Piracy of Gideros apps?

Magnusviri · February 2012

I just exported a project and built the iOS project in Xcode and it appears that all of my unique code is put in the assets folder and that there is nothing stopping someone from taking those assets and make their own app with them. I'm not sure how Android builds it's apps but I'm guessing that it uses the same assets and that someone could take Gideros and build an empty project and replace its assets with my assets and then they could actually put my app on the Android Store.

I'm trying to think if it's possible to download then re-upload someone else's app to the App Store, and I'm not actually sure. So this might not really be an issue that is unique to Gideros. But I think it might be a problem with Android. I'm not sure.

I guess I'm just worried about this because my iPhone apps are already being pirated by jailbreakers and the thought of people being able to take my work and then put it on the Android store and actually sell my apps makes me slightly uncomfortable.

Is this a real issue or am I just over thinking things?

Caroline · February 2012

When an app is distributed from the app store, it's a .ipa file. This is just a .zip file, and, yes, all assets can be extracted from the app.

The lua code is encrypted though.

If someone else were to use your assets on the Apple app store, then you can complain to Apple, and they will take down the other app. I don't know how Android does it.

Magnusviri · February 2012

Yeah, I guess Android is my worry because I have no plans to submit my apps to Android and I certainly don't want to try to police that ecosystem. Maybe the iOS and Android lua project files could be encrypted differently.

Caroline · February 2012

Even if the lua assets are encrypted, they can be lifted in their entirety and placed into a different Gideros generated Xcode project.
So yes, it would be good if the Android project files were built differently - is a .jet file (created by the Gideros exporter) just a .lua file renamed?

Magnusviri · February 2012

Yes, I checked them and they are the same.

I don't know enough about how Apple signs their projects to know if it is possible to rip off someone else's project by just dropping it into another Xcode project and signing it.

Caroline · February 2012

I don't know how rife piracy is in stealing a game and not changing it at all and submitting to a store - I would think people are more likely to steal the art rather than the whole game. And that has always been easy, even outside of Gideros.

I exported two projects, changed over the assets including the lua code, and built one project using the others assets. It appeared to work fine, so I'm pretty sure all I have to do now is build for the app store with my developer key.

However, it would be a carbon copy of the original.

You can define variables that come out in plain text in the lua-encrypted file, so you can have a variable with license information that does nothing.

Magnusviri · February 2012

When there is money to be made all kinds of cheaters show up. The App Store is gamed like crazy and Apple sends out warnings to developers periodically and is constantly trying to stop the way many developers are able to get their apps in the top listings by manipulating how Apple generates the lists. Apple will pull the plug on complete or even near copies. But I don't believe Google monitors its store much, so I don't want my stuff available there unless I purposely put it there.

Magnusviri · February 2012

Oh, and if plain text appears in the Lua files then I'm thinking they aren't encrypted but just compiled into Lua byte code. An encrypted file won't have anything readable in it.

Caroline · February 2012

You're right - I was using the word encrypted incorrectly.

OZApps · February 2012

Piracy is a very wide definition that you can apply.
An .ipa or a .apk file or for that matter even an Exe or a .app has the resources that can be extracted without breaking a sweat. If these were not available then the app could not work or use them.
The concern should be the lua code, as that is the real IP, unless you have an app like strip poker where the assets are of more importance than the code.

Luac compiles the text into bytecode, and for those that know what they are doing, that should not be very difficult to decompile. The compiler has documentation of how to convert the text into bytecode, so run it the other way... (not as easy as it sounds)

The issue that I see with luac is that it has these multiple files, that is a giveaway on the structure of the code, etc which can help in reconstruction (backwards engineering). So if there was a way to combine these compiled files as one lua code chunk, that would be a way forward to make decompiling harder.

Lastly, the point is what are you trying to protect, your assets in the app or the app from illegal distribution? There are several services that provide you a certificate based on your UDID that will crack and resign your app to install on a non jailbroken device.

If you have a jailbroken device, then the Apple DRM is not applicable or helpful at all in saving your app from illegal distribution.

AS to your question on can you just drop a project into xcode and sign it, you can resign it, not sure about the recompiling a compiled binary.

gorkem · February 2012

We are thinking of a method to encrypt the compiled Lua files. This is something to be tested thoroughly in fact, as it requires decryption on the fly, which affects the performance of the application. It's a tough process really, and needs some time before realization.

Magnusviri · February 2012

I guess the reason why I brought this up is because I was concerned about how easy it is. I know it's impossible to prevent for anything (the movie industry is trying and failing), right?). But I guess I just want a padlock that stops casual abuse. I don't think it is worth the effort to attempt more.

When I saw that my iOS apps were being pirated (hosted on MegaUpload or one of the other "filesharing" sites) it was an awful feeling, but I decided that Apple has made it difficult enough to pirate that I don't need to write my own piracy prevention code. I'm just worried about how easy it is to take the Lua resources and drop them into another Gideros app.

Maybe Gideros Studio can put a public key in the complied Lua files (I'm not worried about the images and sound resources) and a private key in the exported Android/Xcode projects and the keys must match to run and the keys are regenerated every time the project is built. That way the exported Android/Xcode projects and the Lua files must be built at the same time. If the Lua code is built on another machine, then its key won't match and the Android/Xcode key and the app won't run.

The key to this working is that the private key in the Xcode/Android project be as difficult to extract as possible (which seems impossible considering almost all exported Gideros Xcode/Android projects are going to be the same so it would be easy to find the binary location of the key), and I know there is no way to stop a determined cracker (and I don't think anything can), but I think this would stop a lazy/uninformed/casual one.

And now that I think about it, I've got the Xcode project and I can add something to it to make it different, so maybe it is up to me if I want more protection.

Either way, I think I've talked myself out of asking for this feature. I'll do what I say the filmmakers should do, and that's to make a product that is so awesome that honest people are happy to pay for it and the piracy will come naturally but I won't care because I've still got good honest customers.

gorkem · February 2012

(Apart from the fact that we'll have a look at this issue in the near future) ;

I've seen my books being pirated. I've seen my Linux distro being pirated. :ar! I felt like "Wow, I really produced high-quality products so others copy it. I think I made it." *-:) instead of feeling frustrated. Think of it like that. Be the best on what you do so others point at you. Rest is trivial.

mykyl66 · February 2012

Pretty much my thoughts. If it can be pinched it will be. No point in overly worrying about it.
Of course that's not to say that its not worth looking into. Anything that makes their job of getting at the code is a bonus.

Mike

MikeHart · February 2012

Piracy can't be stopped. It is better to get used to live with it.

moopf · February 2012

If you worry about piracy, you may as well stop and not bother producing anything. I've been developing for 20+ years and selling my own creations for over 15 years and it just comes with the territory - it can be disheartening at first but once you realise that there's little you can do about to stop it, you're left with a stark choice between giving up or carrying on regardless.

Introducing elaborate DRM, or protection methods, is often worse for you in the long run as you will inevitably create hoops through which your legitimate customers have to travel in order to use whatever it is you're producing. And that is self defeating, as you'll put potential customers off. Just take a look at the mess some of the big game developers/publishers have created with their "clever" DRM methods. It just frustrates the users.

Cyberience · May 2013

How did you manage to do this if what you say: "The lua code is encrypted though."?

Regards

I don't know how rife piracy is in stealing a game and not changing it at all and submitting to a store - I would think people are more likely to steal the art rather than the whole game. And that has always been easy, even outside of Gideros.

I exported two projects, changed over the assets including the lua code, and built one project using the others assets. It appeared to work fine, so I'm pretty sure all I have to do now is build for the app store with my developer key.

However, it would be a carbon copy of the original.

You can define variables that come out in plain text in the lua-encrypted file, so you can have a variable with license information that does nothing.

Cyberience · May 2013

This thread got me interested so I dug deeper, I had a look at an app in the app store, downloaded to me MAC, extracted the LUA files, and when I have a look, they have a * nv?8c at the beginning of very File, and when I run the luadec on it, states unrecognized symbol *. so it appears there is an effective encode happening already, though I have no idea how it was done, I would like to do the same to mine.
maybe there is a flag in the compile or something.

moopf · May 2013

This thread is old. Gideros (at least the paid version, I think) now includes encryption of the Lua files.

hgvyas123 · May 2013

This thread is old. Gideros (at least the paid version, I think) now includes encryption of the Lua files.

only on paid version

fxone · May 2013

@Cyberience there is an answer from @Atilim:
http://www.giderosmobile.com/forum/discussion/2804/gideros-lua-encryption-could-this-create-problems-with-export-compliance#Item_9

Cyberience · May 2013

yep saw that, I would have thought that every release is in the paid version, I haven't seen any Gideros Release games using the Gideros splash screen yet.

fxone · May 2013

@Cyberience this is the proof, that you've never seen my games

OZApps · May 2013

@Cyberience, that is the trick used to make a normal text file look like a UTF-8 file by altering the first few characters, that way the system will get confused with the file. If you want, you can also alter and then un-alter the lua bytecode to save it, or use the encryption technique that is available to paid subscribers only. I have not seen how it looks, so cannot comment. Other popular framework makes a single file that contains all of the Lua bytecode, more like a zip package or the resource files (windows executables). This deters the ones that do not know what to look for.

Howdy, Stranger!

Categories

In this Discussion

Top Posters

Piracy of Gideros apps?

Comments

Howdy, Stranger!

Quick Links

Categories

In this Discussion

Top Posters

Piracy of Gideros apps?

Comments