options:

1) Use SQLite for your data. Little harder to get to because it's in a binary blob that you need an interpreter for.

2) Encrypt the string before you place it into the JSON. Then, it's encrypted in the text file.

3) Encrypt the string, and then save the JSON to SQLite. :)

 

I just use #1 right now, as it's difficult to tell that it's a SQL database if you name the database file something innocent.

 

Thy



#10

thodah11


Some global method of encryption should be relatively easy to add to Corona and that would really help as many developers don't want their game assets spread all around. Android is no safer than iOS. Count on rooted phones.

Would be really helpful and useful if this was provided by the SDK.



#11

renato.bugge

You can check out the AESlua which is quite fast with the new bitOp plugin:

 

http://forums.coronalabs.com/topic/28934-corona-resource-centre-tutorials-templates-and-more/?view=getnewpost

 

AES is probably the most secure encryption for lua at the moment.



#12

lessmsios


Perhaps adding PASSWORD support to the recent zip/unzip plugin would be helpful.

 

:)



#13

toby2


Simply:

 

1. Use a UUID for the device.

 

2. Use HMAC to create a hash using some secure value, the UUID and a secret key.

 

3. Store the HMAC alongside the cleartext, and require agreement before unlocking whatever your data represents, an IAP entitlement, a high score, whatever. If the hashes don't match, you've detected tampering and are free to zero out that entitlement or privileged data.
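
The three steps in the post above, as an added example (not code from this thread or from Corona), written in Python rather than Corona's Lua so it runs stand-alone. It reads the "secure value" as the saved data itself. `APP_SECRET`, the device IDs and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical app secret (constructed). It ships inside the app, so this
# detects hand-editing of the file; it does not stop someone who extracts it.
APP_SECRET = b"constructed-demo-secret"


def _tag(state: dict, device_id: str) -> str:
    """HMAC-SHA256 over the device ID and a canonical encoding of the state."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    dev = device_id.encode()
    # Length-prefix the device ID so the ID/payload boundary is unambiguous.
    msg = len(dev).to_bytes(4, "big") + dev + payload
    return hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()


def seal(state: dict, device_id: str) -> str:
    """Return the save-file text: cleartext state stored alongside its HMAC."""
    return json.dumps({"state": state, "mac": _tag(state, device_id)})


def load(text: str, device_id: str, default: dict) -> dict:
    """Return the saved state if its HMAC agrees, otherwise the zeroed default."""
    try:
        doc = json.loads(text)
        state, mac = doc["state"], doc["mac"]
        if not isinstance(state, dict) or not isinstance(mac, str):
            return dict(default)
    except (ValueError, KeyError, TypeError):
        return dict(default)  # unparsable or missing fields: treat as tampered
    # Constant-time comparison avoids leaking how much of the tag matched.
    if hmac.compare_digest(mac.encode(), _tag(state, device_id).encode()):
        return state
    return dict(default)


DEFAULT = {"coins": 0, "premium": False}   # zeroed entitlements
DEVICE_A = "constructed-device-uuid-A"     # constructed sample device IDs
DEVICE_B = "constructed-device-uuid-B"

if __name__ == "__main__":
    saved = seal({"coins": 120, "premium": False}, DEVICE_A)
    edited = saved.replace('"premium": false', '"premium": true')
    print(load(saved, DEVICE_A, DEFAULT))   # intact file
    print(load(edited, DEVICE_A, DEFAULT))  # hand-edited file
    print(load(saved, DEVICE_B, DEFAULT))   # file copied from another device
```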



