[Resolved] Please someone explain the build process and security

Hopefully I can get some details here as it was hard finding information on the site.

Can I please have a basic rundown on what happens? Is the entirety of our source code and assets uploaded and compiled back down to us? Or is the remote build server just there to initiate the build?

I ask because I have a client interested in me doing a job in Corona but due to contractual agreements around security they have to know exactly what is happening with the source code.

Thanks in advance,

Craig.

Hey Craig,

“Only tokenized project file data is sent to the Ansca servers during builds. Your source code and assets are not sent to the servers.” - http://developer.anscamobile.com/reference/troubleshooting

I hope this helps :slight_smile:

Peach

Thanks Peach, yes it does. Quite cool, because now I get to make an app that communicates with some military laser ‘tag’ hardware on vehicles etc.

Haha that sounds awesome; I hope to hear more about this in the future.

Marking as resolved :slight_smile:

It is probably important that somewhere you guys document publicly on your site or in the SDK documentation the specifics on what “tokenized project data” means and exactly what is sent. Lots of clients put lengthy boilerplate IP nondisclosure stuff in their work contracts, even for small, low-budget jobs, and it could be a problem if this isn’t explicitly defined anywhere since all Corona SDK developers agree to this in the Corona license:

B. Information Submitted to ANSCA Not Deemed Confidential. ANSCA works with many application and software developers and some of their products may be similar to or compete with Your Applications. ANSCA may also be developing its own similar or competing applications and products or may decide to do so in the future. To avoid potential misunderstandings, ANSCA cannot agree, and expressly disclaims, any confidentiality obligations or use restrictions, express or implied, with respect to any information that You may provide in connection with this Agreement or the Program, including information about Your Application, Licensed Application Information and metadata (such disclosures will be referred to as “Licensee Disclosures”). You agree that any such Licensee Disclosures will be non-confidential. ANSCA will be free to use and disclose any Licensee Disclosures on an unrestricted basis without notifying or compensating You. You release ANSCA from all liability and obligations that may arise from the receipt, review, use, or disclosure of any portion of any Licensee Disclosures. Any physical materials You submit to ANSCA will become ANSCA property and ANSCA will have no obligation to return those materials to You or to certify their destruction.

OK, for anyone who cares - it’s not that hard to figure out after some digging (I’m lazy…)

So when you build, your Lua scripts are compiled into Lua bytecode files and added to input.zip. If it’s an Android build, it also has a build.properties file in it. That’s what goes to Ansca’s server.

What comes back is “output.zip” which has a built APK and probably some other stuff (I didn’t capture it and wasn’t quick enough to move it at the right time, but it would be trivial to find out specifically what’s in there if you really wanted to). Then, on your machine all your assets etc. are added to the APK, it gets signed etc.

So really any confidentiality/privacy concern would be around those Lua bytecode files. They can be decompiled back into source files, but you lose things like local variable names and it would take some work to get usable source code back out of them. Any sensitive string literals in the actual code files could be an issue I guess, depending on how paranoid you are, but if you’re super paranoid you shouldn’t be putting anything like that in an android app in the first place…

So technically they are right to say they’re not sending the original source files, although strictly speaking, it’s not nothing. I’d be OK with it, but I’d probably want to make sure any clients I was making an app for (and their legal dept. if they have one) wouldn’t freak out over it.

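A pre-build check a developer could run over the input.zip described above, as an added example that is not part of this thread or of the Corona toolchain: it lists the printable string literals that survive in each archive member and flags the ones that look like credentials or endpoints, so a client's legal department can see exactly what would leave the machine. The archive contents, the member name main.lu and the byte layout of the fake bytecode blob are constructed for the example; only the leading `\x1bLua` signature is the real Lua 5.1 bytecode header.

```python
import io
import re
import zipfile

# Runs of 6+ printable ASCII bytes, the same heuristic the `strings` tool uses.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
# Literals worth a second look before the archive is uploaded to the build server.
SENSITIVE_RE = re.compile(r"(key|secret|token|password|https?://)", re.IGNORECASE)


def recoverable_strings(blob: bytes) -> list[str]:
    """Return the printable runs that survive in a compiled blob (constants, URLs...)."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def audit_build_input(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each archive member to the recoverable strings in it that match SENSITIVE_RE."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            hits = [s for s in recoverable_strings(zf.read(name)) if SENSITIVE_RE.search(s)]
            if hits:
                findings[name] = hits
    return findings


def build_sample_input_zip() -> bytes:
    """Constructed stand-in for input.zip: one fake bytecode file plus build.properties."""
    # Constructed blob: a real Lua 5.1 chunk starts with ESC "Lua"; everything after
    # the header here is filler bytes around literals a compile would keep as constants.
    fake_bytecode = (
        b"\x1bLua\x51\x00" + b"\x00" * 8
        + b"https://api.example.com/v1\x00" + b"\x00\x03"
        + b"API_KEY=sk_test_placeholder\x00" + b"\x01\x02"
        + b"hello world\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("main.lu", fake_bytecode)
        zf.writestr("build.properties", b"versionCode=1\ntargetDevice=android\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in audit_build_input(build_sample_input_zip()).items():
        print(member)
        for hit in hits:
            print("   ", hit)
```

Run it against the real input.zip captured from a build to see which literals the bytecode still carries; plain local variable names do not appear, which matches what the thread describes.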

Oh, I should add, in case the bit about decompiling freaks anyone out - this isn’t any different from what you could do with a Flash SWF on any public website or in an AIR application. As for the assets, they’re all in the APK if anyone wanted to steal them anyway, just like any other Android app. I just feel like it’s good for people to understand how their tools work.

Pnicolai, you are correct about Lua bytecode sent to the Ansca server. The build process converts the Lua source code into Lua bytecode and sends that to the server for integration with the “template” that converts the Lua code into calls to the Corona SDK.

In the Lua bytecode, comments are stripped and variable names are mangled during the conversion process. The file sent back from the server is then locally packaged with the program’s asset files (images, sound, etc.) and signed. (The program asset files are not sent to the server.)

The Lua bytecode file sent to the Ansca server is only used to create the output file and is not saved/archived on the server. It is a temporary file.