You could add complexity to the process by encrypting the credits before
placing them in the local store. Naturally this means the key would be
stored in the player, but the normal user probably isn't sharp enough to
be able to decompile and find the key, let alone figure out how to
access the local store.
Another issue might be the local store getting wiped out accidentally
from the user tinkering with the flash player settings.
So I suppose 'secure' is a relative term :)
-V
Céline Nguyen wrote:
Tim, thank you for your answer.
Yes, this is an issue, the client wants to run the game mostly offline.
Go online only to download more credits (ex. 100 more in one shot and
download all of them and run them one by one locally).
I was thinking of repackaging the swf with FlashStudio
(http://www.multidmedia.com) so it can be distributed as an exe and use
a shared object to store the credits locally. This solution has been
suggested in a previous posting: November 09, 2004
I know there's no 100% secure solution, but I am wondering if it's still
the most secure solution to suggest to this client.
----- Original Message -----
From: "Tim" <[EMAIL PROTECTED]>
To: "'Flashcoders mailing list'" <flashcoders@chattyfig.figleaf.com>
Sent: Tuesday, August 01, 2006 6:32 PM
Subject: RE: [Flashcoders] security issues - offline application
Credits should be downloaded from the internet and then the user can play
offline as long as he has enough "credit". If he has no more, he has to
connect to the internet again and download / buy more.
So my question is, what's the best way of programming this activation
process with the maximum of security.
For example what if after downloading credits the user makes an image disk
of his computer, and reinstalls it whenever the credits are empty?
You could store the credits server side rather than "downloading" them. Each
time a user played the game a credit can be deducted from the user's online
account via a script call. That way even if they wiped their hard drive and
started again you have a record of how many credits they have remaining (but
it would require internet access each time the game was played - I don't
know if that's an issue).
Whatever solution you come up with would be open to abuse though given the
nature of Flash. For example, with the suggestion above a user could
decompile the game, hard-coding the expected response from the server and
publish it again to get unlimited credits (obfuscating your code would make
the process more difficult but not impossible).
Tim
_______________________________________________
Flashcoders@chattyfig.figleaf.com
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
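The trade-off discussed in this thread, as an added Python example that is not code from any of the posters: a protected local store still accepts a restored disk image, while a balance held on the server does not. `LocalStore` and both function names are hypothetical, and an HMAC tag stands in for the encryption suggested above, since either way the key ships inside the player.

```python
import hashlib
import hmac
import json
import os


class LocalStore:
    """Stand-in for the player's local shared object (hypothetical class)."""

    def __init__(self, key):
        self.key = key      # ships inside the player, as the thread notes
        self.blob = b""     # what actually sits on the user's disk

    def save(self, credits):
        body = json.dumps({"credits": credits}).encode()
        self.blob = hmac.new(self.key, body, hashlib.sha256).digest() + body

    def load(self):
        tag, body = self.blob[:32], self.blob[32:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("local store was edited")
        return json.loads(body)["credits"]


def plays_with_local_store(credits, attempts):
    """Count games played when the balance lives only on the client."""
    store = LocalStore(os.urandom(32))
    store.save(credits)
    image = store.blob                  # disk image taken after the download
    played = 0
    for _ in range(attempts):
        if store.load() == 0:
            store.blob = image          # restored blob still verifies
        store.save(store.load() - 1)
        played += 1
    return played


def plays_with_server_ledger(credits, attempts):
    """Count games played when each game deducts from a server-side balance."""
    balance = credits                   # held by the server, not in any image
    played = 0
    for _ in range(attempts):
        if balance == 0:
            continue                    # a client restore changes nothing here
        balance -= 1
        played += 1
    return played
```

The tag catches a hand-edited store but not a replayed one, which is why only the server-side count stops at the purchased credits. It does not cover Tim's other point, a republished client that hard-codes the server's response.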