Search Unity

  1. Megacity Metro Demo now available. Download now.
    Dismiss Notice
  2. Unity support for visionOS is now available. Learn more in our blog post.
    Dismiss Notice

Addressables Feature Request - Basic Encryption

Discussion in 'Asset Bundles' started by ScottPeal, May 22, 2018.

  1. ScottPeal

    ScottPeal

    Joined:
    Jan 14, 2013
    Posts:
    61
    It would be great if the new Addressables solution could incorporate a basic level of encryption on the asset bundles as they sit on the client PC. When a bundle is loaded, it would be decrypted before loading into memory. Maybe some hook for those who want the feature as I am sure this would have a minor performance hit.

    As we are more concerned about PC-based asset security verses mobile, maybe the asset bundle package could have a flag showing encrypted or not. This way the developer could choose to encrypt only the PC-based bundle builds verses the mobile ones.

    Thanks for the consideration.
     
  2. Reichert

    Reichert

    Unity Technologies

    Joined:
    Jun 20, 2014
    Posts:
    63
    I would like to do this eventually. I am thinking about it in the context of a full end-to-end solution (including content deployment and hosting).

    In the meantime, Addressables will make it much easier plug in your own solution here than in the past.
     
  3. Kirsche

    Kirsche

    Joined:
    Apr 14, 2015
    Posts:
    121
    If your application can decrypt the data, it's not safe. Don't waste your time.
     
  4. Kichang-Kim

    Kichang-Kim

    Joined:
    Oct 19, 2010
    Posts:
    1,008
    @Kirsche Of course, any data which can be decripted by client can be cracked. But making harder it is very important and works well.

    I want to hooking method on building assetbundle, like OnAssetBundleSerialized(byte[] bytes), OnAssetBundleDeserialized(byte[] bytes) for custom encryption.

    No more annoying two-step building ... (https://docs.unity3d.com/550/Documentation/Manual/protectingcontent.html)
     
  5. ScottPeal

    ScottPeal

    Joined:
    Jan 14, 2013
    Posts:
    61
    @Kirsche As a hoster of other people's content withing our media, it our responsibility to try to prevent the asset from being cracked on the client. If someone does in fact crack the client, then they have violated US law and our company is no longer liable for the acts of a criminal.
     
    Endahs and Kirsche like this.
  6. Arctous

    Arctous

    Joined:
    Aug 25, 2014
    Posts:
    26
    Is there any documentation on this? Or, an example project? If neither, can you please elaborate on how this could be accomplished?
     
  7. kennykwok12

    kennykwok12

    Joined:
    Aug 29, 2019
    Posts:
    1
    Strong hope Addressables feature contains
    Basic Encryption
     
    Unityzkcmkj likes this.
  8. tencnivel

    tencnivel

    Joined:
    Sep 26, 2017
    Posts:
    39
    Any news on this feature? that is definitely something that fits in the promise of addressables to make our life easier

    @unity_bill, could you give us some guidelines on how to implement this? or even better add a simple example in https://github.com/Unity-Technologies/Addressables-Sample?

    I have a very reasonable objective (not trying to make something bullet proof to advanced hacking): just trying to prevent people from getting the assets by simply using a tool like uTinyRipper.
     
    Last edited: Nov 5, 2019
    kyubuns likes this.
  9. MetaZhi

    MetaZhi

    Joined:
    Feb 18, 2013
    Posts:
    28
    could you give us some guidelines on how to implement this? @Reichert
     
  10. ScottPeal

    ScottPeal

    Joined:
    Jan 14, 2013
    Posts:
    61
    Any word on this request?
     
  11. Unityzkcmkj

    Unityzkcmkj

    Joined:
    Jul 22, 2020
    Posts:
    2
    Strong hope Addressables feature contains
    Basic Encryption
     
    Jinngoo likes this.
  12. perholmes

    perholmes

    Joined:
    Dec 29, 2017
    Posts:
    296
    I really don't agree encryption is something developers should have to roll themselves. Consider that every developer is potentially looking at a terms of service violation even for Unity Asset Store assets if assets are distributed in a manner that can be easily extracted. The addressables system is inducing developers to violate Unity's own agreement.

    It's absolutely bizarre that it seems reasonable that tens of thousands of developers should all independently create exactly the same encryption script. The whole point of a game engine is to absorb the common tasks so everybody doesn't have to build their own roads to drive on.

    Asset bundles should have basic encryption baked in. Unreal has this. It's probably just AES-256 with a pre-shared key. It's encrypted when packing, decrypted when unpacking, with a key that's baked into the project. It's transparent to the developer. Just create a key, click a checkbox, and you're done.

    Bill, I think you're a smart guy, but your rationale for why every single developer should duplicate this effort is wild.
     
  13. AlkisFortuneFish

    AlkisFortuneFish

    Joined:
    Apr 26, 2013
    Posts:
    970
    You are reading too much into the terms and conditions.

    Most AAA games don't have their assets encrypted, you can generally just extract them.

    "Exposing" assets to extraction by having them in asset bundles or built in game data (remember, those are not encrypted either) does not open you up to these clauses. Chucking them on the customer's drive as png and fbx or what not would.

    Also remember that let's say for the sake of argument you encrypt them, if you use Mono decompiling your code back to C# and even debugging your symbol-less release build is entirely trivial with dnSpy and the like, so extracting your keys is just going to happen. Even if you use IL2CPP, it would not be difficult for someone to extract your decryption keys, people do.

    To reiterate: practically every Unity game in existence that uses third party assets would be violating the T&C's in this case.
     
    FlightOfOne likes this.
  14. perholmes

    perholmes

    Joined:
    Dec 29, 2017
    Posts:
    296
    Indeed, you're probably not in violation of the terms of service. I'm only interested in increasing the level of skill needed to extract the assets, and it's not black and white. Someone who can extract unencrypted assets might not have the skills to decompile and locate a key, and it's not certain the key is even in the binary. I'm not trying to protect against a nation-state attack, only casual extraction using off-the-shelf tools. Unreal Engine does provide this.
     
    SmirelesWildWorks likes this.
  15. perholmes

    perholmes

    Joined:
    Dec 29, 2017
    Posts:
    296
    But I guess the correct standard for enough obfuscation is that it should be more difficult to extract the asset than to obtain a torrent of the same asset in its original form.
     
  16. XCPU

    XCPU

    Joined:
    Nov 5, 2017
    Posts:
    145
    It's using compression anyways, most of those libraries have an encrypt option builtin, tick box, password. Done.
    Just another step in loading. Maybe it's a speed concern, not every application is going to care though.
     
  17. FlightOfOne

    FlightOfOne

    Joined:
    Aug 1, 2014
    Posts:
    668
    Because return for investment is very low. Why waste your time and making things difficult for you and your team by adding another layer that you need to maintain and worry about.

    It is perfectly valid reason to wanting to discourage malicious activities and you should if you have the means for it. However, anyone with enough motivation and determination (e.g. steal or reverse engineer your product for financial gain) WILL get to your data. Most (I am going to say 99.99%) other developers don't bother with trying to sort through your garbage and figure out how your app works and try to steel it. They would just play your game and make something better. Yes, we definitely copy/paste code, but we don't copy and paste applications :p.

    If its like a multiplayer game and all it takes is checking one box (encrypt) and entering a key somewhere I'd do that to deter hackers and cheaters (ironically they will still figure out ways). And maybe invest more time architecting anti-cheat systems. But if it is a single player game I could careless if some kid tries to tinker with my game.

    I think, best way to "protect" yourself is by making new content and continuously updating existing content.
     
    Last edited: Oct 25, 2020
    mahdi_jeddi likes this.
  18. FlightOfOne

    FlightOfOne

    Joined:
    Aug 1, 2014
    Posts:
    668
    I not a lawyer and maybe someone from Unity should clarify, but I think what they mean is don't just leave it as a unity package outside of you bundles or as raw files (Textures, FBX, audio etc..) so all it takes is just opening your folder.
     
  19. Jinngoo

    Jinngoo

    Joined:
    Jun 2, 2020
    Posts:
    6
    Again
     
  20. LeFx_Tom

    LeFx_Tom

    Joined:
    Jan 18, 2013
    Posts:
    88
    Aaand again - push.
    It's - at the moment - really ridiculously easy to extract all assets, textures, scripts from the content bundles.
    On the other hand - browsers made it increasingly more difficult to grab/rip assets while they run onscreen. So while the whole "just grab mashes from gpu-memory" gets increasingly safer...the content itself from a unity application can simply be downloaded...

    We should have an improvement on this.
     
  21. Arctous

    Arctous

    Joined:
    Aug 25, 2014
    Posts:
    26
    It's been really quiet from Unity on this. :( Any news on the feature? Or, any instructions on how to roll our own?
     
  22. Jinngoo

    Jinngoo

    Joined:
    Jun 2, 2020
    Posts:
    6
    There is a Chinese version of Addressables "Addressables.CN".
    Here's the document: https://ucgbucket.unitychina.cn/AssetStreaming/AddressablesCN.pdf
    You may try this if you can read chinese :)
     
    ejx61s likes this.
  23. diego_sky

    diego_sky

    Joined:
    Oct 13, 2021
    Posts:
    1
    I summon the Code Elemental @unity_bill :)
    Any news on Asset Bundle encryption? Is it blocked by some technical or legal issue?

    Cheers
     
  24. kyubuns

    kyubuns

    Joined:
    Aug 6, 2013
    Posts:
    138
    It looks like it's been a few years, any updates?
     
  25. FlightOfOne

    FlightOfOne

    Joined:
    Aug 1, 2014
    Posts:
    668
    Honestly, I doubt this would ever get implemented as encrypting assets is not a really a big concern for vast majority of developers.