Security on device
Started by MatthewCharlesHarrop Jul 17 2013 02:56 AM

34 replies to this topic

#1

MatthewCharlesHarrop


Hi All,

I have a question regarding security on the device (Android and iOS).

Currently, within the project I am working on, we have the device connect to an FTP site to upload and download files and forms.

To keep costs down (because we're offering this service for free) there is 1 username and password for each group that signs up. This allows them access to their particular folder within the FTP where they can find all of their stuff relating to their group.

Currently the username and password are either hard coded into the synchronization file or contained within the settings file in the DocumentsDirectory. Therefore it would be quite simple for somebody with malicious intent to acquire the username and password and bombard the FTP with rubbish, thus destroying what we've worked on.

What I need to know is whether I can encrypt the username and password in the file and how to decrypt the information for sending to the FTP.

I am aware of the crypto. library, however it only allows encryption, so how would I go about decrypting a username and password so it can be sent and authorized by the FTP? Also, if I encrypt the username today, will the decryption still read the same tomorrow?



#2

rxmarccall


Sorry don't have an answer to this, but am interested in the topic. Unfortunately from what I've seen so far, Corona lacks some really important security features.

For example they released a Zip plugin which is awesome, but it does not support password protection... After spending literally over a year on my current app, I am sad that I cannot protect my assets that need to be downloaded.



#3

jonjonsson

#4

rxmarccall


Done and done. After reading that voting post I just realized how scary it really is that we have no encryption. I use the ICE library to save and load values in my app. I use this to save whether or not a user has purchased certain pieces of in-app content.

A user could just open their file explorer and edit the saved ICE data to unlock content, couldn't they?!



#5

Rob Miracle


Can't you use the OpenSSL plugin for this?



#6

rxmarccall


@Rob, I'm not sure I understand well enough what OpenSSL does. I was just reading the documentation, sounds like it wraps an unsecure connection and encrypts it?

I'm not sure that this would be helpful in protecting our app assets seeing as we are talking about after the app or content has been downloaded, a user could then access it on device and manipulate it?



#7

Rob Miracle

#8

jonjonsson

#9

jstrahan


nice

if I'm reading right it encrypts text

so if I want to encrypt a json file I would need to combine it all into one string or will it encrypt json?



#10

jonjonsson


I'm implementing now. It cannot encrypt a table (I think that is what you mean), you need to convert to a json string first.



#11

rxmarccall


Can one of you guys explain in words for a 5 year old what OpenSSL allows us to do? Will it actually encrypt files on a device? Or is it just as it streams across the internet?



#12

jstrahan


no, my file is a json file

so I'm guessing I'd have to convert from json to a string then from string to json



#13

jstrahan


you're 5 years old and coding WOW

LOL



#14

jstrahan


the way I'm reading it, it can do both, but this is the first I looked at it so I may be wrong



#15

jonjonsson


rxmarccall: What kind of assets are you trying to protect?



#16

rxmarccall


Sorry I'm just a noob compared to some of you guys so lots of the time I feel very out of the loop.

I am just trying to understand what benefits Open SSL allows for?

I would like to protect my app assets such as images, but also my app downloads new content via HTTP, which is very unsecure, would this help me in protecting my content in any way?

thanks



#17

jstrahan


you can use HTTPS in Corona for a more secure connection



#18

rxmarccall


I think my biggest concern is the fact that anyone could hit the URL that I use to host my content and download the zip file with the content.

I wanted to use FTP for this reason, but with FTP Corona doesn't allow for a download progress event, so I switched back to HTTP. Would OpenSSL let me use HTTP but keep random people from being able to download my zip file?



#19

jonjonsson


For me I have a multiplayer game where I keep sensitive information in SQLite (Ice in your case). Before adding that information I encrypt it with

encryptDataBeforeAddingToDB = mime.b64(cipher:encrypt(myData, mySecretKey))

If a user has jailbroken his device and opens the database to try to cheat he will just see gibberish.

When I need to use the information in the game, I fetch it from database and do:

deCryptedinformationFromDB = cipher:decrypt(mime.unb64(encryptedDataFromDb), mySecretKey)



#20

jstrahan


found error on plugin page. the descriptions are reversed


#21

jonjonsson


You can have user/pw authentication on your HTTP server like you have on FTP. It requires server side programming though. 



#22

Rob Miracle


From my read of that blog post, it will encrypt/decrypt a string. JSON is a string. You json.encode your table to get a string, then json.decode a JSON string to create a table.

The encrypted data is binary, if you're going to transmit that via an HTTP web service, you probably should base64 encode it for safe transmission. The blog post I believe covers it.

HTTPS: uses SSL to do its encryption. You can use https: to have your data encrypted between endpoints (your browser and server, your app and server), but HTTPS would be useless if the browser didn't decrypt the data.
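
The round trip described in posts #19 and #22 (table to JSON string, encrypt, base64 for storage, and back), as an added example that is not part of any post in the thread. It assumes the OpenSSL plugin is loaded as `plugin.openssl` and that `cipher` comes from its `get_cipher` call; `sealTable`, `openTable`, the key and the file name are hypothetical.

```lua
local openssl = require( "plugin.openssl" )
local mime = require( "mime" )
local json = require( "json" )

-- Assumption: AES-256-CBC obtained through the plugin's get_cipher call.
local cipher = openssl.get_cipher( "aes-256-cbc" )

-- Constructed placeholder. A key shipped inside the app can be recovered by
-- anyone who unpacks the app, so this deters casual editing of saved files only.
local SECRET_KEY = "replace-with-your-own-key"

-- Hypothetical helper: table -> JSON string -> ciphertext -> base64 text.
local function sealTable( t )
    -- Parentheses keep only the first of the two values mime.b64 returns.
    return ( mime.b64( cipher:encrypt( json.encode( t ), SECRET_KEY ) ) )
end

-- Hypothetical helper: reverses sealTable. Returns nil when decryption or
-- JSON parsing fails (for example an edited file or a different key).
local function openTable( sealed )
    local raw = mime.unb64( sealed or "" )
    if not raw or raw == "" then return nil end
    local ok, plain = pcall( function() return cipher:decrypt( raw, SECRET_KEY ) end )
    if not ok or type( plain ) ~= "string" then return nil end
    local parsed, decoded = pcall( json.decode, plain )
    if parsed and type( decoded ) == "table" then return decoded end
    return nil
end

-- Constructed sample data: save, then load it back.
local path = system.pathForFile( "purchases.dat", system.DocumentsDirectory )
local out = assert( io.open( path, "w" ) )
out:write( sealTable( { levelPack2 = true, coins = 150 } ) )
out:close()

local saved = assert( io.open( path, "r" ) )
local restored = openTable( saved:read( "*a" ) )
saved:close()

if restored then
    print( "coins:", restored.coins )
else
    print( "saved data could not be read; falling back to defaults" )
end
```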



#23

MatthewCharlesHarrop


May I make a suggestion?

Would it be possible to add, to the individual pages within the API documentation, pages recommended by Corona developers? So, all the tutorials and maybe some forum topics that help outline the usage of such items (I know that if the OpenSSL tutorial page had been referenced within the crypto.* area, then I would never have raised this topic)

Just FYI, I too have voted for Binary protection :)



#24

A Funny Development


Hi,

Man all the stuff that complicates an indie shop trying to develop a simple little app. I'd like to encrypt some of the game data. I was planning on using the Corona SSL lib. I will only be using it for that purpose, not making remote secure connections etc. It appears that shipping encryption libraries as part of your code base requires additional paperwork to be filed.

Is this true? Has anyone gone through the process? Is it worth the effort, meaning there are bigger fish to fry versus worrying about locking down your app from piracy / data manipulation etc?

Thanks.



#25

rxmarccall


I am looking at using the "htaccess" method to password protect a directory on my web server that hosts my downloadable content.  Should Corona's network.request API be able to pass the username and password needed to access the content for download?
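
One way to send credentials to an .htaccess-protected directory while still getting download progress events, as an added example that is not part of any post in the thread. It assumes the directory uses HTTP Basic authentication; the URL, account and file names are constructed placeholders, and `basicAuthHeader` is a hypothetical helper.

```lua
local mime = require( "mime" )

-- Constructed placeholders, not values from the thread.
local CONTENT_URL = "https://content.example.com/protected/pack1.zip"
local USERNAME = "group-account"
local PASSWORD = "placeholder-password"
local TARGET_FILE = "pack1.zip"

-- HTTP Basic authentication sends base64("user:password") in the
-- Authorization header. Base64 is an encoding, not encryption, so the
-- request should go over HTTPS. Credentials stored in the app remain
-- readable to anyone who extracts them, as the first post points out.
local function basicAuthHeader( user, pass )
    -- Parentheses keep only the first of the two values mime.b64 returns.
    return "Basic " .. ( mime.b64( user .. ":" .. pass ) )
end

local function onDownload( event )
    if event.isError then
        print( "network error" )
    elseif event.phase == "progress" then
        print( "received", event.bytesTransferred, "of", event.bytesEstimated )
    elseif event.phase == "ended" then
        if event.status == 200 then
            print( "download complete:", TARGET_FILE )
        else
            -- 401 means the server rejected the credentials. On any non-200
            -- status the saved file holds an error page, so remove it.
            print( "download refused, HTTP status", event.status )
            os.remove( system.pathForFile( TARGET_FILE, system.TemporaryDirectory ) )
        end
    end
end

local params = {
    headers = { Authorization = basicAuthHeader( USERNAME, PASSWORD ) },
    progress = "download",  -- request "progress" phase events
}

network.download( CONTENT_URL, "GET", onDownload, params,
    TARGET_FILE, system.TemporaryDirectory )
```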



