Security on device

Hi All,

I have a question regarding security on the device (Android and iOS).

Currently, within the project I am working on, we have the device connect to an FTP site to upload and download files and forms.

To keep costs down (because we’re offering this service for free) there is 1 username and password for each group that signs up. This allows them access to their particular folder within the FTP where they can find all of their stuff relating to their group.

Currently the Username and Password are either hard coded into the synchronization file or contained within the settings file in the DocumentsDirectory. Therefore it would be quite simple for somebody with malicious intent to acquire the username and password and bombard the FTP with rubbish, thus destroying what we’ve worked on.

What I need to know is whether I can encrypt the Username and Password in the file and how to decrypt the information for sending to the FTP.

I am aware of the crypto. library; however, it only allows encryption, so how would I go about decrypting a Username and Password so it can be sent and authorized by the FTP? Also, if I encrypt the Username today, will the decryption still read the same tomorrow?

Sorry, don’t have an answer to this, but am interested in the topic. Unfortunately, from what I’ve seen so far, Corona lacks some really important security features.

For example they released a Zip plugin which is awesome, but it does not support password protection… after spending literally over a year on my current app, I am sad that I cannot protect my assets that need to be downloaded.

We desperately need some security, even just basic encrypt/decrypt.

Please vote: http://feedback.coronalabs.com/forums/188732-corona-sdk-feature-requests-feedback/suggestions/3899237-encrypt-binary-builds-and-files-in-system-document

Done and done. After reading that voting post I just realized how scary it really is that we have no encryption. I use the ICE library to save and load values in my app. I use this to save whether or not a user has purchased certain pieces of in-app content.

A user could just open their file explorer and edit the saved ICE data to unlock content, couldn’t they?!

Can’t you use the OpenSSL plugin for this?

@Rob, I’m not sure I understand well enough what OpenSSL does. I was just reading the documentation; sounds like it wraps an unsecure connection and encrypts it?

I’m not sure that this would be helpful in protecting our app assets, seeing as we are talking about after the app or content has been downloaded; a user could then access it on device and manipulate it?

See: http://www.coronalabs.com/blog/2013/06/11/tutorial-using-the-openssl-plugin/

Wow that is fantastic. How did I miss that.

Nice.

If I’m reading it right, it encrypts text.

So if I want to encrypt a JSON file, would I need to combine it all into one string, or will it encrypt JSON?

I’m implementing now. It cannot encrypt a table (I think that is what you mean); you need to convert to a JSON string first.

Can one of you guys explain in words for a 5 year old what OpenSSL allows us to do? Will it actually encrypt files on a device? Or is it just as it streams across the internet?

No, my file is a JSON file.

So I’m guessing I’d have to convert from JSON to a string, then from string to JSON.

You’re 5 years old and coding, WOW

LOL

The way I’m reading it, it can do both, but this is the first I’ve looked at it so I may be wrong.

rxmarccall: What kind of assets are you trying to protect?

Sorry I’m just a noob compared to some of you guys so lots of the time I feel very out of the loop.

I am just trying to understand what benefits OpenSSL allows for?

I would like to protect my app assets such as images, but also my app downloads new content via HTTP, which is very unsecure. Would this help me in protecting my content in any way?

Thanks

You can use HTTPS in Corona for a more secure connection.

I think my biggest concern is the fact that anyone could hit the URL that I use to host my content and download the zip file with the content.

I wanted to use FTP for this reason, but with FTP Corona doesn’t allow for a download progress event, so I switched back to HTTP. Would OpenSSL let me use HTTP but keep random people from being able to download my zip file?

For me, I have a multiplayer game where I keep sensitive information in SQLite (Ice in your case). Before adding that information I encrypt it with:

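[lua]

-- Assumes cipher = openssl.get_cipher(...) from the OpenSSL plugin and mime = require("mime")
local encryptDataBeforeAddingToDB = mime.b64(cipher:encrypt(myData, mySecretKey))

[/lua]

If a user has jailbroken his device and opens the database to try to cheat, he will just see gibberish.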

When I need to use the information in the game, I fetch it from database and do:

[lua]

-- Same key as used for encryption; reverses the base64 step first
local deCryptedinformationFromDB = cipher:decrypt(mime.unb64(encryptedDataFromDb), mySecretKey)

[/lua]
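The steps discussed in this thread (table to JSON string, encrypt, base64, and back again), combined into one save/load round trip. This is an added example, not code from any poster or from Corona Labs. The file name, key value and helper names are hypothetical, and it assumes the OpenSSL plugin is enabled in build.settings.

```lua
-- Added example. SETTINGS_FILE, SECRET_KEY and the helper names are hypothetical.
local openssl = require( "plugin.openssl" )
local json = require( "json" )
local mime = require( "mime" )

local cipher = openssl.get_cipher( "aes-256-cbc" )
local SECRET_KEY = "replace-with-your-own-key"  -- placeholder; it ships inside the app
local SETTINGS_FILE = "settings.dat"

-- table -> JSON string -> ciphertext -> base64 text -> file
local function saveEncrypted( tbl )
    local encoded = mime.b64( cipher:encrypt( json.encode( tbl ), SECRET_KEY ) )
    local path = system.pathForFile( SETTINGS_FILE, system.DocumentsDirectory )
    local file, err = io.open( path, "w" )
    if not file then return false, err end
    file:write( encoded )
    file:close()
    return true
end

-- file -> base64 text -> ciphertext -> JSON string -> table
-- Returns nil when the file is missing or no longer decrypts and parses.
local function loadEncrypted()
    local path = system.pathForFile( SETTINGS_FILE, system.DocumentsDirectory )
    local file = io.open( path, "r" )
    if not file then return nil end
    local encoded = file:read( "*a" )
    file:close()
    -- pcall so that a hand-edited file cannot crash the app with a runtime error
    local ok, tbl = pcall( function()
        local plain = cipher:decrypt( mime.unb64( encoded ), SECRET_KEY )
        return json.decode( plain )
    end )
    if not ok or type( tbl ) ~= "table" then return nil end
    return tbl
end

-- Constructed sample data
saveEncrypted( { unlockedPacks = { "pack1" }, coins = 250 } )
local settings = loadEncrypted()
if settings then
    print( "coins:", settings.coins )
else
    print( "settings missing or modified; using defaults" )
end
```

Decryption depends only on the ciphertext and the key, so data saved today loads the same way tomorrow as long as the key is unchanged. Because the key is compiled into the app, this raises the effort needed to read or edit the file rather than making it impossible.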

Found an error on the plugin page. The descriptions are reversed.