Encrypting and/or protecting assets within your app

Code’n’Web came out with a recent update for TexturePacker (not affiliated with software or developer) which allows Cocos2D developers the ability to encrypt their app’s assets, since it’s fairly simple for an average user to take the IPA file from the App Store, rename it to a ZIP, then unzip the contents for their own illegitimate use.

See here for more information: http://www.codeandweb.com/texturepacker/contentprotection

I was wondering if Corona SDK could also implement a form of global encryption of all internal assets during the binary building process, perhaps a key value to put in the build.settings file so it would automatically encrypt everything against that key, to which it would decrypt all files on the fly during program execution on the device.

Similarly, I am hoping for some global method of encryption for files created in System.DocumentsDirectory so that flags and variables for in-app purchases and player stats are protected against hacking and manipulation by an ambitious end-user.  As you are all aware now, any files you save using the standard load/save JSON table code are subject to easy manipulation by anyone who can access the files in iTunes or iPhone Explorer/PhoneView, unless some additional checks and balances are manually put in place.

+100

Have you put it up on the Corona Feedback system?

Just did.  Please vote here:

http://feedback.coronalabs.com/forums/188732-corona-sdk-feature-requests-feedback/suggestions/3899237-encrypt-binary-builds-and-files-in-system-document

Huge thing for me! Added my votes!

Voted

Hi all,

Thanks for putting in your feedback. On this note, however, I believe there are some 3rd-party iOS tools that make it easy to access an app’s files, exposing all of the extracted files, thus defeating the purpose of encrypting them in the first place. Android doesn’t have this issue unless it’s rooted. Because of this, it might not be worth encrypting your assets.

When it comes to issues like this, I tend to think “where there’s a will, there’s a way”. If somebody wants your app assets badly enough, they’ll probably find a way to get them.

Best regards,

Brent

Yes, if there’s a will there’s a way. But protecting against casual “hackers” is a different scenario than people that figure out new jailbreak methods.

I was thinking you could just encrypt the images, as those are really the visual “style” of your game. Sure, people could do lots of screenshots - but again, we’re about protecting against casual hackers, not dedicated people.

Thy

I’m still also concerned about the save files we create. If someone looks at a save file (which is usually a JSON table totally editable in TextEdit or Notepad) and can tell which variables or values get changed when an in-App Purchase takes place, we’d be seriously losing that revenue, or worse, end up eating a big loss when we are expected to fund the costly services of Corona Cloud or PubNub with those customer purchases.

Having it scrambled and checksum’ed will ensure the integrity of the save game data.

For save files, you have some options:

  1. Use SQLite for your data. Little harder to get to because it’s in a binary blob that you need an interpreter for.

  2. Encrypt the string before you place it into the JSON. Then, it’s encrypted in the text file.

  3. Encrypt the string, and then save the JSON to SQLite. :slight_smile:

I just use #1 right now, as it’s difficult to tell that it’s a SQL database if you name the database file something innocent.

Thy
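
An added example, not part of any post in this thread: one way to make the JSON save file tamper-evident in Corona, using a keyed HMAC from the built-in `crypto` library over the serialized table. `SAVE_KEY` and `save.json` are placeholder assumptions; the key ships inside the app, so this stops edits made in a text editor, not someone who extracts the key from the binary.

```lua
local crypto = require("crypto")
local json = require("json")

-- Assumption: placeholder key. Anything shipped in the app can be extracted,
-- so this deters casual editing only.
local SAVE_KEY = "REPLACE-WITH-YOUR-OWN-RANDOM-KEY"
local SAVE_FILE = "save.json"  -- hypothetical file name

local function macOf(payload)
    -- HMAC-SHA256 (hex string) over the exact bytes that are written to disk
    return crypto.hmac(crypto.sha256, payload, SAVE_KEY)
end

local function saveTable(t)
    -- Store the serialized table as a string next to its MAC, so verification
    -- never depends on JSON key ordering.
    local payload = json.encode(t)
    local wrapper = json.encode({ payload = payload, mac = macOf(payload) })
    local path = system.pathForFile(SAVE_FILE, system.DocumentsDirectory)
    local f = io.open(path, "w")
    if not f then return false end
    f:write(wrapper)
    f:close()
    return true
end

local function loadTable()
    local path = system.pathForFile(SAVE_FILE, system.DocumentsDirectory)
    local f = path and io.open(path, "r")
    if not f then return nil, "missing" end
    local contents = f:read("*a")
    f:close()
    local wrapper = json.decode(contents)
    if type(wrapper) ~= "table" or type(wrapper.payload) ~= "string"
        or type(wrapper.mac) ~= "string" then
        return nil, "malformed"
    end
    -- Reject the file if the payload no longer matches its MAC
    if macOf(wrapper.payload) ~= wrapper.mac then
        return nil, "tampered"
    end
    return json.decode(wrapper.payload)
end

saveTable({ coins = 120, removeAds = false })
local state, err = loadTable()
if not state then
    print("Save rejected: " .. err)
    state = { coins = 0, removeAds = false }  -- fall back to defaults
end
```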

Some global method of encryption should be relatively easy to add to Corona and that would really help as many developers don’t want their game assets spread all around. Android is no safer than iOS. Count on rooted phones.

Would be really helpful and useful if this was provided by the SDK.

You can check out the AESlua which is quite fast with the new bitOp plugin:

http://forums.coronalabs.com/topic/28934-corona-resource-centre-tutorials-templates-and-more/?view=getnewpost

AES is probably the most secure encryption for Lua at the moment.