block app id

friuns
Hi, how can I block an app ID? My free Android app was stolen and they sell it.

Comments

  • Please send us your email & appid to:
    developer@exitgames.com

    We can then invalidate it, Chris
  • dreamora
    friuns wrote:
    Hi, how can I block an app ID? My free Android app was stolen and they sell it.

    and what makes you think that blocking the ap id changes the game?
    Doesn't do so, you should simply update the app to require a valid session acquired from a login webservice that verifies the validity of the app and rejects all illegal copies.
  • Kaiserludi
    dreamora wrote:
    friuns wrote:
    Hi, how can I block an app ID? My free Android app was stolen and they sell it.

    and what makes you think that blocking the ap id changes the game?
    Well, if it can't successfully authenticate on the server anymore, then the illegal copy, which is using the old appID, won't support any multiplayer anymore, so this is useful to stop them from being used now, when it's too late to build any additional security checks with an external login webservice yourself into those old copies.
  • dreamora
    Right but they can update the app id whenever he does
  • Kaiserludi
    dreamora wrote:
    Right but they can update the app id whenever he does
    Therefor they would have to know the new one.
  • dreamora
    Which is granted to be known unless he decides that the app will never be updated again.
  • Kaiserludi
    dreamora wrote:
    Which is granted to be known unless he decides that the app will never be updated again.
    The only ways for them to update the appID are either having source access to both the old and the new version or updating to a completely new binary. So he can definitely stop them from using the old binary this way, and this is the intention of blocking the appID, as he can build new security checks into the new binaries, but not into the old ones, which are already out there, as he can't force anyone to upgrade them. So it makes sense to stop them from just using the old binaries by deactivating their access to the cloud via blocking their appID.
  • dreamora
    You are right, people that don't upgrade are dropped out, that's true.
    But that's the only thing that the app id deactivation does, for different reasons:

    1. This is PUN so we talk about Unity
    Unity generates IL code that's readable.
    But even if not, strings are easily readable within the generated code already without that.

    So it does not matter. As long as he does not protect the MP through a login that is able to differentiate between legal and illegal, he either goes offline or he will have the pirates on that are on a current version of the replicate.

    2. If he releases an update with a new app id, it can simply be pirated again.

    On Android it requires basically nothing to do that unless you have a proper and safe LVL verification against the live chrome backend, as you do not even need to root the device; on iOS it's a matter of minutes for Unity applications too, which opens it up to every jailbroken user afterwards (you would need to sell the MP as an IAP so you can verify the IAP, as that traditionally prevents illegal spins).
  • Kaiserludi
    As I said: Blocking the old appID will prevent the old already hacked clients from playing. Of course, as also already said, he will have to build in additional security for the version with the new appID, to not get hijacked again, but that doesn't change that it is useful to block the old appID, if there is no other option to deactivate the already hacked clients from future use, because even the best security for newer clients won't keep people from just using the old ones.
  • Tobias
    friuns: Are you also going to ask Google to take the application down from their store, cause it's a stolen app? Is that working?
  • gnoblin
    will entering string variable in inspector (instead of hardcoding it in a code) help a bit?
    obfuscation of some of the code might help too, no?
  • gnoblin
    Tobias wrote:
    friuns: Are you also going to ask Google to take the application down from their store, cause it's a stolen app? Is that working?

    but that's probably the best way to approach the problem :)
  • dreamora
    gnoblin wrote:
    will entering string variable in inspector (instead of hardcoding it in a code) help a bit?
    obfuscation of some of the code might help too, no?

    No, it has to be sent over the TCP in plaintext, that moment it's known.
    So it's trivial for crackers to get it
  • friuns
    Tobias wrote:
    friuns: Are you also going to ask Google to take the application down from their store, cause it's a stolen app? Is that working?
    Yep, it's already down, no need to change app id)

    dreamora, I don't think it's hackers, it's just stupid users who want to make money on my game)
  • Kaiserludi
    dreamora wrote:
    gnoblin wrote:
    will entering string variable in inspector (instead of hardcoding it in a code) help a bit?
    obfuscation of some of the code might help too, no?

    No, it has to be sent over the TCP in plaintext, that moment it's known.
    So it's trivial for crackers to get it
    Definitely not. We do send the whole authentication operation, which is the only time when we are sending the appID at all, encrypted by default, and you have to explicitly turn this behavior off to send it in plaintext.
  • dreamora
    friuns wrote:
    Tobias wrote:
    friuns: Are you also going to ask Google to take the application down from their store, cause it's a stolen app? Is that working?
    Yep, it's already down, no need to change app id)

    dreamora, I don't think it's hackers, it's just stupid users who want to make money on my game)

    If that's the case then it's naturally bad.
    Did you make use of the basic security features available on Android and exposed by unity?


    @Kaiserludi: on what versions of PUN would this hold true?
  • Kaiserludi
    dreamora wrote:
    @Kaiserludi: on what versions of PUN would this hold true?
    Phew, maybe a better question for Tobi or Leepo than for me.
  • Tobias
    We enabled this recently in 1.8. Before that, encryption was not working 100% in Mono/Unity.
  • dreamora
    Tobias wrote:
    We enabled this recently in 1.8. Before that, encryption was not working 100% in Mono/Unity.

    That's good to know, thanks Tobias
  • Tobias
    I just found that the event flow is correctly implemented and that authenticate is still sent unencrypted in PUN v1.8.
    Sorry for that.
    I will fix this for PUN v1.9.
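
The login-webservice approach raised earlier in the thread (multiplayer requires a session that a server issues only to copies it has verified) is shown here as an added example; it is not code from the thread, Photon or PUN. `issue_session`, `verify_session`, the key and the `license_ok` flag (standing in for a server-side LVL or IAP receipt check) are hypothetical names and assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. It lives only on the server, so reading strings out of
# the client binary (as discussed in the thread) does not reveal it.
SERVER_KEY = b"constructed-demo-key-server-side-only"
SESSION_TTL = 900  # seconds; a short lifetime limits the value of a leaked token


def _sign(payload: bytes) -> str:
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_session(user_id: str, license_ok: bool,
                  now: Optional[float] = None) -> Optional[str]:
    """Login webservice: issue a token only when the copy passed verification."""
    if not license_ok:  # assumption: result of a server-side license/receipt check
        return None
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now) + SESSION_TTL}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Game backend: return the user id for a genuine, unexpired token, else None."""
    try:
        body_b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body_b64.encode())
        # Constant-time comparison; reject before parsing anything unsigned.
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None  # malformed token, bad base64 or bad JSON
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None  # expired: the client must pass the license check again
    return claims["uid"]
```

Unlike the appID, the token is not a constant baked into every copy of the binary, so blocking access does not depend on shipping a new build.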