Protect my apk file better

Hi, use spritesheets and code your program to crash or warn the user if files are tampered with or deleted. If a user does that, my policy is to refuse to let the app start.

Data security, databases, levels, configs etc. are best protected using an external server. Maybe not what you wanna hear, but that's how it is.

An apk can be reversed, and as long as some find it joyful to hack leaderboards, game mechanics and such, it's just how it is these days.

The level of security necessary is something that must be evaluated on a per-app basis.

Thank you @anaqim

  1. How can I check if the user tampered with or deleted the files?

  2. I’ve done research and I’ve seen that sql can also get json-coded strings.

   I also saw that I can encrypt json strings. Can this be an idea?

   Does the “openssl” plugin (used to encrypt json) have an impact on performance?

Morning,

  1. that's something you need to figure out, like detecting if a file exists before opening it, like loading graphics and checking in code if image dimensions are correct or have been altered, etc etc. You could for example include vital files in a zipped file which you check and unpack at runtime. You could md5 hash content and validate it that way. I don't know of any “simple” solution for this.

  2. absolutely, json can be stored in sql tables (mysql, mssql) as well as nosql objects (mongo db), or just as json files on your server. it all depends on your specific needs. storing on and retrieving data from a server is a lot of security in itself and if you register your server with ssl that makes it all the better.

personally i am using coronium core by develephant which allows me to code serverside in lua, giving me a lot of freedom and possibilities as a developer, at a small cost. it's a solution I am very happy with and which I warmly recommend.

if you prefer free solutions, you can always grab any of the free backend services available like app42, gamespark and playfab (in order of preference) but for these the cost is slightly less freedom in what you can do plus a bit more coding to get things done. also, at some point they all will start to cost money, but hopefully you’ll be making some by then as well.

happy coding!  :stuck_out_tongue:

Hi!  :slight_smile:

1. I'll do some tests and let you know; I’ve never tried to use zip in the game files.

2. Core coronium is a good idea and probably I’ll use it in the future but now I need some local solution, just for this reason I set it aside.

Can you tell me something about openssl?

It is used to encrypt json; I would like to know if it is fast or affects performance.

Hi again.

Don't know much about openssl since I use a server with ssl, but I doubt it has any impact on performance. Loading and saving files usually are not time-critical events.

Thanks for your quick response!

I guess then I will use openssl and I will perform performance tests

I’m doing tests for the first point but it looks complicated … is not there a way to take my own images folder and transform it into a string? I think this will solve everything

So there is no way to control the folder directly?

I’ve been banging my head for two days :wacko:

nothing is unhackable but there are ways to make it harder

android doesn't even have a folder as such but here is a random thought…

you could zip your files, then when app starts, decompress them to the temp folder and give them random names (that make no sense to the eye) that you generate in code, store in variables and use during that single session. you could clean out temp folder each app start to prevent it getting too big. change for random folder or folder structure every session.

you could probably hash the images and use these in code to control they have not been tampered with, and/or check image size when loading. you could save all images upside down and in code turn them before using them.

you could hash encrypt json files and verify on load to check they have not been tampered with.

there are many ways and methods to make both your life as well as the potential hackers life more difficult, just gotta come up with a formula for it that only you and your app can handle.

your app can probably still be hacked when running, but again, you could implement image preloading so that once the app is started and the images appear in the folder, they have already been loaded so changing them after app start won't do anything. next session = new images/files and names etc etc  :wink:

you could even store all images in code in base64 strings  :rolleyes:

IMHO it is a waste of time trying to copy-protect apps.

You’ll end up spending a lot of time and/or money and still failing.

Thank you both!

@anaqim I appreciate the lines are interesting but a bit complex for a game. And I fear it would take a long time

@roaminggamer I know that there is always someone who knows how to break better than someone builds. As I said I do not want to waste much time. 

However, a friend has been able to change images with a simple rootless app, and this has had consequences in the game.

I would like a simple control that at least prevent this.

I do not want an armored app, but no one can simply change it. This I think would also diminish the interest of those who would play without cheating

I will bring this up with our engineers.  I don’t know how much work it would be to pack the assets into a resource file.  Almost every API that accesses an image or audio track will likely need some beefy recoding, but it doesn’t hurt to ask.  The worst thing is an answer of “No”.

It won’t happen anytime soon regardless.

Rob

I appreciate it very much!

Thank you @Rob Miracle

Personally I have some insight into this… my assets appeared in a competitors game (via a user uploading mechanism).

A simple “cease and desist” email stomped that out real fast.

Finding a really safe method takes too long.

I will leave…

I just ask one last thing if it is possible. In my game, for safety, I use **Runtime:hideErrorAlerts()**.

There are no bugs but something can always slip through.

With this code if the user deletes an image from the obstacle folder the game continues to run but the obstacle will not bother him.

Is there a way to block apps only if the file is not found?

of course I can do a check before creating image something like:

```lua
local path = system.pathForFile( "myImage.png", system.ResourceDirectory )
if ( path ) then
    --create image
else
    --block app
end
```

 but so should I modify all my code, is there a faster way to do this?

If content is deleted then show a placeholder graphic instead and alert the user accordingly.

Instead of modifying all your code simply have a function that you call to “load an asset”.  This function can then have the code to handle “asset not found”

I should, however, check each point where I create an image. …

Otherwise I think I did not understand

@maximo,

That code won’t work the way you want it to.  It will create paths fine, for non-existent images.  It doesn’t check if the file exists, it blindly makes the requested path.

I’d wrap my image creation in a pcall() instead, then if the pcall fails, use SGS’s fallback of a default image.

```lua
local status, img = pcall( display.newImageRect, path, width, height )
```

I’ve been doing tests like this:

```lua
local status, img = pcall( display.newImageRect, "img.png", 200, 200 )
print(status) --true

local status, img = pcall( display.newImageRect, "notExistingImg.png", 200, 200 )
print(status) --true
```

Whether the image exists or not, status returns true.

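The two checks discussed in this thread, hash validation of bundled files and a single load function that handles a missing image, as an added example that is not code from any poster or from Corona. It uses SHA-256 in place of the MD5 mentioned above, the file names and digest values are placeholders, and it assumes `display.newImageRect` returns nil for a missing file instead of raising an error, which is consistent with the pcall test above.

```lua
-- Added example; file names and digest values are constructed placeholders.
local crypto = require( "crypto" )

-- Expected SHA-256 hex digests, filled in at build time.
-- Data files only: Corona documents that file I/O cannot read .png/.jpg
-- from system.ResourceDirectory on Android, so images use loadImage() below.
local MANIFEST = {
    ["levels.json"] = "<sha256-hex-of-levels.json>",
    ["config.json"] = "<sha256-hex-of-config.json>",
}

-- Tell the user which file failed, then quit (requestExit works on Android).
local function refuseToRun( name )
    native.showAlert( "Error", "Game files are damaged: " .. name, { "OK" },
        function() native.requestExit() end )
end

-- Read a bundled file in binary mode; nil if it is missing or unreadable.
local function readFile( name )
    local path = system.pathForFile( name, system.ResourceDirectory )
    if not path then return nil end
    local fh = io.open( path, "rb" )
    if not fh then return nil end
    local data = fh:read( "*a" )
    fh:close()
    return data
end

-- Returns true, or false plus the first file that is missing or altered.
local function verifyAssets()
    for name, expected in pairs( MANIFEST ) do
        local data = readFile( name )
        if not data or crypto.digest( crypto.sha256, data ) ~= expected then
            return false, name
        end
    end
    return true
end

-- One entry point for images: test the return value, not the pcall status.
local function loadImage( file, w, h )
    local img = display.newImageRect( file, w, h )
    if not img then refuseToRun( file ) end
    return img
end

local ok, bad = verifyAssets()
if not ok then refuseToRun( bad ) end
```

Replacing each `display.newImageRect` call with `loadImage` is a search-and-replace, and the manifest lives inside the apk, so this stops casual file swaps but not someone who repacks the app.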