We are considering APK security.
There are 2 kinds of source code in our application:
C# code
Java plug-in
For C# code
We found all C# code was built into Assembly-CSharp.dll, and it seems the .DLL can be refactored by .NET Reflector, which means the code is not secure.
We didn’t find any entries to use ProGuard on C# code in Unity and MonoDevelop.
For Java plug-in
We found .Jar was built as resources into “assets\bin\Data”, but we are not sure it’s secure.
Also, there were some posts that said applying ProGuard to the .jar caused unreasonable results, so we hesitated to use ProGuard on the .jar.
lol .jar is openable by WinRAR, isn’t it? .. I really wouldn’t know so much about these things, cause I think security is a dumb thing to be concerned about… just me?..
What is the reason for your security concerns? Obviously storing credit card details is a bigger deal than protecting high scores. Context may help people provide solutions.
I’ve done this thing in the past; not in Unity but in other engines/frameworks and my personal opinion is that “code security” (as in obfuscate/encrypt dlls and jars) is a huge waste of time and nightmare to maintain and support. If you have a team of developers to work and support then yes go for it.
Frankly it’s a question about effort needed and the returns. If it’s an out-of-this-world algorithm you want to protect then get a patent for it (and sue everyone if you like ;)). If it’s just your character controller code or scoring system code then millions are doing same things already (and in better ways, or at least better than me :)) .
For your assets(models/art/textures) there is always copyright protection and you can easily handle those violations through proper channels. Most app stores and sites will take action on such violations pretty fast.
For code; I wouldn’t spend time on the “security of the code”. Java and C# both are compiled to IL/byte code to be interpreted at runtime and no matter what you do to it, it can be reversed and frankly it’s a waste of time.
If you are storing any sensitive information on user’s device then each country has privacy guidelines issued by governments (and +EU if user is in Europe) to protect them which MUST be followed. So you can refer to those guidelines for securing the data. (On a side note never ever collect/transmit any user identifiable information without having a privacy policy and EULA created per country/region by a lawyer)
If you are worried about players cheating on scores and IAP then there are totally different ways to handle those (app design guidelines/remote validations/off-line timers etc.) and you can find some good assets on asset store which do just that.
Nah, me too. You do what you can from time to time, but ultimately people can decompile things, competent coders won’t be stopped by obfuscation (find & replace all, anyone?), people can attack php sessions, people can modify client side scripting and do whatever they want, etc.
I’d rather be focused on fun instead of making sure my user has an unpleasant experience with DRM system(s) monitoring their system & software at all times. I’d rather give 80% of my legitimate users a great experience instead of making them feel like they’re renting my software because of the 20% who would rather not pay.
This reminds me of a site my last company put together to answer questions about Internet security. istheinternetsecure.com answers the question as to whether the Internet is currently free of security holes. (Hint: It’s a static site)
If people want to get in there and mess with things, they’re probably going to find a way. You can do your best to hide certain things behind authorization gates on web services, but if there’s a way to game it, people will find a way.
The way I look at it, though, if you’re being hacked and cracked, it means you’re popular enough for people to care! So, yay!
I don’t know if it’s just me but it seems like this forum is full of incompetent programmers.
Code obfuscation is vital to many projects, otherwise you’re going to have a 100 clones on the market within days of a successful project.
Personally it’s easy to set up. Just make sure to mark certain packages and classes as not to be obfuscated. Such as classes that interface JSON through model abstraction, etc.
Yes you might think it’s easy to reverse compile an app but using something like ProGuard I can tell you right now; it’s not. This makes it harder to reverse compile than just to make the app from scratch.
Anyhow, if anyone knows of any good code obfuscators for Unity, please comment.
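As an added example (not part of the original thread and not any poster's configuration): the kind of ProGuard keep rules the post above refers to, for a Java plug-in that Unity C# code calls by name and that maps JSON onto model classes. The package names `com.example.plugin` and `com.example.model`, the class `UnityBridge`, and the use of Gson are assumptions.

```proguard
# Constructed example; package and class names are hypothetical.

# Unity C# reaches the plug-in through AndroidJavaClass/AndroidJavaObject,
# which look classes and methods up by their string names over JNI.
# Renaming these breaks the calls at runtime, so keep the public entry points.
-keep public class com.example.plugin.UnityBridge {
    public *;
}

# JSON model classes are filled in by reflection on field names
# (Gson assumed here), so their fields must keep their names.
-keep class com.example.model.** { *; }
-keepclassmembers class * {
    @com.google.gson.annotations.SerializedName <fields>;
}

# Generic type information and annotations used by reflection-based mappers.
-keepattributes Signature,*Annotation*

# Native methods are bound by name as well.
-keepclasseswithmembernames class * {
    native <methods>;
}

# Everything else in the plug-in is still renamed; write the mapping file
# so obfuscated stack traces can be translated back.
-printmapping mapping.txt
```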
Code that is obfuscated can not be reflected and decompiled to its normal structure, hence why obfuscation is great to “confuse” the hacker and increase the security of your code by a huge amount. It doesn’t protect against memory hacking.
Depends on who you are trying to protect against. Most of the app hijackers/cloners do not really care about full decompile or full understanding of the project and they mostly just inject their IAP and ads to existing projects and maybe switch some graphics or string literals. Same thing for cheaters, they only care for small bits and parts and not full project.
Currently there is no protection unless you build your project with IL2CPP. Without it your game will include .NET dlls with all the script code and obfuscation does not really matter since talented people can refactor the code pretty easily for the parts they need.
Obfuscation is just obfuscation, it only slows down the process but does not make anything bulletproof as the CIL code will still have to go to some runtime. Visual Studio handles mangled code refactoring pretty well and people after code can write their own tools anyways. These tools mainly only block a certain group of people.
Obfuscation is not just obfuscation. The word Obfuscation means confusing the communication, making it unreadable. The techniques to achieve this are not one simple thing. Obfuscation is not one thing, it includes many aspects, also cryptology.
Ironic considering you bumped a year old thread. I doubt any code here is worthy of the time taken to maintain obfuscation. Not sure why anyone thinks their generic code is worth protecting… oh because a clone will appear in a week… what a load of s***.
Beginner programmers occasionally think this way. “My code must be special therefore everyone will try to steal it”. I think we’ve discussed that in some license-related thread.
Sure, but nor does anything. Unless the data is destroyed there’s always some way to retrieve it. All that security does is make that more difficult and/or take longer. The idea isn’t to make it impossible, it’s to make it expensive enough that it’s not worth the effort.
With games, once the concept is out it won’t likely take someone more than a few days to build a new knock-off. There’s a huge difference between a concept and the implementation of that concept, and obfuscation only protects the latter.
Someone ripping off your game idea probably doesn’t want to use your implementation*, so protecting that might not be the best thing to put effort into. Consider how long it’s going to take you to protect stuff (both initial and ongoing effort), vs. how long it’ll take for an expert team to just write their own version (remember, they don’t have to do all the research you did).
That’s not to say that obfuscation is useless. I just doubt that it’s offering any real protection for most games, where we end up showing off the thing that we’re protecting anyway giving more than enough information to recreate it. If we have proprietary secrets or newly researched algorithms or other as-yet-unknown-to-the-world stuff under the hood then that’s where it might come in handy.
Piracy / rebadging stolen apps is a different matter, though I’m not sure how much obfuscation would help with those either.
I’ve been reading a lot of random threads on this forum, I don’t always answer or feel like answering. But most people on this forum have a very long way to go. It includes performance, architecture design, and security. Also the quality and logic behind the response is not of the best either. Maybe your code is not something to protect, that doesn’t mean other developers shouldn’t protect their code…