This post is intended to learn the security measures to be taken in a cocos2d-x app (Android preferably).
Here are a few questions that are on top of my mind:
Suppose my app is installed on an Android phone; then I can use an app to convert that installed app into an .apk file. Now, I can extract all the files inside the .apk file, like resources and other files, by changing the extension from .apk to .zip.
So, how can I avoid this? I want to learn, even if someone managed to extract my app into a .zip, how to stop him from taking my resources. Maybe some kind of cryptography or something you could tell me about.
What are best practices?
Prevent modification of any kind of data on the fly (avoid tampering with game values/variables), I mean when the Android app is running or not running.
You may add additional security measures if you know. I guess, it is important for knowing the extent to which we can secure our cocos2d-x applications from hackers.
EDIT (edit done after my next post):
Also I would like to know the following. I was googling and found that there exist tools that can modify game data/values like score, money, etc. while the game is running. I also read that if the app stops on detecting a memory-changing app, then this memory-changing app (hacker tools or data-tampering tools) won’t be able to modify or crack the app while running, thus making it difficult to hack.
But how to detect whether such an app is ‘running and attacking the game, or better to say attacking memory and not the game’ or ‘running simultaneously as the game is running’?
Does anyone know how to prevent it? I feel crypto will also not help with this. Also @almax27, what do you think, do crypto laws apply here also?
Another potential method could be to stream any assets you want to avoid ever being saved on the device from a server (they only ever exist in RAM). However this will have to be done every time the user runs the app and would incur significant server overhead depending on the number of regular users.
Or you could look into encrypting key files (images, xmls etc) using 3rd party tools, but this will probably require you to load your assets manually rather than through the cocos2d-x framework.
For app data, simple encryption should be sufficient when reading/writing to file. I don’t believe runtime data tampering is as much an issue for mobile devices as it can be for desktop. However, if you do wish to obfuscate this, I’d recommend researching personal data protection methods, as these can be applied in the same way.
Thanks a lot for sharing crypto laws. I didn’t know that thing.
With different crypto laws for different countries I would need to make separate apks for them!!! Wouldn’t it be difficult!!!
I searched Google too before googling but wanted some advice for cocos2d-x developers.
Anyway, here is what I found: ‘Botan is a crypto library for C++’.
Look at the countries you want to distribute in and pick the highest encryption allowed in all of them. Unless security is a massive issue, the maintenance of multiple apks is unlikely to be cost effective.
As for memory hacks you have to ask a few fundamental questions:
How many people in your user base will care about modifying these stats?
Is your app likely to be popular enough to warrant someone actually taking the time to create a memory hack tool for your app?
Will you lose revenue if they do? (are they linked to IAPs)
What is the development cost compared to the potential revenue lost to implement and maintain these security measures?
Encrypting data in RAM will help as the values of the data will be obfuscated and a tool would have to know the key to insert sensical values.
One approach that jumps to mind though to avoid a memory hack is to have core state data periodically reseated. I.e. all access through a service (no reference) which copies the data to a new memory address at random intervals.
I don’t have any experience using Botan I’m afraid, but from what I can see it’s just a utility library of cryptography algorithms. The reseating idea I mentioned was off the top of my head; I have no reference for its implementation. I imagined it as a class that just creates a new data instance periodically, nothing to do with cryptography. Access to that data should be strictly copy constructed, and destructed in calling scope, which will incur overhead relative to the data and its use.
First however, I’d suggest finding examples of these memory hacking tools to determine common approaches, and even try writing one yourself. Without a good understanding of how people are likely to hack your application you stand no chance of preventing them.
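The reseating idea from the reply above, combined with the in-RAM masking it mentions, as an added example that is not code from any poster in the thread. `GuardedInt` and its methods are hypothetical names; the integrity check is a simple non-cryptographic mix, so this raises the effort for value-scanning tools rather than stopping a determined reverse engineer.

```cpp
#include <cstdint>
#include <memory>
#include <random>
#include <stdexcept>

// Hypothetical helper (not a cocos2d-x or Botan API): holds one game value
// masked in heap memory and moves it to a new address on demand.
class GuardedInt {
public:
    explicit GuardedInt(int32_t v) { store(v); }

    // Callers only ever receive a copy, never a reference to the cell.
    int32_t get() const {
        if (!intact()) throw std::runtime_error("guarded value tampered");
        return static_cast<int32_t>(cell_->masked ^ cell_->key);
    }
    void set(int32_t v) { store(v); }

    // Re-mask under a fresh key in a newly allocated cell, then free the old one.
    void reseat() { store(get()); }
    bool intact() const { return cell_->check == mix(cell_->masked, cell_->key); }

    // Test hooks only: expose the cell so an outside write can be simulated.
    const void* address() const { return cell_.get(); }
    void corruptForDemo() { cell_->masked ^= 0x1u; }

private:
    struct Cell { uint32_t masked, key, check; };

    // Non-cryptographic consistency check between the masked value and its key.
    static uint32_t mix(uint32_t m, uint32_t k) { return (m * 2654435761u) ^ (k + 0x9e3779b9u); }

    void store(int32_t v) {
        static std::mt19937 rng{std::random_device{}()};
        auto fresh = std::make_unique<Cell>();
        fresh->key = static_cast<uint32_t>(rng());
        fresh->masked = static_cast<uint32_t>(v) ^ fresh->key;
        fresh->check = mix(fresh->masked, fresh->key);
        cell_ = std::move(fresh);  // old cell is released only after the new one exists
    }

    std::unique_ptr<Cell> cell_;
};

int main() {
    GuardedInt coins(100);
    coins.reseat();  // in a game, call this from a timer at random intervals
    return coins.get() == 100 ? 0 : 1;
}
```

Because the new cell is allocated before the old one is freed, every `reseat()` is guaranteed to land at a different address, and a write to the old location no longer touches live state.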
MY THOUGHTS:
From what I have experienced in this digital age… anything can be cracked…
Be it a Cocos2d-x game or a game like FIFA backed by a big, a very big company…
Or an entire OS like Windows or Mac…
You should be focusing more on your game content rather than thinking about how to make an uncrackable game…
Some concern is good, like encrypting and all… but too much attention is bad…
And let me tell you, people who crack software watch the ‘top 100’ or ‘top 10’ apps of a particular store (PlayStore/AppStore/Amazon) and then begin cracking those apps…
They don’t randomly pick an app << This is a very imp point (I had done some) …
Even games like Angry Birds have been cracked, what else to talk about…