Best practice for secure coding

Discussion in 'Scripting' started by rahuxx, Apr 6, 2016.

Thread Status:
Not open for further replies.
  1. rahuxx

    rahuxx

    Joined:
    May 8, 2009
    Posts:
    537
    Anyone here got a list of steps that can be put into a best practice for secure coding?
    Rahuxx
     
  2. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    Secure as in? Are you trying to prevent someone stealing your code? Or are you trying to prevent cheating? Or are you handling financial transactions?
     
  3. rahuxx

    rahuxx

    Joined:
    May 8, 2009
    Posts:
    537
    Secure stealing of code from builds is what I mean.
     
  4. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    Unity absolutely sucks at this. On PC builds your assembly files sit right out in the open, and can be easily opened in ILSpy or even directly in a code editor.

    You can do some obfuscation. But even that has heavy limits; you can't rename methods like Update without things falling apart.

    If you really need code protection, best bet is to put it on a server and access it remotely.

    I'll leave it to someone else to point out that your code is unlikely to be worth stealing.
     
  5. Josenifftodd

    Josenifftodd

    Joined:
    Nov 29, 2013
    Posts:
    158
    I'm sure putting everything into the 'Resources' folder actually helps keep it protected; not 100% sure on that, but I've been told by a few people. I normally just put my scripts in folders titled $_PlanetGen, $_TerrainMap inside my Resources folder. Obviously yours would be titled differently.
     
  6. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    No. Putting scripts in different folders doesn't make a difference.

    Open the data folder of one of your PC builds, or someone else's. See how long it takes you to get the scripts open.
     
  7. Josenifftodd

    Josenifftodd

    Joined:
    Nov 29, 2013
    Posts:
    158
    Only thing I see is .asset files and everything - don't actually know what to look for as I'm not a thief so I wouldn't rob code from a finished project lol
     
  8. larku

    larku

    Joined:
    Mar 14, 2013
    Posts:
    1,422
    Putting stuff in a Resources folder actually makes it be included in the project verbatim. This is probably the worst possible thing you could do if you wanted to guard your code.
     
  9. Josenifftodd

    Josenifftodd

    Joined:
    Nov 29, 2013
    Posts:
    158
    Ahh see, the whole world can have my code if they want lol. It's IF they understand how procedural planets work, though, is if they will get anywhere with the code hahahaha.
     
  10. Raitoning

    Raitoning

    Joined:
    Dec 13, 2014
    Posts:
    100
    And what about builds done with WebPlayer and WebGL targets?
     
  11. Josenifftodd

    Josenifftodd

    Joined:
    Nov 29, 2013
    Posts:
    158
    Most likely the same issue, as it builds everything the same, just different file formats.
     
  12. Raitoning

    Raitoning

    Joined:
    Dec 13, 2014
    Posts:
    100
    WTF Unity Technologies, you need to fix this, I don't want the first script kiddie to steal my code meh
     
  13. Josenifftodd

    Josenifftodd

    Joined:
    Nov 29, 2013
    Posts:
    158
    In the pro version I saw someone once make their own launcher, and within the launcher it downloaded the files from their website and stored them somewhere, not sure where, but the only thing the player could access was the .exe application of the game. Might be worth looking into :)
     
  14. Raitoning

    Raitoning

    Joined:
    Dec 13, 2014
    Posts:
    100
    That's not solving any problems. The files would have been downloaded somewhere like in TEMP Windows files or in AppData/LocalLow or something like this. That doesn't prevent anyone from copying the files somewhere else to decompile them.
     
  15. Dave-Carlile

    Dave-Carlile

    Joined:
    Sep 16, 2012
    Posts:
    967
    Let's look at 3 scenarios:
    1. You work hard on your game but abandon it somewhere along the line.
    2. You complete a game and it's moderately successful.
    3. You complete a game and it does better than your wildest dreams and you buy the second most expensive property in California and you hang with Notch who is your new neighbor.
    In scenario 1, which is the most likely, you've wasted a lot of time thinking and planning on how to keep anyone from seeing your code. This time would have been much better spent actually writing some code that contributed to your having an actual game.

    In scenario 2, nobody cares about stealing your code, so you've wasted time thinking about how to prevent it. This time would have been much better spent adding some polish to your game.

    In scenario 3, someone will want to steal your game and pirate it, maybe someone will be interested enough to want to see how you did something and steal your code. These people will steal your game, and they will steal your code. There is absolutely nothing you can do to prevent it if someone wants it bad enough, so any time you've spent designing something to prevent it is time wasted. Spend that time adding another boss to your game.

    Or make your game open, support modding, build a community by sharing. You're likely to be more successful that way anyway.
     
  16. Raitoning

    Raitoning

    Joined:
    Dec 13, 2014
    Posts:
    100
    Or make Unity support the Brainfuck language. I'm not sure anyone would be dumb enough to lose something like 100 hours of his life to understand a simple for loop. I'm not sure also that a developer would be ready to lose 10 000 hours of his life to figure out how to write this loop.
     
  17. Dave-Carlile

    Dave-Carlile

    Joined:
    Sep 16, 2012
    Posts:
    967
    I once spent hundreds of hours reverse engineering Bungie's Myth TFL server which went offline after they were bought by Microsoft. I'm Marius from this interview. If someone wants it, they will get it.
     
  18. kru

    kru

    Joined:
    Jan 19, 2013
    Posts:
    452
    1) Myth TFL was a truly amazing, exceptionally awesome game.

    2) .NET is designed around providing source code to the users, which is compiled at run-time to provide the best performance and portability that it can. That is one of the design goals of .NET, that you give source code to users. That source code is in the form of IL, but it is still fairly easy for savvy users to decode, and there is no good way around it except to not use .NET. Which leads to #3...

    3) If you want to prevent users from decompiling your source, don't write it in a language that is compiled to IL. Write the majority of your important, secretive logic in native C++ DLLs. Then write C# wrapper objects to call your native code. This way you can protect the highly valuable algorithms as needed.
     
    Kiwasi likes this.
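To see which binaries in a shipped build contain IL (the files ILSpy opens, as described in the posts above) and which are native, a build audit can check each PE file for a CLR header. This is an added example, not code from any poster or from Unity; the function names are hypothetical and the sample headers are constructed for the demonstration.

```python
import struct
from pathlib import Path

CLR_DIR = 14  # data-directory slot of the CLR (.NET) header in a PE image

def is_managed_pe(data: bytes) -> bool:
    """True if the PE image carries a CLR header, i.e. it ships IL."""
    try:
        if data[:2] != b"MZ":
            return False
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        opt = pe_off + 24                     # skip signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):       # PE32 / PE32+
            return False
        dirs = opt + (96 if magic == 0x10B else 112)
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= CLR_DIR:
            return False
        rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR)
        return rva != 0 and size != 0
    except struct.error:                      # truncated or malformed header
        return False

def audit_build(root) -> dict:
    """Classify every .dll/.exe under a build folder (hypothetical helper)."""
    root, report = Path(root), {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in (".dll", ".exe"):
            kind = "managed (IL)" if is_managed_pe(p.read_bytes()) else "native/other"
            report[p.relative_to(root).as_posix()] = kind
    return report

def make_sample_pe(managed: bool, pe32_plus: bool = False) -> bytes:
    """Constructed header-only PE for demonstration; not a loadable binary."""
    dir_off = 112 if pe32_plus else 96
    buf = bytearray(0x80 + 24 + dir_off + 16 * 8)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> PE signature
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 24, 0x20B if pe32_plus else 0x10B)
    dirs = 0x80 + 24 + dir_off
    struct.pack_into("<I", buf, dirs - 4, 16) # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", buf, dirs + 8 * CLR_DIR, 0x2008, 0x48)
    return bytes(buf)
```

Calling `audit_build` on a build's output folder gives an inventory of what ships as IL; anything listed as managed should be assumed readable by whoever has the build.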
  19. Dave-Carlile

    Dave-Carlile

    Joined:
    Sep 16, 2012
    Posts:
    967
    1. Yes, it was. Still nothing like it.

    3. Pretty sure there are decompilers for those as well. Worst case you can disassemble them and hack them that way. Not as easy, but doable if you really want it. It's a young man's game though - no way I would ever spend the time to do that sort of thing anymore.
     
  20. Raitoning

    Raitoning

    Joined:
    Dec 13, 2014
    Posts:
    100
    Uh my, I've just downloaded ILSpy to see what you could find in the data folder of a Windows build, all the code is sitting there without any protection.
     
  21. Dave-Carlile

    Dave-Carlile

    Joined:
    Sep 16, 2012
    Posts:
    967
    To be fair, this isn't a Unity thing but a .NET thing. It's also not your actual source code but IL (Intermediate Language). ILSpy is decompiling the IL into C# syntax.
     
  22. Raitoning

    Raitoning

    Joined:
    Dec 13, 2014
    Posts:
    100
    So, the last thing available to protect your code is:
    Step 1 - Stop creating anything that a computer can run (game, software, website, ...)
    Step 2 - Leave everything you have
    Step 3 - Take a plane to a random location, the plane must fly over seas and islands.
    Step 4 - Randomly jump from the plane, preferably with a parachute and over an island.
    Step 5 - Be sure that there are absolutely no other humans on the island.
    Step 6 - Start writing your code on the sand, the wind and water will erase it from time to time, you will be protected from people trying to decompile your sand code. Don't forget to protect your code from satellites by using tree leaves.
     
    Kiwasi likes this.