So : what files can be read by tech savvy users in my .ipa?

Mells Guru
edited November 2013 in General questions
Hi,

I understand that lua files are encrypted when exported (indie/pro license).
What are the files that a user could eventually access and read?

1. Should I assume that a user could eventually access .txt, .json files?
2. If a user can access a json file, I assume that he can even replace it and totally modify the game settings... right?

twitter@TheWindApps Artful applications : The Wind Forest. #art #japan #apps

Comments

  • OZApps Guru
    Accepted Answer
    @Mells,
    The user (a savvy one) can easily read most of the stuff (except the encrypted Lua sources). The graphics could be altered. (I recollect in the days of the floppy disks (the 5 1/2" ones) the filenames would be altered, so instead of SAM00001.pcx to SAM00005.pcx they would be numbered the other way round. Hint enough for what that would have done.)

    All files that are not compiled and changed in some form are all readable or accessible to the user that delves into the .ipa or .app

    Even the data that you write into the directories is readable and can be altered. I had an article on that here: http://howto.oz-apps.com/2013/10/peek-poke-to-get-unlimited-stuff.html

    If you are using JSON to serialize your data, then try to use a binary format instead, and if you are using JSON to get your data from a website, then place this json on the website so it cannot be altered by anyone and is retrieved from the website (that way you can quickly make alterations to the app as you want and Apple would not have an issue with this).

    Lastly, if you want to use encryption to save all this data, Apple asks you if you are using encryption in your app; that will severely limit your app's reach.

    Likes: Mells

    twitter: @ozapps | http://www.oz-apps.com | http://howto.oz-apps.com | http://reviewme.oz-apps.com
    Author of Learn Lua for iOS Game Development from Apress ( http://www.apress.com/9781430246626 )
    Cool Vizify Profile at https://www.vizify.com/oz-apps
  • Mells Guru
    edited November 2013
    @OZApps thank you.
    "If you are using JSON to serialize your data, then try to use a binary format instead"
    I believe the problem has been solved ten times by people way smarter than me, would you give me a few recommendations or directions on that?
    "Lastly, if you want to use encryption to save all this data,"
    I'm only using the encryption feature available in Gideros.
    Would my app fall under what you describe (Apple asking about encryption in app)?
    If yes, that would mean that all apps made with Gideros (Indie/Pro license) have their app's reach limited?
    twitter@TheWindApps Artful applications : The Wind Forest. #art #japan #apps
  • ar2rsawseen Maintainer
    edited November 2013
    @Mells as stated here by @atilim:
    http://www.giderosmobile.com/forum/discussion/comment/21449#Comment_21449

    If it is used to encrypt intellectual property which the code and assets are, then it is an exception and does not fall in the category of encryption in Apple review.

    But if you start encrypting the saved data, the purpose then is to hide information, and then you would need to report encryption to Apple.

    But if you still want to encrypt that information, you can do that by different provided libs, like:
    http://www.giderosmobile.com/forum/discussion/1227/md5-using-gideros-bitop-plugin#Item_1
    http://mkottman.github.io/luacrypto/manual.html#reference

  • Mells Guru
    edited November 2013
    @ar2rsawseen
    More specifically, I use json files to set the main parameters for the game. Those are not saved data.
    If possible, I would like to find a way to make those files a bit harder to be read (maybe use binary format as @OZApps suggested, but I don't know really what it is and it makes for a too broad search on google).

    If that makes the whole process:
    - too cumbersome for me
    - gives me some issues with Apple
    I won't bother with it. Now what I need is to publish and go for the way most people handle that situation.
    twitter@TheWindApps Artful applications : The Wind Forest. #art #japan #apps
  • OZApps Guru
    edited November 2013
    @Mells, you need to make a decision and weigh the options as to where to draw the line: do you want to make it not easy to read and alter the data, or do you want to have less hassle on you? In the article I referred to above, the developers have used a binary format and even the numbers are in long format (like one would have done in C); it makes it that much more easy for those that are used to those structures and formats.

    As for your other question, how to save data in binary format, you will have to use the read ("*n") type commands instead to read the file rather than expecting it in binary format. There is another trick where the file is changed to seem like a binary file or encrypted file while it remains in plain text, so to read it, you have to read it by using the low level commands, text editors will not read it. Depends on your requirement on what and how far do you need to go.

    One thing for sure, if someone is determined to crack something, they will... so it is the majority that you need to cater for: can they even list out the files in an .ipa? (I used to think that was difficult, till I saw that on Windows the .app file is a simple directory and it can be simply read like any other directory.) Then how easy is it to read the lua files? Well, look into the assets folder... (With C*SDK, it is a RIFF format where, like a zip file, the files are located with data containing information on the start of the file and length of the file. I have written a simple lua script that can strip the .car file into the corresponding .lua bytecode files.)
    twitter: @ozapps | http://www.oz-apps.com | http://howto.oz-apps.com | http://reviewme.oz-apps.com
    Author of Learn Lua for iOS Game Development from Apress ( http://www.apress.com/9781430246626 )
    Cool Vizify Profile at https://www.vizify.com/oz-apps
  • Mells Guru
    edited November 2013
    @OZApps very interesting.
    However "making a decision and weigh the options" would mean I have enough experience to take decisions. I'm not able to take decisions on things that I don't know about ;)

    That's why I would prefer to go for the collective (vs individual) decision : what do people do in most cases?
    I don't really want to go far, I'm just trying to know what "most people" do.
    I don't think people really care about the name of my variables and those who go so far as to modify and upload new variables, then it's ok. If they can enjoy a $2 game for free (after having spent x or xx minutes to do it) it's fine. They don't value their time as much as I do with mine.

    @ar2rsawseen, @OZApps, @phongtt do you use json files "as is"? Do you bother with making them unreadable at all?

    twitter@TheWindApps Artful applications : The Wind Forest. #art #japan #apps
  • phongtt Guru
    edited November 2013
    As far as I remember, our games' saved data (aka recordstore) don't use json or plain text, instead we use binary and also protect the data from being copied to another device.

    Btw, I found this: http://stackoverflow.com/questions/2135081/does-my-application-contain-encryption
    Examples of items that are excluded from Category 5, Part 2 by Note 4 include, but are not limited to, the following:

    Consumer applications. Some examples:

    - piracy and theft prevention for software or music;
    - music, movies, tunes/music, digital photos – players, recorders and organizers
    - games/gaming – devices, runtime software, HDMI and other component interfaces, development tools
    - LCD TV, Blu-ray / DVD, video on demand (VoD), cinema, digital video recorders (DVRs) / personal video recorders (PVRs) – devices, on-line media guides, commercial content integrity and protection, HDMI and other component interfaces (not videoconferencing);
    - printers, copiers, scanners, digital cameras, Internet cameras – including parts and sub-assemblies
    - household utilities and appliances

    Can anyone confirm this information?
  • "@ar2rsawseen, @OZApps, @phongtt do you use json files "as is"? Do you bother with making them unreadable at all?"
    Not really, unless it held some information that would be critical, like in-app purchase related stuff (I am not a fan of peddling in-app purchases as yet, might do some day)

    As for encryption or obfuscating stuff, I would do it more to retain the element of surprise in the game than anything else. So one way that was used in the past was simple xor encoding which simply changed the string or bytes with a fixed value being xor'ed, later it was used with a string to increase the complexity or ease of decrypting the data.

    I'd be more interested in obfuscating so that strings and variables are not easily readable with hex editors. There are several ways to do that; it all depends on what you are trying to do and what you are trying to protect: the code, the data, the settings, etc. Each would have a different method to use without getting into the trap of encryption, etc.
    twitter: @ozapps | http://www.oz-apps.com | http://howto.oz-apps.com | http://reviewme.oz-apps.com
    Author of Learn Lua for iOS Game Development from Apress ( http://www.apress.com/9781430246626 )
    Cool Vizify Profile at https://www.vizify.com/oz-apps
  • Mells Guru
    edited November 2013
    @phongtt, @OZApps thanks.

    Well, I use json files to setup a lot of things in the game and was thinking about having a parameter to allow the user to access the IAP.
    Lite version in json file "IAP_access":false
    If IAP purchase -> "IAP_access":true
    Premium version in json file "IAP_access":true

    All that information has been very helpful but, because I have no idea what we are talking about, I still don't know where to get started.

    What is a binary file? The search is really broad in the search engines.
    Is that a format that is totally different from json (which means I have to rewrite many parts of my app)?
    Is that a format that I convert my json files to?
    Or is that something totally different?

    I have found this : Binary Files and well it did not help.
    I don't want to ask too much on the forum, but a few links about where to get started (practical, specific advice, not theory) would be great.

    I think there is a start of an answer here:
    "you will have to use the read ("*n") type commands instead to read the file rather than expecting it in binary format."
    But I have really no idea what it's related to.

    *Feeling lost*

    twitter@TheWindApps Artful applications : The Wind Forest. #art #japan #apps
  • @Mells,

    If, let's say, there is a file called test and you opened it in a text editor, you could read it said "test" minus the double quotes; it is called a text file as the contents are text.

    Now formats like the PNG, JPG, etc are structures of a fixed type, these may contain portions of numeric, textual, etc data that are not readable unless you know how to decode them, that is what is called a binary format.

    Another major difference between a text and binary is that text files have lines separated by linefeeds, whereas binary does not (though it could if you specifically added them).

    So in your specific case, if you save a block of data that was contained in a structure as a structure rather than as strings, you would want to save it as binary so that the system does not add any line feeds or other data and disrupt/corrupt the file data.

    With Lua, since there are limited options of serialization as there exist with C or C++, the easiest way to save a table is to convert it into a JSON string and write it to a file (text format).

    With other languages like Python, I think it is called Pickling.

    A suggestion about your JSON: the problem with using JSON is that it is too verbose, as it stores the name of the key value pairs. Alternatively you can have your own text format that specifies, for example, that line 1 is the version, line 2 is the InApp purchase to remove ads made or not, and so on:

    VERSION 1.1
    1
    Mells
    10500
    51
    CHKSUM

    Now when you read this back line-by-line, you know in your app that line 1 is the version, line 2 is the flag that is 1 for true and 0 for false (or you can set your own), line 3 is the player that made the highscore, line 4 is the highscore, line 5 could be an obfuscated data value and line 6 could be a checksum based on lines 1-5. When you read the file, you generate the checksum, and if the checksum is not the same as line 6 then the file has been altered; you can overlay it with defaults or ignore those values. As I said, there are many ways of managing this; it depends on what you really want.
    twitter: @ozapps | http://www.oz-apps.com | http://howto.oz-apps.com | http://reviewme.oz-apps.com
    Author of Learn Lua for iOS Game Development from Apress ( http://www.apress.com/9781430246626 )
    Cool Vizify Profile at https://www.vizify.com/oz-apps
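
Added example, not part of any post in the thread: the six-line settings file described in the post above, written in Lua, with line 6 verified on load and defaults substituted when the file was edited. `SALT`, the function names and the sample values are assumptions made for illustration; the Adler-32-style checksum is not a cryptographic MAC, so it only catches casual edits.

```lua
-- Settings file with one field per line and a checksum on line 6 (added example).
-- SALT and the sample values are constructed; keep SALT in the encrypted Lua code.
local SALT = "constructed-app-salt"
local DEFAULTS = { version = "VERSION 1.1", iap = false, player = "", highscore = 0, extra = "0" }

-- Adler-32 style checksum using only arithmetic (works on Lua 5.1, no bit library).
local function checksum(text)
  local a, b = 1, 0
  for i = 1, #text do
    a = (a + text:byte(i)) % 65521
    b = (b + a) % 65521
  end
  return string.format("%08x", b * 65536 + a)
end

local function serialize(s)
  local player = s.player:gsub("[\r\n]", " ")  -- a newline would shift every later line
  local body = table.concat({ s.version, s.iap and "1" or "0", player,
                              string.format("%d", s.highscore), s.extra }, "\n")
  return body .. "\n" .. checksum(SALT .. body) .. "\n"
end

-- Returns the settings table, or nil plus a reason when the file must not be trusted.
local function parse(text)
  local l = {}
  for line in text:gmatch("([^\r\n]*)\r?\n") do l[#l + 1] = line end
  if #l ~= 6 then return nil, "wrong line count" end
  if checksum(SALT .. table.concat(l, "\n", 1, 5)) ~= l[6] then return nil, "checksum mismatch" end
  if l[2] ~= "0" and l[2] ~= "1" then return nil, "bad flag" end
  if not l[4]:match("^%d+$") then return nil, "bad highscore" end
  return { version = l[1], iap = l[2] == "1", player = l[3],
           highscore = tonumber(l[4]), extra = l[5] }
end

-- Altered or truncated files fall back to the defaults, as the post suggests.
local function loadSettings(text)
  local settings, reason = parse(text)
  if settings then return settings, "ok" end
  return DEFAULTS, reason
end

local saved = serialize({ version = "VERSION 1.1", iap = false, player = "Mells",
                          highscore = 10500, extra = "51" })
local edited = saved:gsub("\n0\n", "\n1\n", 1)  -- constructed tamper: flip line 2 by hand
for _, text in ipairs({ saved, edited, "VERSION 1.1\n1\n" }) do
  local s, status = loadSettings(text)
  print(status, s.iap, s.highscore)
end
```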
  • @Mells I was also bothered with it at first, but then I checked the most popular games of that time, Cover Orange, Angry Birds, Cut the Rope, and none of them does data encryption; they usually store simple json or xml, so I also don't obfuscate anything
  • "Lastly, if you want to use encryption to save all this data, Apple asks you if you are using encryption in your app, that will severely limit your app's reach."
    @OZApps why would answering yes to Apple's question about using encryption limit an app's reach?
  • @superappman, if your app uses encryption, it could be restricted from being approved for sales in certain countries. It all depends on your target market.
    twitter: @ozapps | http://www.oz-apps.com | http://howto.oz-apps.com | http://reviewme.oz-apps.com
    Author of Learn Lua for iOS Game Development from Apress ( http://www.apress.com/9781430246626 )
    Cool Vizify Profile at https://www.vizify.com/oz-apps
  • Thanks @OZApps

    Does anyone have experience with submitting a Gideros app that was exported with Lua encryption only? Did you check "no" to Apple's encryption question and was it rejected/approved?
  • ar2rsawseen Maintainer
    @Superappman you should check that yes it is encrypted, but only to protect your IP
    and I think you'll be good to go :)