How to securely implement an Android/IOS MCQ game

twinbaby

Master Member
Joined
Jul 8, 2014
Messages
3,563
Reaction score
598
I realise there is a Unity 3D version of the game that stores the MCQ questions and answers in Assets/Bin/Data and Data/Asset.Resources in cleartext. Is it possible to encrypt these resources so that anyone who unzips the .ipa and .apk won't be able to read the data inside the game?

I am thinking of using encrypted SQLite and streaming questions and answers via a server; however, this is meant to be a standalone game without any API call to the backend.
 

davidktw

Arch-Supremacy Member
Joined
Apr 15, 2010
Messages
13,391
Reaction score
1,180
I realise there is a Unity 3D version of the game that stores the MCQ questions and answers in Assets/Bin/Data and Data/Asset.Resources in cleartext. Is it possible to encrypt these resources so that anyone who unzips the .ipa and .apk won't be able to read the data inside the game?

I am thinking of using encrypted SQLite and streaming questions and answers via a server; however, this is meant to be a standalone game without any API call to the backend.

So how is your mobile app going to decrypt the data?

For iOS, you can encrypt only specifically for that one user and store the decryption key in the user's iOS Secure Enclave. You may wanna read up more in this area. I suspect that will also mean first-time encryption has to be done at the backend for each individual user.

I personally don't have experience using it practically, but this will be a workflow I would suggest for your consideration.

On first installation of the software, a key pair/symmetric key will be generated by the Secure Enclave. If you have no need to communicate securely with the backend, then this key pair/symmetric key will be stored locally in the device. It is not found in the IPA and only stored in the hardware security module (HSM) in an iOS device. All encryption/decryption will happen in memory on the fly.

If you need to communicate with the backend, send the public key to the backend and store it under a (user, device) pairing, since each device for the same user will generate a different key. Encrypted data sent by the backend to the mobile app will be encrypted using the (user, device) public key, which can then only be decrypted using the private key stored in the HSM. If your payload is large, you will want to consider generating a dynamic symmetric session key to encrypt the payload for each encryption, and only encrypt the session key with the public key, so that the encryption/decryption process of the large payload will be faster, since public-key cryptography is relatively slow compared to symmetric cryptography.

Hope it helps answer your doubt.

:)
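The enrollment-and-envelope workflow davidktw describes, as an added example that is not part of the thread and not Unity, iOS or Android API code, written in Go with only the standard library. The RSA key pair is a software stand-in for the enclave-backed device key (a real Secure Enclave or TrustZone keystore key is non-exportable, is usually an EC key, and would perform the unwrap step inside the hardware); the `Envelope` type, the function names and the JSON question payload are all constructed for this example.

```go
// Added example (not from the thread): backend wraps a per-payload AES session
// key with the device public key; the device unwraps it with its private key.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the backend sends to the app: the payload encrypted with a
// fresh symmetric session key, plus that session key wrapped with the device's
// public key. Nothing in it can be opened without the device private key.
type Envelope struct {
	WrappedKey []byte // session key encrypted with RSA-OAEP under the device public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM ciphertext plus authentication tag
}

// GenerateDeviceKey stands in for the key pair the Secure Enclave / TrustZone
// keystore would create on first launch. ASSUMPTION: a real enclave key is
// non-exportable; this software RSA key only simulates the property that the
// private half never leaves the device.
func GenerateDeviceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapPayload runs on the backend. It needs only the (user, device) public key
// registered at enrollment, never any device secret.
func WrapPayload(devicePub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // AES-256 session key, new for every payload
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Only the 32-byte session key goes through the slow public-key operation.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// UnwrapPayload runs in the app. With a real enclave only the OAEP decrypt is
// delegated to the hardware; the AES-GCM step happens in app memory.
func UnwrapPayload(devicePriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed: wrong device key or tampered envelope")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails on any tampering
}

// Roundtrip runs the exchange for device A and also checks that device B, a
// different enrollment of the same user, cannot open A's envelope.
func Roundtrip(questionBank []byte) (decrypted []byte, otherDeviceRejected bool, err error) {
	deviceA, err := GenerateDeviceKey()
	if err != nil {
		return nil, false, err
	}
	deviceB, err := GenerateDeviceKey()
	if err != nil {
		return nil, false, err
	}
	env, err := WrapPayload(&deviceA.PublicKey, questionBank) // backend side
	if err != nil {
		return nil, false, err
	}
	decrypted, err = UnwrapPayload(deviceA, env) // app side, correct device
	if err != nil {
		return nil, false, err
	}
	_, errB := UnwrapPayload(deviceB, env) // app side, wrong device
	return decrypted, errB != nil, nil
}

func main() {
	// Constructed sample payload standing in for the MCQ question bank.
	bank := []byte(`{"q":"What does HSM stand for?","a":["Hardware Security Module"]}`)
	pt, rejected, err := Roundtrip(bank)
	fmt.Printf("decrypted=%q otherDeviceRejected=%v err=%v\n", pt, rejected, err)
}
```

The envelope carries no secret other than what the device private key can unwrap, so shipping it inside the .ipa/.apk or over the network reveals nothing to someone who unzips the package; the trade-off the thread points at still holds, though: the plaintext exists in app memory after `UnwrapPayload`, so a rooted or jailbroken device with a debugger attached can read it there. AES-GCM is used rather than a bare block mode so a modified envelope fails the tag check instead of decrypting to garbage.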
 

twinbaby

Master Member
Joined
Jul 8, 2014
Messages
3,563
Reaction score
598
Is there any way to obfuscate the resources for Android and iOS?

https://github.com/shwenzhang/AndResGuard

For iOS, you can encrypt only specifically for that one user

The iOS/Android app is going to be installed for multiple users.

Btw it is currently a 1-tier architecture. Will it take a lot of effort to convert to 3-tier? Anyway, one of the requirements is to submit the scores online.
 

davidktw

Arch-Supremacy Member
Joined
Apr 15, 2010
Messages
13,391
Reaction score
1,180
Is there any way to obfuscate the resources for Android and iOS?

https://github.com/shwenzhang/AndResGuard

The iOS/Android app is going to be installed for multiple users.

Btw it is currently a 1-tier architecture. Will it take a lot of effort to convert to 3-tier? Anyway, one of the requirements is to submit the scores online.

I think for Android, it normally leverages ARM's TrustZone. I can't say all Android hardware implementations have it, whereas all Apple iOS devices have had it for years.

Obfuscation doesn't offer security. If you store your credentials or keys in the source code or resources, they will always be there in plaintext.

What is your 1-tier and 3-tier referring to? Backend? How is that related?

:)
 

Trader11

Arch-Supremacy Member
Joined
Oct 14, 2018
Messages
14,661
Reaction score
4,608
I realise there is a Unity 3D version of the game that stores the MCQ questions and answers in Assets/Bin/Data and Data/Asset.Resources in cleartext. Is it possible to encrypt these resources so that anyone who unzips the .ipa and .apk won't be able to read the data inside the game?

I am thinking of using encrypted SQLite and streaming questions and answers via a server; however, this is meant to be a standalone game without any API call to the backend.

Are you saving the answers in the app? Know that anyone can decrypt it if they are smart enough to know where you store the key.
 