koobas.hobune.stream
How to secure important data in code
Hello,
I have a code that downloads levels from an ftp server link that requires a username and password, how do I protect the link, username, and password from hackers or reverse engineers? My code looks like this:
public tk2dTextMesh msg;
public LevelList levels;
void LoadFromWWW()
{
StartCoroutine(link());
}
IEnumerator link()
{
string form = "&Username=username" + "&Password=mypass";
WWW www = new WWW("ftp://myServer.COM/gameData/levels.xml" + "/?" + form);
yield return www;
if (!string.IsNullOrEmpty(www.error))
{
msg.text = "Error: " + www.error;
}
else if (!string.IsNullOrEmpty(www.text))
{
// convert string to stream
byte[] byteArray = Encoding.UTF8.GetBytes(www.text);
MemoryStream assetStream = new MemoryStream(byteArray);
XmlSerializer xml = new XmlSerializer(typeof(LevelList));
levels = xml.Deserialize(assetStream) as LevelList;
msg.text = levels.list.Count.ToString();
assetStream.Close();
}
else
msg.text = "Empty";
}
I read somewhere that someone may open my code somehow and can read my link easily, what should I do?
Using encryption, like md5. Plenty of example overt the internet.
I'm sorry but it seems that I wasn't clear enough, I'm writing my own pass and username in the code itself as you can see in my code. What I'm afraid of is that someone may break my published build and do reverse engineering and manage to open my code. He can read my link, pass and password right of the code.
The answer is simple:
Don't store such data in the client
Use temporary credentials which are generated "on the fly" on the server and only last for limited time.
The general rule is: You can't store such information in a secure way on the client side.
Fact is if you allow access to a certain resource on your server, it can be accessed. The only way to limit that access is on the server side. If you want to offer certain resources only to certain users, it's a matter of how do you identify / distinguish those users on the server side?
If you're not interested in hiding certein resources / levels from those who aren't allowed to load them, there's no need to secure anything. If all users should be able to download the levels, just use a generic FTB user + password. Make sure that user only has read access to the desired files.
Such things are usually easier to handle on a webserver with PHP or any other serverside scripting language.
Ok, clear enough. So putting the link with username and password like that in the code isn't a secure way.
