Jump to content

Make HTML5/JS Game safe!


copman
 Share

Recommended Posts

Its a nice write-up about a subject that is not oft discussed but it is also incredibly worrying that you seem to think that the web should be a closed shop. It is intrinsically against what the web stands for and was created for. It is also one of the nails in the flash coffin.

I'm all for security when it concerns personal data, usage of such data and the integrity of users of any application or platform, but your post doesnt touch on that, you're simply worried that your code can be read and possibly stolen. You dont (and can not) obfuscate your idea and players play your game/use your app because of your idea and how you put that on the screen, the average user doesnt care much about your code. Obfuscation will not help you if you're simply worried about me taking your code and running it on my own server, I can do that whether your code is human readable or not.

The web is an open platform, there are those who seek to destroy that state and currently it is unknown which way the web will swing. A great number of us believe that if the web becomes closed then it will die and be replaced by something else. Whether it was your intention your not, your reasons for choosing to obfuscate your code are not made due to the security of your users, merely through wishing to protect your IP (intellectual property). Code obfuscation and minification should primarily be done to reduce page weight and load times, with newer web technologies (some of which are already in use), this concern becomes moot—in the near future there will likely be no requirement to even concatenate scripts into a single (or few) bundle to reduce http overhead (the only caveat here is that gzip and other compression will often be more effective over 1 large file than, say, 10 smaller ones).

I'm really glad you're talking about this subject, and that you have thought about securing leaderboards etc etc but you are touching on far bigger issues than maybe you realise or intended to.

As web developers we should be champions of the web and I can not agree that closing the web to protect IP is a good thing for users or for developers in the long term. Smudging together IP protection and web security is also a misleading use of terms—I know you are planning to touch on web security in subsequent posts but fielding a post about obfuscation techniques as one about web security is fairly poor.

Quote

Because JavaScript is sent in clear text our intellectual property is exposed, which is…. not so good

This is the most worrying part of your entire post. The question you should ask yourself is "not so good for whom?"

Link to comment
Share on other sites

- nice statement, here my point:

1. Fine - you are concerned about personal data - but where are the boundaries? "My" code is mine, unless I want to share it. It is my personal property, therefore it could (and should) be seen as personal data!

Just because I want to share (or sell) a game on or through the internet does not mean I want to share my code!
Blizzard does "share" and sell its games but not its sources (code, art etc...)!

Quote

The web is an open platform

what should this mean? - everything that is on the internet is for free? You know the opposite is true!
Even JS-Libraries does cost money...

with "Open platform" its "open" standards are meant, not that anything is for free!
You can download thousands of images - but you can't use them because its rights are protected!

Quote

obfuscate your code are not made due to the security of your users, merely through wishing to protect your IP (intellectual property)

the methods that we want to give a try, should do both, as I wrote: no easy cheat, no easy theft!

nothing of this does "close" the web - the opposite would be the case if there would be better protection-possibilities, there would be maybe less content but of higher
quality...
Has music or any art-direction become better since the internet, since everything could be stolen more easily?
=> No, I truly think not!....

 - just my point of view - Regards, Wolfgang

Link to comment
Share on other sites

Quote

Even JS-Libraries does cost money...

In the last year alone I've overseen more than a dozen applications and sites for some of the biggest companies in the world and I have paid, to date, $0 for external code. Thats not to say we've created all the code ourselves, far from it, open source is more than capable currently. I do pay for services though, but that is totally different.

Quote

what should this mean? - everything that is on the internet is for free?

The code is in no way related to what users of applications will pay. I pay for a password manager, I dont care if that application has 10k lines of code or 100k, I pay for it because it works and I trust that the company are able to produce programs that give my passwords a good enough level of security.

I'll pay for your game because its a good game, and I'll keep coming back and keep paying because I like playing it. That is how content is protected on the web.

Quote

the methods that we want to give a try, should do both, as I wrote: no easy cheat, no easy theft!

As JS is interpreted obfuscated code is usually fairly trivial to un-obfuscate, but I can steal your obfuscated code and run it somewhere else, just the same as I could have bought your game on CD/disk and given it/copied it to all my friends. The only way to secure against that sort of thing is to ensure that your game (at least periodically) relies on a service under your control, with the emergence of the web this actually makes 'securing' your game from theft far easier (well, 'securing' the playing of your game anyway).

As for cheating, such as posting scores to a leaderboard, surely you dont think that 'hackers' look through your code to break that system?

I'll reiterate because it sounds like I'm slaughtering you, I'm glad you are writing about this subject because now we are discussing it which is a great thing to keep the web moving forwards! :)

Oh, your code is most certainly not your personal data.

Link to comment
Share on other sites

Quote

Thats not to say we've created all the code ourselves, far from it, open source is more than capable currently. I do pay for services though, but that is totally different.

No, it is not different! Good Open-Source Sources are providing you with documentation, support, bugfixing etc.. this is also service!
Therefore many OpenSource Projects are turning back into payed services after gaining enough users, how should they survive and evolve other than that?
It does not matter if you pay for code or support or docu about it, at the end!

Just take WordPress - it's free - but a million dollar business, if you want to turn it into something usefull - you have to pay!

I've a problem, if good things that help you, and give you big possibilities are all for free - are you working for free?

Quote

The code is in no way related to what users of applications will pay

You misunderstood this. It is about that the code is stolen and someone else makes money with it.
What still happens  => there are many Chinese companies that just copy things(games) over the internet, change some art(also stolen) and try to make money...

Quote

As JS is interpreted obfuscated code is usually fairly trivial to un-obfuscate

It is not only obfuscation but yes for sure, I wrote: no easy cheat, no easy theft...

Quote

I'm glad you are writing about this subject because now we are discussing it which is a great thing to keep the web moving forwards!

Yes, in that point I fully agree with you ;)

 

Regards, Wolfgang...

Link to comment
Share on other sites

Quote

You misunderstood this. It is about that the code is stolen and someone else makes money with it.

Obfuscated code does not stop this. 

Quote

It is not only obfuscation but yes for sure, I wrote: no easy cheat, no easy theft...

Obfuscated code does not stop this.

If I wanted to 'hack' your game I wouldnt be looking at your code, and neither will anyone else.

Quote

No, it is not different! Good Open-Source Sources are providing you with documentation, support, bugfixing etc.. this is also service!

I disagree. Code is code, if it is sandboxed it will work (in the same environment) as well in 10 years as it does now (ask space shuttle engineers!). Paying for code is very different than paying for a service.

As you've mentioned open source projects, when they reach a certain level, require some sort of paid income to reach the next step, to reach a step further than that they usually require no money (dont believe me? ask the node foundation). I agree with you, many successful open source projects need financial backing, most gain it through sponsorship but many create a service, use the code and bill for the service. The service and the code are not the same. Docker, as it is one popular example, the code is free, but using docker-hub or their other services is a paid service. It is very different from the documentation and issue tracking surrounding open source code.

 

Link to comment
Share on other sites

19 minutes ago, mattstyles said:

If I wanted to 'hack' your game I wouldnt be looking at your code, and neither will anyone else.

Seriously Matt! I damn well would be, if I was to hack the OP's game I think it would be among many things I would consider looking at, why on earth would I not consider looking at the source?! I think it's well established JScrambler-style tools do make reverse engineering harder even if they don't stop it, at least until attackers master the tricks and produce their own tooling to counter it.

Let's stop debating the philosophy of whether copy-protection / obfuscation are righteous tools for developers to wield and focus on whether this seems to be a good quality tutorial on a topic that many devs seemingly are interested in.

I worry this first post in the series says little more than we looked at a bunch of solutions and decided that we liked JScrambler. While making some mistakes about the protection offered which you point out but don't unravel why that suggests a more serious misunderstanding... (I hope to go into more detail on this later)

Link to comment
Share on other sites

I'd be more interested in network traffic and what is being sent than picking through the code, not that I've ever done it for this purpose. I know the OP is going on with the series regarding ssl and other stuff and that isnt the focus of this article.

I'm glad the article is there, I just dont agree that obfuscation solves the problems the author says it does, for reasons I've stated.

As an article, I think the author highlighting their work-flow and sticking some opinion behind their decisions is fantastic, as a tutorial I think its flawed and does not encourage readers to search further for information on a very complicated subject.

Link to comment
Share on other sites

43 minutes ago, mattstyles said:

I'd be more interested in network traffic and what is being sent than picking through the code

I think a would be attacker will try both but that's what I think is missing from this first post threat modelling (Computer Security courses teach to start with this)

My concern with a paint by numbers approach to security, such as how to use JScrambler without really understanding what it does and doesn't protect against is that it will give a false sense of security, though my impression was that this series would focus on JScrambler only.

Link to comment
Share on other sites

7 minutes ago, chg said:

My concern with a paint by numbers approach to security, such as how to use JScrambler without really understanding what it does and doesn't protect against is that it will give a false sense of security, though my impression was that this series would focus on JScrambler only.

Yes, I agree, that is a better way of putting it. The false sense of security aspect is what I also find concerning.

Link to comment
Share on other sites

Quote

I'm glad the article is there, I just dont agree that obfuscation solves the problems the author says it does, for reasons I've stated.

sorry but I disagree: it does, for a simple reason =>
any code, especially if it's about game-dev, could be deobfuscated, or : most things today are .NET (Unity etc...) which is again an intermediate language IL, so could
be disassembled...
but anyway it is simply a matter of effort! is it worth it, or should I move to the next thing I could steel?
the guys in the companies I've mentioned have very restricted time to do what they are told to do!

btw.: the first attempts with Jscrambler are looking very promising - and any "deobfuscator" I've tried until now - hardly fails! but as I said it is not about deobfuscation alone, i'll show
up this in the blog...
and yes I was looking for an article like that - I'm doing it on my own now - hopefully someone of you could find some useful in it - not more, not less!

Regards, W.
 

Link to comment
Share on other sites

Quote

it is also incredibly worrying that you seem to think that the web should be a closed shop

I think Copman only wants to make his product a closed shop, not the whole web.  :-)  It is a perfectly rational thing to want to protect your hard work from being stolen and exploited by others. Whether that goal is feasible or not is another matter, but it makes for an interesting discussion. If other people want to open source their hard work for the benefit of others then that is perfectly rational as well. There is no need for the web to be all one way or the other.

Quote

I'll pay for your game because its a good game, and I'll keep coming back and keep paying because I like playing it. That is how content is protected on the web.

Having paying users for your product does not protect that product from being stolen and exploited by others, in fact, it encourages it.

Quote

As JS is interpreted obfuscated code is usually fairly trivial to un-obfuscate

You can beautify minified code, but you can not restore the original identifiers after they have been munged, at least not without the corresponding source map file.

The more interesting question is whether obfuscation is worthwhile. Many programmers believe obfuscation is not worthwhile because the goal of hiding a program's implementation can not be achieved, which is true. But the goal of obfuscation is not to hide a program's implementation, but rather to ensure acquiring an understanding of the implementation is made more tedious. Munging identifiers achieves that. Someone stealing code must then recalculate whether the extra effort required to grok obfuscated code in order to make any necessary modifications is worth their while.

Of course, obfuscation has drawbacks. The more deeply the code is obfuscated, the more likely bugs will introduced in the process, especially in a dynamic language like JavaScript. You have to have a lot of faith in the obfuscation tool. Also, obfuscation makes debugging more difficult. If you receive unhandled exception reports from the field then the resulting stack traces may be unintelligible if the code has been JScrambled (unless JScrambler provides source map support).

Quote

but I can steal your obfuscated code and run it somewhere else

Whether that will work depends on the code. For example, if the code has server side logic dependencies then some effort will be required to address that, which means the code thief will have to decide whether studying the obfuscated client-side code to understand what's missing is still worthwhile.

 

Link to comment
Share on other sites

I understand copman's dilemma about wanting his code to be safe. As BobF said, obfuscation can make it harder, and that's ultimately all we can really do for client side protection. Everyone should give this topic a good read: 

https://github.com/atom/electron/issues/3041

Also, the closest I think you can get is this: https://github.com/nwjs/nw.js/wiki/Protect-JavaScript-source-code-with-v8-snapshot

V8 Snapshotting looks like it converts V8's isolate code into native code, but debugging and performance will be a pain in the ass. There is also limitations. But I think that's the closest we got.

Also, WebAssembly AFAIK is creating a plugin for electron, which will help.

 

Link to comment
Share on other sites

Quote

 For example, if the code has server side logic dependencies then some effort will be required to address that

Yep, I mentioned that, the only way you can 'secure' your application from working is for it to 'call home' to a service you control. Sure, the service/s can be mocked but it could be incredibly difficult (touching on impossible depending on the nature of the service/s).

Quote

sorry but I disagree: it does, for a simple reason

Which is? You mention just 2 points in your article: you're worried about your IP and you're worried about the integrity of your leaderboards. Your leaderboards can be hacked without any knowledge of your client code and I can steal your code obfuscated or not, unless it relies on an external service that you control then it'll work for me, so, therefore obfuscation does not solve your problem, creating a dependency on a service does.

I haven't mentioned it yet as I was trying to be polite but assuming that you are so skilled that others can not replicate your work is either arrogant or ignorant. Protecting your hard work is admirable and rational, unfortunately, you can not achieve it (not without the law changing). There are a million clones of popular titles made by companies with expensive lawyers on tick, has their IP been compromised? Would it have been done so quicker if they exposed all of their source code? Of course not, it wouldn't have made a difference.

Your article is about trying to protect your IP and your experiences with jscrambler, and to that end the article succeeds. My point is simply that it is probably worthwhile pointing out to readers that this has nothing to do with user security or protection against hackers, its just about your own pride in your code.

 

I made a deck-building game way back in the day (before the internet was a thing for most of us), so I wish you all the luck with it. Some of your artwork is incredible.

Link to comment
Share on other sites

Copman, maybe it's already been said, but I think the title and ultimate conclusion of the article are contradictory (it ends up reading more like a promotional article to me).  Anyone with lesser technical skills may interpret this incorrectly, believe that obfuscation protects their IP, and make (wrong) decisions accordingly.

Perhaps rewording the title or adding a more obvious caveat at the end is worthwhile to avoiding continued confusion on an often confused subject?

 

Link to comment
Share on other sites

Hi!

I wanted to add "Jscrambler" in brackets to the title, so that everybody knows that the examples are about this product!
Can someone tell me how to edit the title? - thanks!

Here Part2:

Experience with Jscrambler, the Protection-Options!

http://vempiregame.com/allgemein/experience-with-jscrambler-part-i/

Best Regards and all the best, Wolfgang

Link to comment
Share on other sites

  • 3 months later...

Hi.

Could you not build in a trap where, if someone goes through your code, gets the links to the images and reconstructs your game (folders and files) in order to copy it then alter it. You could use getImageData to check the pixel colour that you know will be say, the top left pixel of a certain image. Then, if someone alters that image (say, the hero), your pixel check will return the wrong colour. Only let the game run if the correct colour is picked? This would only really work with minified or obfuscated code or easily spotted. Ok, the tamperer could, if they figured out the trap, remove the getImageData trap code but you could make your trap unique with 'several' layers of pixel data colour checking or something (overlay transparent colour and check again)? If they get rid of 'all' the pixel data checks, you might use some for non trap getImageData code to make the game work and then the game will not work properly.

 

Link to comment
Share on other sites

4 hours ago, mattstyles said:

@WombatTurkey hey wombat, is there still a considerable perf hit using snapshotting? I know at one stage it was down to about 30% or so, but that was a while back, it was still useful for handling stuff that needed to be secure like hashing or salt application.

I havn't ran any benchmarks :(. It's probably the same. Hit up the NW google group forum I bet Roger Wang will respond directly. But yeah, it's probably fine for little snippets of our "special code" :D

Link to comment
Share on other sites

Topic title also misled me thinking that it is about preventing client side attempts. As stated enough times above, obfuscation may stop most but not everybody so there is no harm in doing but don't rely on much.

And client side code is indeed a serious problem, especially if you made a persistent game. Someone else may simply get code for client side (where most of effort is spent) and complete it with own server side code.

But as I said, I was expecting a discussion about security problems related to tools like Greasemonkey or so. They are even more pestering due to low level barrier aka some writes a script et voila then everybody uses.

Link to comment
Share on other sites

  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...