Does Json protect files effectively

If I use Json, to save and retrieve game state and setup data, will the file be encrypted well enough to protect it from the average hacker? I doubt it would survive a serious hacker, but will it at least do okay against the ‘part-time’ hacker?

Is there a better method to use that would be ‘reasonably’ secure, or even more secure? No one wants users to be able to access vital state flags and such that might allow them to bypass locked features etc…

I have read Rob Miracle’s article on Json files with Corona. (Very good… thanks Rob), but I did not notice any mention of how secure the file would be.

Does anyone recommend using Json, and maybe encrypting with some other tool? Any suggestions are appreciated.
Thanks

Hi,

JSON provides no encryption or security whatsoever. It’s simply a method of serialising a table so that you can easily write it to and read it back from storage.

It’s really the equivalent of writing a text file with your content in it.

Unfortunately I can’t help with any better solutions, but hopefully someone else will chime in with some ideas.

Ali

You could encrypt the data that gets entered into the file using the Crypto API?

Let me know if you want an example on how to do this.


Hi CraftyDeano,

I’d quite like to see an example of how to do this.

Can you please share an example?

Thanks,

Ali

@ali @craftyDeano thanks for your input.

@craftyDeano I second Ali on this, it would be great to see an example!!!
Can anyone input on what they used … or how they protect their ‘files’ or data from users ‘easily’ hacking and overriding a locked feature or level???

Thanks

Damn, seemed I was a little confused, we can only do one way encryption in Corona, the below would encrypt it, but decrypting can’t be done.

It may be useful for booleans or simple

[lua]require "CiderDebugger";

local crypto = require("crypto")
display.setStatusBar(display.HiddenStatusBar)
_W = display.contentWidth / 2
_H = display.contentHeight / 2

myGameSettings = {}
myGameSettings.highScore = 1000
myGameSettings.soundOn = true
myGameSettings.musicOff = true
myGameSettings.playerName = "Barney Rubble"

deviceName = ( system.getInfo( "name" ) ) -- e.g. "CraftyDeanos iPhone"
masterKey = "RandomStuff" -- Random key
uniqueKey = crypto.hmac( crypto.md5, deviceName, masterKey) -- HMAC-MD5 of the phone name, keyed with masterKey

function encryptTableData()

    -- each value is replaced by its keyed HMAC-MD5 digest (one way, the original value is not recoverable)
    myGameSettings.highScore = crypto.hmac( crypto.md5, tostring(myGameSettings.highScore), uniqueKey)
    myGameSettings.soundOn = crypto.hmac( crypto.md5, tostring(myGameSettings.soundOn), uniqueKey)
    myGameSettings.musicOff = crypto.hmac( crypto.md5, tostring(myGameSettings.musicOff), uniqueKey)
    myGameSettings.playerName = crypto.hmac( crypto.md5, myGameSettings.playerName, uniqueKey)

    -- show the resulting hex digests on screen
    text = display.newText(myGameSettings.highScore, 0, 0, native.systemFont, 10)
    text = display.newText(myGameSettings.soundOn, 0, 20, native.systemFont, 10)
    text = display.newText(myGameSettings.musicOff, 0, 40, native.systemFont, 10)
    text = display.newText(myGameSettings.playerName, 0, 60, native.systemFont, 10)

end

encryptTableData()[/lua]

You say about users being able to amend fields to access content, do you have IAP’s with the JSON file showing the boolean true/false?

If so I use the following to check if the IAP’s have been purchased which creates a random file name when IAP is purchased and on boot it checks if this file is present and sets a boolean to true/false depending on the outcome.

[lua]local crypto = require("crypto")

isPro = false -- if true then adverts disabled

-- call this function when purchase is made
function writeproFileAds()
    local deviceName = ( system.getInfo( "name" ) ) -- phone's name, e.g. 'deans iphone'
    local cryptoKey = "SuperRandomHashKey" -- key to hash against
    local fileName = crypto.hmac( crypto.md5, deviceName, cryptoKey)
    local path = system.pathForFile( fileName, system.DocumentsDirectory )
    local file = io.open( path, "w" ) -- creates a file with the hash as its title
    if file then
        file:write( "Hey, I just bought you, and this is crazy, Heres my credit card number, Charge me maybe?" )
        io.close( file )
    end
    isPro = true -- changes isPro value to true
    banner:release() -- remove adverts (banner is assumed to be the ad object created elsewhere in the app)
end

-- call this function on application boot
function checkPro()
    local deviceName = ( system.getInfo( "name" ) ) -- phone's name, e.g. 'deans iphone'
    local cryptoKey = "SuperRandomHashKey"
    local fileName = crypto.hmac( crypto.md5, deviceName, cryptoKey)
    local path = system.pathForFile( fileName, system.DocumentsDirectory )
    local file = io.open( path, "r" ) -- checks if it can read the file
    if file then -- sets isPro to true if the file is readable
        isPro = true
        io.close( file )
    end
end[/lua]
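Added example, not part of the original post or of Corona's own code: the `crypto.hmac` call used above can also act as a tamper check on a plain JSON save file, so the values stay readable by the game but an edited file is rejected on load. The file name `save.dat`, the key string and the function names `tagFor`, `saveState` and `loadState` are assumptions; the key ships inside the app, so this only stops casual editing.

```lua
local crypto = require("crypto")
local json = require("json")

-- Assumption: a key compiled into the app. Anyone who extracts it from the
-- app package can forge tags, so this deters casual edits only.
local SAVE_KEY = "replace-with-your-own-random-string"
local SAVE_FILE = "save.dat"   -- hypothetical file name

-- Tag = HMAC-SHA256 (hex) over the exact JSON text that is written to disk,
-- so no canonical re-encoding is needed when verifying.
local function tagFor(payload)
    return crypto.hmac(crypto.sha256, payload, SAVE_KEY)
end

-- Writes "<hex tag>\n<json>" to the Documents directory.
local function saveState(state)
    local payload = json.encode(state)
    local path = system.pathForFile(SAVE_FILE, system.DocumentsDirectory)
    local file = io.open(path, "w")
    if not file then return false end
    file:write(tagFor(payload), "\n", payload)
    io.close(file)
    return true
end

-- Returns the saved table, or nil plus a reason when the file is missing
-- or its contents no longer match the stored tag.
local function loadState()
    local path = system.pathForFile(SAVE_FILE, system.DocumentsDirectory)
    local file = io.open(path, "r")
    if not file then return nil, "missing" end
    local contents = file:read("*a")
    io.close(file)
    -- First line is the hex tag, everything after it is the JSON payload.
    local tag, payload = contents:match("^(%x+)\n(.*)$")
    if not tag or tag ~= tagFor(payload) then
        return nil, "tampered"
    end
    return json.decode(payload)
end

-- Constructed sample data
saveState({ points = 120, levelsUnlocked = 2 })
local state, reason = loadState()
if state then
    print("points:", state.points)
else
    print("save rejected:", reason)   -- fall back to a fresh game state
end
```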

Keep in mind that if you encrypt the data, you have to go through the regulatory filing process with the governments of the stores you want to sell your app in.

@rob miracle

Thanks Rob. How do you go about protecting the json files you create/use in your apps? What is the standard practice most developers use to store/save the game states? I assume create a small json file and ‘hope’ the user does not try to alter it. I would guess the average user would not bother.
Is there some other trick developers are using to protect the game state data?

@crafty

Thanks crafty. My user will be acquiring some special points, that would unlock another level or something like that when certain amounts of points are accumulated (not necessarily an IAP … but could be) … anyway, I am just wanting to avoid a situation where the user could get into the game state file where I would have saved their progress (i.e. points earned) and alter that.

I am going to avoid encrypting… looks like a lot of downside. I do like the code you show, setting a random file name, when the user does an IAP. I think that will be very helpful.

Thanks

No problems.

Forgot to mention that if any encryption is used it needs a bit of paperwork behind it before you can submit it.

If you did want to use encryption, this blog describes the process quite well (AFAIK, Apple only require the US governments’ approval?)

http://blog.theanimail.com/iphone-encryption-export-compliance-for-apps

I don’t bother. Apple does a pretty good job of making your data not accessible from other apps. Most people shouldn’t be able to get to it.

A hacker will likely be using a jailbroken phone and even with a 2 way encryption, if they want in, they will get in.

None of my games have data that one would want to hack other than unlocking all levels and if so, it’s not a big deal.


Thanks to both of you. Good to know.

It might be worth looking into using a database to store your values.

It’s obviously not an alternative to encryption, but it’s definitely better than a plain text file.

In order to modify your values the user would have to know that it was an SQLite DB, mount the SQLite db (using some kind of SQLite client/manager) and then edit the fields in the tables. Otherwise, the file just looks like a large binary file.

Ali

Database is a great idea, I really need to brush up on SQL.

You could always obfuscate the data before writing it to a table too.
