Search Unity

  1. Good news ✨ We have more Unite Now videos available for you to watch on-demand! Come check them out and ask our experts any questions!
    Dismiss Notice

Addressables Feature Request - Basic Encryption

Discussion in 'Asset Bundles' started by ScottPeal, May 22, 2018.

  1. ScottPeal

    ScottPeal

    Joined:
    Jan 14, 2013
    Posts:
    53
    It would be great if the new Addressables solution could incorporate a basic level of encryption on the asset bundles as they sit on the client PC. When a bundle is loaded, it would be decrypted before loading into memory. Maybe some hook for those who want the feature as I am sure this would have a minor performance hit.

    As we are more concerned about PC-based asset security verses mobile, maybe the asset bundle package could have a flag showing encrypted or not. This way the developer could choose to encrypt only the PC-based bundle builds verses the mobile ones.

    Thanks for the consideration.
     
  2. Reichert

    Reichert

    Unity Technologies

    Joined:
    Jun 20, 2014
    Posts:
    63
    I would like to do this eventually. I am thinking about it in the context of a full end-to-end solution (including content deployment and hosting).

    In the meantime, Addressables will make it much easier plug in your own solution here than in the past.
     
  3. Kirsche

    Kirsche

    Joined:
    Apr 14, 2015
    Posts:
    49
    If your application can decrypt the data, it's not safe. Don't waste your time.
     
    ProdiggaPA likes this.
  4. Kichang-Kim

    Kichang-Kim

    Joined:
    Oct 19, 2010
    Posts:
    558
    @Kirsche Of course, any data which can be decripted by client can be cracked. But making harder it is very important and works well.

    I want to hooking method on building assetbundle, like OnAssetBundleSerialized(byte[] bytes), OnAssetBundleDeserialized(byte[] bytes) for custom encryption.

    No more annoying two-step building ... (https://docs.unity3d.com/550/Documentation/Manual/protectingcontent.html)
     
  5. ScottPeal

    ScottPeal

    Joined:
    Jan 14, 2013
    Posts:
    53
    @Kirsche As a hoster of other people's content withing our media, it our responsibility to try to prevent the asset from being cracked on the client. If someone does in fact crack the client, then they have violated US law and our company is no longer liable for the acts of a criminal.
     
    Kirsche likes this.
  6. Arctous

    Arctous

    Joined:
    Aug 25, 2014
    Posts:
    26
    Is there any documentation on this? Or, an example project? If neither, can you please elaborate on how this could be accomplished?
     
  7. kennykwok12

    kennykwok12

    Joined:
    Aug 29, 2019
    Posts:
    1
    Strong hope Addressables feature contains
    Basic Encryption
     
    Unityzkcmkj likes this.
  8. tencnivel

    tencnivel

    Joined:
    Sep 26, 2017
    Posts:
    24
    Any news on this feature? that is definitely something that fits in the promise of addressables to make our life easier

    @unity_bill, could you give us some guidelines on how to implement this? or even better add a simple example in https://github.com/Unity-Technologies/Addressables-Sample?

    I have a very reasonable objective (not trying to make something bullet proof to advanced hacking): just trying to prevent people from getting the assets by simply using a tool like uTinyRipper.
     
    Last edited: Nov 5, 2019
  9. MaNiC

    MaNiC

    Joined:
    Feb 18, 2013
    Posts:
    25
    could you give us some guidelines on how to implement this? @Reichert
     
  10. ScottPeal

    ScottPeal

    Joined:
    Jan 14, 2013
    Posts:
    53
    Any word on this request?
     
  11. Unityzkcmkj

    Unityzkcmkj

    Joined:
    Jul 22, 2020
    Posts:
    1
    Strong hope Addressables feature contains
    Basic Encryption
     
  12. perholmes

    perholmes

    Joined:
    Dec 29, 2017
    Posts:
    62
    I really don't agree encryption is something developers should have to roll themselves. Consider that every developer is potentially looking at a terms of service violation even for Unity Asset Store assets if assets are distributed in a manner that can be easily extracted. The addressables system is inducing developers to violate Unity's own agreement.

    It's absolutely bizarre that it seems reasonable that tens of thousands of developers should all independently create exactly the same encryption script. The whole point of a game engine is to absorb the common tasks so everybody doesn't have to build their own roads to drive on.

    Asset bundles should have basic encryption baked in. Unreal has this. It's probably just AES-256 with a pre-shared key. It's encrypted when packing, decrypted when unpacking, with a key that's baked into the project. It's transparent to the developer. Just create a key, click a checkbox, and you're done.

    Bill, I think you're a smart guy, but your rationale for why every single developer should duplicate this effort is wild.
     
  13. AlkisFortuneFish

    AlkisFortuneFish

    Joined:
    Apr 26, 2013
    Posts:
    837
    You are reading too much into the terms and conditions.

    Most AAA games don't have their assets encrypted, you can generally just extract them.

    "Exposing" assets to extraction by having them in asset bundles or built in game data (remember, those are not encrypted either) does not open you up to these clauses. Chucking them on the customer's drive as png and fbx or what not would.

    Also remember that let's say for the sake of argument you encrypt them, if you use Mono decompiling your code back to C# and even debugging your symbol-less release build is entirely trivial with dnSpy and the like, so extracting your keys is just going to happen. Even if you use IL2CPP, it would not be difficult for someone to extract your decryption keys, people do.

    To reiterate: practically every Unity game in existence that uses third party assets would be violating the T&C's in this case.
     
  14. perholmes

    perholmes

    Joined:
    Dec 29, 2017
    Posts:
    62
    Indeed, you're probably not in violation of the terms of service. I'm only interested in increasing the level of skill needed to extract the assets, and it's not black and white. Someone who can extract unencrypted assets might not have the skills to decompile and locate a key, and it's not certain the key is even in the binary. I'm not trying to protect against a nation-state attack, only casual extraction using off-the-shelf tools. Unreal Engine does provide this.
     
  15. perholmes

    perholmes

    Joined:
    Dec 29, 2017
    Posts:
    62
    But I guess the correct standard for enough obfuscation is that it should be more difficult to extract the asset than to obtain a torrent of the same asset in its original form.
     
  16. XCPU

    XCPU

    Joined:
    Nov 5, 2017
    Posts:
    134
    It's using compression anyways, most of those libraries have an encrypt option builtin, tick box, password. Done.
    Just another step in loading. Maybe it's a speed concern, not every application is going to care though.
     
unityunity