Reverse Engineering

Hi all,

I have a few security-related questions…

  • Is it possible for somebody to reverse engineer Corona apps so as to gain access to the source code / variable names etc… on iOS and Android?

  • Is it possible for somebody to access a SQLite database stored in the documents directory and gain access to any of the content?

When talking to a server-side script (via https) I want the app and the script to have a key they can use for authentication purposes, but I don’t want to store the key on the device in a location where anyone could gain access to it.

Thanks,

Ian

I myself am curious about all these security questions as well.

2nd question is a Yes. As for the first question I don’t know if access to source, variables etc is possible but I do believe at least on Android the assets such as image & sound files can be accessed.

See forum and code exchange for some discussion and code samples on these topics. 

Hope this helps.

Thanks ksan. I’ve searched the forums and the web generally for a large part of today but I can’t find a definitive answer. It’s quite possible I’m having a lame search day though.

In general, from a security point of view…

This was helpful… http://forums.coronalabs.com/topic/37302-security-on-device/

This was an interesting tutorial… http://coronalabs.com/blog/2013/06/11/tutorial-using-the-openssl-plugin/

And this thread was useful too… http://forums.coronalabs.com/topic/34295-encrypting-andor-protecting-assets-within-your-app/

Q2: yes.  Q1:  I can confirm “possible” on Android, so I’d suspect similar on iOS.  Easy to pull .apk, unwrap .tar, extract files.  Debug symbols are stripped from luac.out for non-debug-key builds, but string values will still be visible with just a hex dump (including table keys, remembering that `table.field` is just sugar for `table["field"]`).  A bit more work to extract resource.car, strip headers on .lu, run `luac -l -p`.  Lua decompilers aren’t robust, and likely to fail, but VM code is readable (to someone interested enough) to discover most logic.

Keep in mind, “grandma” won’t be doing this, but a determined hacker could, so you’ll have to decide what lengths to go to.  (And it’s unlikely you’ll find ANY approach that can defeat EVERYONE.)  As a start, I wouldn’t store anything critical as unencrypted strings, anywhere, not even in source code.
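The point above about string values surviving in compiled Lua is easy to verify without touching a device. The following is an added example, not code from the thread or from Corona: it compiles a function with `string.dump` (available in Lua 5.1, which Corona used, and later) and scans the resulting bytecode for a key that was written as a string literal. The key and the function names are constructed for the example; a team can run the same scan over its own `luac.out` or `.lu` files before release to catch secrets that were embedded by mistake.

```lua
-- Added example (not from the forum thread). Demonstrates that a string
-- literal in source is still present, byte for byte, in compiled bytecode,
-- so a key stored this way is recoverable with a plain hex dump.
-- "EXAMPLE-PLACEHOLDER-KEY-1234" is a constructed placeholder, not a real key.

-- Return the subset of `secrets` that appear verbatim inside `blob`.
local function leakedSecretsInBlob(blob, secrets)
    local leaked = {}
    for _, s in ipairs(secrets) do
        -- plain = true: match the secret literally, not as a Lua pattern
        if string.find(blob, s, 1, true) then
            leaked[#leaked + 1] = s
        end
    end
    return leaked
end

-- Compile `fn` to bytecode in memory and scan it.
local function leakedSecretsInFunction(fn, secrets)
    return leakedSecretsInBlob(string.dump(fn), secrets)
end

-- Scan a build artifact on disk (e.g. luac.out or a stripped .lu file).
local function leakedSecretsInFile(path, secrets)
    local f = assert(io.open(path, "rb"))
    local data = f:read("*a")
    f:close()
    return leakedSecretsInBlob(data, secrets)
end

-- The pattern the thread warns against: the shared key is a string literal.
local function buildAuthHeader()
    local API_KEY = "EXAMPLE-PLACEHOLDER-KEY-1234"  -- constructed placeholder
    return "X-App-Key: " .. API_KEY
end

local watchList = { "EXAMPLE-PLACEHOLDER-KEY-1234" }
local found = leakedSecretsInFunction(buildAuthHeader, watchList)
if #found > 0 then
    print("key is visible in compiled bytecode: " .. table.concat(found, ", "))
else
    print("key not found in bytecode")
end

-- Usage against a real artifact (path is an assumption for illustration):
-- local hits = leakedSecretsInFile("build/luac.out", watchList)
```

Because `string.dump` keeps the constant pool intact, the first check reports the placeholder key as visible; stripping debug information removes names and line numbers but not the constants, which matches the observation above about `luac.out`. Running `leakedSecretsInFile` over the final build output with the list of credentials the project knows about is a cheap pre-release gate against the specific mistake the thread describes.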