NW.js Is Vulnerable (Developer Tools Can Be Accessed!)

Bugs will be moved here once resolved.

Post » Mon Aug 15, 2016 2:15 pm

newt wrote:It's the same for html5 web exports, they just have to know where to look.
In fact all someone needs to show your game somewhere else is to know where the index file is.
Its up to the host to block that kind of thing, which of course may also limit the games functionality.
Its up to you to sitelock your games, and of course they don't provide that information readily.
Not sure htf you're supposed to do that with nwjs.

Im my case only the NW.js part would be important.
I find it very concerning that the exported end-product lacks in security, I hope that C3 brings changes to that.


I remember a few years ago, I found a clever way of security for open art assets like these.
It was some sort of software creator (cannot remember the name of it)
and the way that their software handled this problem was by injecting a watermark layer to all art assets.

So can guess the process was structured like this:
1. Load asset with watermark
2. Remove watermark
3. Show asset inside the software without watermark

I have no clue how they managed to create a system like that because I was unable to remove the watermark,
using any kind of image editing software with layer support. (e.g. Photoshop, Paint.Net)
I don't want to be rude with this suggestion either, I just want to give an example on how to secure assets.
ImageImageImage
B
63
S
23
G
78
Posts: 661
Reputation: 44,935

Post » Mon Aug 15, 2016 2:32 pm

I'm not sure what you think watermarking will do.
People don't steal assets, they steal entire games.
Image ImageImage
B
169
S
50
G
174
Posts: 8,328
Reputation: 110,800

Post » Mon Aug 15, 2016 2:43 pm

newt wrote:I'm not sure what you think watermarking will do.
People don't steal assets, they steal entire games.

I want to secure my art assets, at least that way we could stop the "inexperienced" pirates from stealing and making their copy-cat games with our assets.

You cannot stop advanced game pirates, that's impossible just look at the big guys with their AAA games and security systems, in which they invest thousands of dollars monthly.
It took them like what, 4-5 months to crack their cryptions and security layers?
Anyway, asking for fully "pirate save" C2 games would be too much I think.
ImageImageImage
B
63
S
23
G
78
Posts: 661
Reputation: 44,935

Post » Mon Aug 15, 2016 5:41 pm

@TheRealDannyyy

If you don't want to distribute in Steam then you could try Enigma Virtual Box as described in the NWjs Github repository (it will hide your NWjs files inside an exe file).

As Ashley was informed in his question to the NWjs gurus here 2 years ago, there is no point in obfuscating or hiding any game assets - if your game can decrypt the assets then so can a hacker. Thus your best bet is to simply leave everything in the package.nw file, which will deter most casual investigators.

As to if there is anything else you can do - that really depends on what sort of piracy you wish to prevent... But, if your game is on Steam then it can only be played on Steam - by registered Steam users - because the Steam plugin checks for a Steam client login. Thus any game you make for the Steam platform will only be played by people who have bought it.
A big fan of JavaScript.
B
74
S
20
G
71
Posts: 2,230
Reputation: 44,892

Post » Mon Aug 15, 2016 5:55 pm

Colludium wrote:...
As Ashley was informed in his question to the NWjs gurus here 2 years ago, there is no point in obfuscating or hiding any game assets - if your game can decrypt the assets then so can a hacker. Thus your best bet is to simply leave everything in the package.nw file, which will deter most casual investigators.

Good to read that there was at least an attempt to prevent that.


Colludium wrote:As to if there is anything else you can do - that really depends on what sort of piracy you wish to prevent... But, if your game is on Steam then it can only be played on Steam - by registered Steam users - because the Steam plugin checks for a Steam client login. Thus any game you make for the Steam platform will only be played by people who have bought it.

And then there are fake Steam clients that only require the game files, however it's good to know that Madspy is giving the pirates a good fight, with his ways of protection inside his Steamworks plugin. I guess in the end I will have to rely on nice and honest customers, that support you and your games.
Last edited by TheRealDannyyy on Mon Aug 15, 2016 10:36 pm, edited 2 times in total.
ImageImageImage
B
63
S
23
G
78
Posts: 661
Reputation: 44,935

Post » Mon Aug 15, 2016 9:23 pm

As pointed out, if someone wants to steal content from your game, removing devtools won't help stop them.

TBH the most effective protection against people stealing your work is copyright law. Whatever technical measures you put in place can be circumvented: if your game can read it, so can anyone trying to steal it. Everything else is just security through obscurity, and anyone who knows anything at all about security knows that's not much security at all.

Further, adding security can have serious side-effects for legitimate customers as well. Suppose you decide to encrypt all your game's assets. If your game is 500mb big, then on startup it has 500mb of content to decrypt, which could take a while on some systems. So now all your customers - including those who have paid - have a worse experience because you're paranoid someone's going to steal stuff. And they still can - there are tools which can pull the decrypted assets directly out of RAM. So the whole thing is kind of pointless.
Scirra Founder
B
398
S
236
G
88
Posts: 24,433
Reputation: 194,635

Post » Mon Aug 15, 2016 10:25 pm

Ashley wrote:As pointed out, if someone wants to steal content from your game, removing devtools won't help stop them.

True, besides that concern I just wanted to hide the fact that the game runs in a browser-like environment.
So by blocking the right click menu using args I've achieved that goal for my game.


Ashley wrote:TBH the most effective protection against people stealing your work is copyright law.

Yeah, that's a possible way to secure your content from others using it commercially at least.

Well, I don't know what to say about this anymore, everything seems to be pointless.
I could pull comparisons on how other engines handle this but it would all result in the same thing I guess.
I will leave everything as is and hope that I won't find a stolen copy of my game or its art assets on any semi-popular gaming platform soon.
ImageImageImage
B
63
S
23
G
78
Posts: 661
Reputation: 44,935

Post » Mon Aug 15, 2016 11:59 pm

@TheRealDannyyy and you will.
"Hackers" or "Pirates" are not the issue here. They don't care about your assets, they just want to crack your game so other people can play it for free.
The real issue here are "modern teenage devs" raised on internet and cracked games. Too lazy or too cheap to make/paid for their own assets they will take all your shit and use it like they made it. They made that shit and mess on Arcades, Steam Google etc.

Every single game engine I have played with from AGS to UE4 have some sort of "packaging" after exporting game assets (we are talking about desktop games only, no mobile or browser)... But none of them let's you access game files in less than 3 seconds. NW.js is still the winner here :D
ImageImageImageImage
B
157
S
66
G
42
Posts: 2,603
Reputation: 35,343

Post » Tue Aug 16, 2016 12:09 am

You could encode everything into base64 strings, and load it that way.
It would bloat the already bloated nwjs export of course.
Image ImageImage
B
169
S
50
G
174
Posts: 8,328
Reputation: 110,800

Post » Tue Aug 16, 2016 9:40 am

@TheRealDannyyy @shinkan Old news. Me and many others had been reporting this from like forever. No one gave a damn back then, and I don't think they started caring here and now. Plus, they are too busy adding that Xbox support that no one will ever use :D
B
28
S
8
G
7
Posts: 643
Reputation: 6,457

PreviousNext

Return to Closed bugs

Who is online

Users browsing this forum: No registered users and 12 guests