Processing Forum
So for example when I make an applet. I have it on my site. But everyone (at least a little skilled) can find the jar file in the source of the page, download it and then use an app like a Java decompiler to get to the code. With all my data and stuff.

I'm mostly worried about my loadStrings() where I'll communicate with the DB ... so almost anyone can change stuff there!

Is there a way to somehow protect the code or encode it, or somehow stop users from downloading the file (which has to be used as an applet)?

Replies(12)

No.

That's why I advise not to use DB code (or code using developer's keys or similar) in applets...
The preferred option is to make the applet communicate with server side scripts, so no sensitive data goes over the wire.

You cannot stop the users from downloading the file: the browser has to have it on the client side to run the Java code!
You might encrypt the strings, then decode them on the fly, but if the code can be decompiled, it can be used to decode the strings... There are obfuscators, but all they do is make the decompiled code harder to read. It can still be reused/understood, with patience.
Self-made security measures tend to be easily defeated... Some people might be more motivated by the challenge than by the goal (to access your data and play with it). Although beyond the usual play (like changing the content of a Web site, just for fun), we see more and more criminal usage of stolen data (credit card data, or even just reselling lists of e-mails).
It's an online game so there's no way I can use it without communicating with an external DB. I'm using php files on the server to do the work with MySQL (so no one can get to my pass and stuff), but they can still use the Strings inside the loadStrings to change the data in the DB through those php files. I was wondering about a way to let the php script know that it's used properly... At the moment I have a password on every script... so something like

```java
loadStrings("http://www.mysite.com/myfile.php?pass="+mypass+"&data="+data);
```

so that if someone figures out how to download the file, renames it to .zip, opens it and reads it, they just come across this

```
http://www.mysite.com/myfile.php?pass= .... & data = .....
```

But then I found out about Java Decompiler. So it's just about finding the pass in the code.
The next thing I wanna try is creating the jar file on the fly by php code (zipping it and renaming) so there is no real jar file on the site, but I still have to point the object parameter at it somehow...
As phi.lho said, you have to put your sensitive parts into the PHP code which is executed server side, i.e. the 

myfile.php?pass="+mypass+"&data="+data

part must go into the PHP file itself (at least the pass=mypass query part).


This would not work... I'm using the pass parameter just to ensure that no one can use the file without it... it's not the pass to the DB or account, so my php file starts with a big IF

```php
if ($pass == "mypass"){
... whole code ...
}
```
And I need to be able to send my data through the loadStrings method (for example, the position of the player on the field).

It is hard to make such an application 100% secure, I fear...
Don't take my remarks as real security advice, as I don't have knowledge/experience in the field; it might be better to find advice from people who have really implemented something for real games...

But well, thinking out loud, I think the server should generate an id for the player. It passes the id to the applet, which provides it back on each request, which is checked on the server. Thus, you eliminate at least the simplest tinkering, as one has to identify oneself on the server to make updates like changing the high score of this user. Now, one can sniff the id and use it. It can be encrypted in some way, but again, the decrypting part can be decompiled and analyzed. Perhaps using SSL can help in the secure part, I don't know. But this is becoming quite complex...
It can be interesting to see how OAuth (used by Twitter) works, too.
Thank you, the ID idea is good I'll try it out.
I see. Then your pass parameter makes no sense at all. Just remove it, it won't help.

Some security can be gained by sending the applet a combined key (an auth-pass combination), which consists of a key (a random number or string) that you store with each player in the database and the id of the player. The applet may even be allowed to store this combination in a local file (similar to cookies used by Web browsers). Upon authentication, the combined key must be sent, and you match it against the database. So it is not possible that any other player can fiddle with the ID, since he doesn't have the complete key.

Second, if you would like to avoid man-in-the-middle attacks, you need to encrypt traffic with SSL.
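Putting phi.lho's server-generated player id and the combined key from this reply together, here is an added example of what the PHP side could look like; it is not code from the thread. It assumes a `players` table with `id`, `key_hash`, `x` and `y` columns and uses an in-memory SQLite database in place of the real MySQL one.

```php
<?php
// Added example, not code from the thread: the server-side check behind the
// applet's loadStrings() requests. The "players" table, its columns and the
// "id,key" layout are assumptions; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, key_hash TEXT, x INTEGER, y INTEGER)');

// Run once when a player logs in: the server generates a random per-player key,
// stores only its hash, and hands "id,key" to the applet for later requests.
function issue_key(PDO $pdo, int $player_id): string {
    $key = bin2hex(random_bytes(16));                  // 128 bits of randomness
    $stmt = $pdo->prepare('UPDATE players SET key_hash = ? WHERE id = ?');
    $stmt->execute([password_hash($key, PASSWORD_DEFAULT), $player_id]);
    return $player_id . ',' . $key;
}

// Run on every later request: the id alone proves nothing, the key must match
// the hash stored for that very id.
function verify_key(PDO $pdo, int $player_id, string $key): bool {
    $stmt = $pdo->prepare('SELECT key_hash FROM players WHERE id = ?');
    $stmt->execute([$player_id]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && $hash !== null && password_verify($key, $hash);
}

// A verified request may only change the row of the id it authenticated as,
// so a player who knows another id still cannot edit that player's position.
function update_position(PDO $pdo, int $player_id, string $key, int $x, int $y): bool {
    if (!verify_key($pdo, $player_id, $key)) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE players SET x = ?, y = ? WHERE id = ?');
    return $stmt->execute([$x, $y, $player_id]);
}

// Constructed demo in place of $_GET handling (serve this over HTTPS in
// production, since the key travels with every request).
$pdo->exec('INSERT INTO players (id, x, y) VALUES (1, 0, 0), (2, 0, 0)');
[$id, $key] = explode(',', issue_key($pdo, 1), 2);
var_dump(update_position($pdo, (int)$id, $key, 10, 20));      // own row, valid key
var_dump(update_position($pdo, 2, $key, 10, 20));             // another player's id
var_dump(update_position($pdo, (int)$id, 'wrongkey', 1, 1));  // guessed key
```

The `pass=mypass` constant from the applet is gone entirely: the only secret is the per-player key, which is generated and checked on the server.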
The pass in the URL made sense until I found out that you can decompile the whole code...

But I don't understand what you are saying about the key and the id... I still have to somehow pass that key from the DB to the applet... and then from the applet to the php file, so that it can be compared against the key/id in the DB.

I don't know much about SSL, or TLS ... but I'm worried it would slow down the communication between the applet and the php file.
Just set up your web server to support HTTPS. I wouldn't worry about slowdown, given that you just transfer a few bytes of data.

And given that some software like VNC transfers whole screenshots over SSL (taking control of a remote computer).
but 50 times in a second ;)
Except you use noLoop() ...