Secret data in the LUA code

Hi all,

Today I write to ask more expert developers a simple question.

How safe is it to write secret data, such as a password or any other kind of sensitive data, in the Lua code?

Is it possible for someone to decompile the app and read the source code? Could someone decompile the app and see, say, a very smart algorithm thanks to which the app can perform some brilliant action?

The last question is: is it safer to store important data on the device or on a remote server? What features should a remote server have to be considered safe?

How safe? It is not safe if you store them as plaintext. 

You can verify this for yourself. Build a sample Corona app for iOS and, from the command line, cd into the .app directory. Run strings on the resource.car file. I did this on Corona’s “fishies” app and found, in part, this:

bubble_strong_wav.wav viewableContentWidth viewableContentHeight container newRect reflectX newImage aquariumbackgroundIPhone.jpg aquariumbackgroundIPhoneLandscape.jpg

That’s for data in string format. Now the lua bytecode is going to be pretty painful to parse by hand, though I wouldn’t be surprised if someone had written a script to reverse it.

So if you want to hide secret values, then you should obfuscate. This is a technique that goes back at least to the 1980s, copy protection, 5.25" floppies, extra tracks, etc. Barring a TPM (which we’re not talking about here), obfuscation is doomed against a sufficiently determined attacker, so you need to hope that your attacker is insufficiently determined.

Others may have poked around inside the innards of Corona-built apps more than I have and I’d be interested to hear details if anyone has them.

The question about remote server safety and security is rather open-ended and too broad in scope for me to answer.
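The `strings` pass described in the reply above, as an added Python example (not code from the reply, from Corona, or from the "fishies" app). It reimplements the `strings -n 4` scan over a constructed byte blob that only imitates a compiled Lua chunk (the `\x1bLua` magic and a few string constants; the bytes between them are filler, not a real bytecode layout) and then runs a regex triage over what comes back. The asset name, the `api.example.invalid` URL, the `api_key` value and the `xyzzy` constant are all made up for the example.

```python
from __future__ import annotations

import re

# Constructed stand-in for a compiled Lua chunk (NOT a real luac dump): the
# "\x1bLua" magic plus 0x51 (the Lua 5.1 version byte) and the embedded string
# constants are the realistic parts; everything else is filler to skip over.
SAMPLE_BLOB = (
    b"\x1bLua\x51\x00\x01\x04\x04\x04\x08\x00"              # header-like bytes
    + b"\x00\x00\x00\x0c\x00\x00\x00" + b"main.lua\x00"     # source name
    + b"\x01\x02\x03\x04" + b"aquariumbackgroundIPhone.jpg\x00"
    + b"\x7f\x80\x81" + b"https://api.example.invalid/v1/score\x00"
    + b"\x00\x00" + b"api_key=ZXhhbXBsZS1zZWNyZXQtMTIz\x00"   # made-up credential
    + b"\x10\x11" + b"xyzzy\x00"                               # bare password constant
    + b"\xff\xfe"
)

PRINTABLE_RUN = rb"[\x20-\x7e]"


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Same idea as `strings -n MIN_LEN`: every run of at least min_len printable ASCII bytes."""
    pattern = PRINTABLE_RUN + b"{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


# Cheap triage of what the scan returns: labelled credentials, encoded-looking
# tokens and network endpoints. Deliberately loose; it is a starting point for
# reading the list, not proof that nothing else is in there.
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"),
    re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$"),   # base64-looking blob
    re.compile(r"^[0-9a-fA-F]{32,}$"),          # long hex, e.g. a key
    re.compile(r"https?://\S+"),                # endpoints the app talks to
]


def triage(strings: list[str]) -> list[str]:
    """Keep only the strings that match one of the secret-looking patterns."""
    return [s for s in strings if any(p.search(s) for p in SECRET_PATTERNS)]


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    print("all strings:", found)
    print("flagged:    ", triage(found))
    # What triage misses matters too: the bare "xyzzy" constant has no label,
    # so only a human reading the full list (or the decompiled source) spots it.
```

Running it prints "LuaQ" first, which is exactly what `strings` shows on a real Lua 5.1 chunk, followed by the file names, the URL, the labelled key and the bare password; the triage flags the URL and the `api_key=` line but not `xyzzy`, which is why the full list still has to be read by eye.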

though I wouldn’t be surprised if someone had written a script to reverse it.

And, yep, someone has (http://luadec.luaforge.net/):

"LuaDec is a decompiler for the Lua language. It takes compiled Lua bytecodes and attempts to produce equivalent Lua source code on standard output. It targets Lua 5.0.2. "

While Apple and Google make a good attempt to secure the phones so that people cannot peek into your application's resource area, the reality is that it is too easy to jailbreak/root your devices. At that point people can peer into your app's information, and any clear-text sensitive data is there for the taking. This isn't a Corona issue; it's an application issue on every platform.

Lua byte code, while it can be decompiled, shouldn't return variable names like password. So something like:

local password = "xyzzy"

might turn into

local a15 = "xyzzy"

Since the text is clear text, it might be obvious to figure out that a15 is the password. You can attempt to obscure the text (there are tons of ways to do it, e.g. base64 encoding), but if the villain runs across:

local a15 = "a7b4d8d8b4"

and goes "hmmm? base64 encoded, let's decode it. Ah, xyzzy looks like a password." There are various ways to encrypt data and plenty of ways to make it very hard. It's all a matter of how much effort you want to put into it.

Rob
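Rob's "hmmm? let's decode it" step, automated, as an added Python example (not Rob's code and not anything Corona ships). The developer-side functions produce the kind of `local a15 = "..."` constants the reply describes, for plain base64 and for a XOR-with-a-key layer on top of it; the analyst-side functions then do what someone holding LuaDec output would do: try every plausible decoding of every string constant, using the other short constants from the same chunk as candidate XOR keys, because the key has to be in the chunk for the app to work. The secret `xyzzy`, the key `fishies` and the asset name are constructed for the example.

```python
from __future__ import annotations

import base64
import binascii

# ---- developer side: the kind of "obscured" constant the reply describes ----

def obfuscate_base64(secret: str) -> str:
    """local a15 = "<this>" with base64 in place of the plain password."""
    return base64.b64encode(secret.encode()).decode()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_xor_hex(secret: str, key: bytes) -> str:
    """One step up: XOR with a key, stored as hex. The key still ships with the app."""
    return xor_bytes(secret.encode(), key).hex()


# Constructed: string constants as a decompiler would hand them back.
SHIPPED_KEY = b"fishies"
SHIPPED_CONSTANTS = [
    "aquariumbackgroundIPhone.jpg",
    "fishies",                                  # the XOR key, right beside the data
    obfuscate_base64("xyzzy"),                  # "eHl6enk="
    obfuscate_xor_hex("xyzzy", SHIPPED_KEY),    # "1e10091210"
]


# ---- analyst side: mechanically undo the layers ---------------------------

def looks_like_text(data: bytes) -> bool:
    """Plausibility filter: printable ASCII and mostly letters/digits, to drop XOR noise."""
    if not data or any(b < 0x20 or b > 0x7E for b in data):
        return False
    alnum = sum(chr(b).isalnum() for b in data)
    return alnum * 4 >= len(data) * 3


def try_base64(s: str) -> bytes | None:
    """Strict base64 decode; None unless the result reads as text."""
    try:
        out = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    return out if looks_like_text(out) else None


def try_hex(s: str) -> bytes | None:
    try:
        return bytes.fromhex(s)
    except ValueError:
        return None


def auto_decode(constants: list[str], max_key_len: int = 32) -> dict[str, list[tuple[str, str]]]:
    """For each constant, record every decoding that yields text: base64, plain hex,
    or hex XORed with any short constant from the same chunk (candidate keys)."""
    keys = [c.encode() for c in constants if 1 <= len(c) <= max_key_len]
    findings: dict[str, list[tuple[str, str]]] = {}
    for c in constants:
        hits: list[tuple[str, str]] = []
        plain = try_base64(c)
        if plain is not None:
            hits.append(("base64", plain.decode()))
        raw = try_hex(c)
        if raw is not None:
            if looks_like_text(raw):
                hits.append(("hex", raw.decode()))
            for key in keys:
                candidate = xor_bytes(raw, key)
                if looks_like_text(candidate):
                    hits.append((f"xor:{key.decode()}", candidate.decode()))
        if hits:
            findings[c] = hits
    return findings


if __name__ == "__main__":
    for const, hits in auto_decode(SHIPPED_CONSTANTS).items():
        print(const, "->", hits)
```

Both layers fall to the same loop: the base64 constant decodes directly, and the hex constant decodes once the scan XORs it against its neighbour `fishies`. The plausibility filter is what keeps the wrong keys from producing junk "hits"; in practice an analyst would also read the decompiled decode routine, which names the key outright.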