Minifying service in r358 and security

0 favourites
  • 4 posts
From the Asset Store
Find and Destroy all computer malware in this lighthearted security game.
  • Now that minifying is done with a remote service with r358+ (I'm assuming the service is hosted by Scirra), how is security of our information/code being handled during minifying? What data is being transmitted? Is the data encrypted at rest and in transit? Is this called out anywhere in the Scirra terms of service?

    Thanks

  • Try Construct 3

    Develop games in your browser. Powerful, performant & highly capable.

    Try Now Construct 3 users don't see these ads
  • What data is being transmitted? Is the data encrypted at rest and in transit? Is this called out anywhere in the Scirra terms of service?

    Good question, I think we do not know much about this but you said

    "How is the security of our information/code being handled during minifying?"

    I assume it's the same security we get when we generate the AAB/APK when opting for their service.

    But if the code is really sensitive, then there's always a way we can download the Android Studio file, the Cordova file, or the XCode project and export the output ourselves.

  • In short, the code sent to the minify service does not include any personal information, does not include much information about your project, and is not permanently stored. I believe it to be fully compliant with our existing privacy policy.

    Here's a few more details about precisely what it does and how it works. If you export a project with minify disabled, you'll find a lot of engine code in the files c3runtime.js and main.js. When you minify your project these files are sent to the minify service, which runs Closure Compiler on them, and then sends them back again.

    These files contain the stock Construct engine code used for all Construct projects. Why don't we just ship minified engine code with Construct itself? The problem with that is for efficiency, Construct only exports code from the plugins, behaviors and effects your project actually uses. That can also include code from third-party addons too. So the engine code does end up changing, but only because it's a combination of different pre-defined components to suit your project. Further, the engine code does also include any JavaScript code you write in your project, either in event sheets or script files. So the code sent to the minify server does include your project's JavaScript, and strictly speaking implicitly contains the list of addons used by your project. However this is not enough information to reverse-engineer your project. For this reason I used the phrase "does not include much information about your project" rather than "does not include any information about your project".

    To be clear, the actual information describing your main Construct project is not sent to the minify server. The main project-specific data is stored in data.json, and in all the other assets as image files, sound files etc; none of that is sent to the minify server.

    The code that is sent to the minify server is encrypted in transit in both directions. It is decrypted for the purposes of performing minification, and then as soon as the minified result has been transmitted back to the client, all files are promptly deleted. So decrypted engine code will remain on the server for perhaps a couple of minutes before deletion. There are also various failsafes to make sure that in the event of an error, or even a server crash, the working files will be deleted. In the event the minify server was compromised and the information leaked, it would potentially expose any JavaScript code written in your project. If that is for any reason a problem for you, there is the option of manually minifying your code locally: export from Construct with no minification, and then use a third-party tool to minify the code in c3runtime.js and main.js.

    Hopefully that helps clear up any concerns about what it does and how it works.

  • Thanks Ashley for this excellent and thorough overview. Makes me more confident in using the service.

Jump to:
Active Users
There are 1 visitors browsing this topic (0 users and 1 guests)