How safe Is my decrypted method in the final app?

Post reply

❤Follow Topic(3)

0 favourites

5 posts

From the Asset Store

Telegram Mini Apps SDK

$15 USD

Easily integrate Telegram Mini Apps SDK into your Construct 3 projects for building interactive apps and games.

lostinmind.

- DeltaStarStudios
- - Joined 18 Jul, 2016
  - 38 topics • 111 posts
- 1
- 25 May, 2022
- Quote
Hello All!

I'm building an app that allows the user to hide a file within another file. My question is, if the app handles the files reading and decrypting, how safe are the internal methods from discovery?

I have a working prototype and now am wondering if I seriously need to consider doing this with a server to ensure the method is safe. Or wondering if using the advanced minify option would sufficiently obfuscate how it works.

Thanks!
- Ashley Construct Team Founder
- Moderator
- - Joined 21 May, 2007
  - 669 topics • 30,350 posts
- 1
- 25 May, 2022
- Quote
Minifying code will obscure it, but obscurity is not security. All the code will be there on the client side and if someone can figure out how to activate it themselves, they will be able to use it to decrypt anything they like.

Doing it on the server will obscure the code even more (as it's no longer on the client), but once again that is not the same thing as being secure. If it's theoretically possible for the information to be decrypted on the client, it could be reverse engineered or brute forced.

If you want a truly secure option, you should use existing software designed by security experts. Anything you build yourself is unlikely to be truly secure. I've worked in software since 2007 and I would not trust myself to build something truly secure, as I haven't got expertise in building cryptographically secure systems.
- DeltaStarStudios
- - Joined 18 Jul, 2016
  - 38 topics • 111 posts
- 1
- 25 May, 2022
- Quote
Thanks Ashley

What I'm hearing you say is, if the method is on the user's device, it is vulnerable to discovery. If the method is on my server, and the user only sends and recieves files, it's possible to reverse engineer the method unless sufficient cryptographic techniques are taken to ensure comparing the encrypted file and the source file won't yield a solution.

Is that right?
- Ashley Construct Team Founder
- Moderator
- - Joined 21 May, 2007
  - 669 topics • 30,350 posts
- 1
- 25 May, 2022
- Quote
My main advice is not to invent your own cryptography, because it probably won't be fundamentally secure.

It depends on what you're doing - don't do this for secret government documents, you will cause a disaster. But if you're happy to merely obscure something so it's difficult to casually view, and it doesn't matter that much if someone puts in a lot of time and effort and cracks it, then some kind of not-really-secure scrambling scheme might be good enough.
Try Construct 3

Develop games in your browser. Powerful, performant & highly capable.
Try Now Construct 3 users don't see these ads
- DeltaStarStudios
- - Joined 18 Jul, 2016
  - 38 topics • 111 posts
- 1
- 25 May, 2022
- Quote
Thanks Ashley

Sounds like a server might be my best option. I hear you on the security vs obfuscation piece. Users should just encrypt their files using their encyptian method of choice before hiding them.