SlideShare a Scribd company logo

[UniteKorea2013] Protecting your Android content

William Hugo Yang
William Hugo Yang

유나이트 코리아 2013 발표자료: 안드로이드에서의 스크립트 암호화 및 에셋 보안 (에릭 헤밍)

TechnologyEducation
1 of 42
Download to read offline
Protecting your Android content Erik Hemming Unity Technologies Mobile Mechanic & Lead Android Developer
4 Apr 2013 Page About me • Developer at Unity / Sweden • 3 years of Unity for Android • Used to make games • Battlefield series • Focus on mobiles and consoles • Android / PSM / VITA & PS4 2
4 Apr 2013 Page Agenda • Unity on Android - what does it mean? • Authentication with Google Play Licensing • Application tampering detection • Code Obfuscation • Encryption of • PlayerPrefs • Scripts • Assets • Conclusion / Q&A 3
4 Apr 2013 Page Unity on Android 4
4 Apr 2013 Page Unity on Android (overview) 5 Linux Kernel Android / Dalvik VM Unity on Android Mono VM User script / “Game” OS App
4 Apr 2013 Page Unity on Android (detail) 6 C# / Scripts Dalvik (Java)
4 Apr 2013 Page Unity on Android (detail) 7 AndroidJavaObject java.lang.Object
4 Apr 2013 Page AndroidJavaObject et al • Script objects wrap Java objects • AndroidJavaObject → java.lang.Object • AndroidJavaClass → java.lang.Class • AndroidJavaRunnable → java.lang.Runnable • AndroidJavaProxy → java.lang.reflect.Proxy (in Unity 4.2) • Automatically maps / instantiates Classes by name • Methods / Fields are handled through reflection lookups 8
4 Apr 2013 Page 9 java.lang.String str = new java.lang.String("some string"); int hash = str.hashCode(); AndroidJavaObject jo =         new AndroidJavaObject("java.lang.String", "some string"); int hash = jo.Call<int>("hashCode"); Java C# AndroidJavaObject (example)
4 Apr 2013 Page Authentication with Google Play Licensing 10
4 Apr 2013 Page Authentication with Google Play Licensing • Provided by Google • Only available for applications published on Play Store • Online verification of purchase records • If the device is offline the verification will “fail” • Example code (LVL) provided by Google • Don’t use as-is - very easy to find and hack 11
4 Apr 2013 Page Verification Flow • Application → {random number} → Google • Google → {message, signature} → Application • message = purchase status + random number + timestamp + (..) • signature = RSA(message, private key) • Verify that RSA(signature, public key) is a match for ‘message’ 12
4 Apr 2013 Page How to handle the offline case • “Online check” == “Internet access” • Don’t require constant internet access • that would ruin the game experience while flying / roaming / etc. • Instead do the checks only if network is available • allow the app be used a week (or so) without being verified • trust the app/user during that time. • If your app has game elements that require internet connection, make sure you also do a license check at that point. 13
4 Apr 2013 Page Server Side Verification • Application → {some number / data request} → Google • Google → {message, signature} → Application • Application → {message, signature} → Server • Server → {application data} → Application • Server only fulfill Client requests that have correct ‘signature’ 14
4 Apr 2013 Page Unity Plugin : Google Play License Verification • Written in C# • Except for the small Service Binder (Java) - loaded dynamically • Easy to embed / hide anywhere in your project • Available on the Unity Asset Store • Ready to be included into an existing project • Original project hosted on GitHub • Feel free to fork and improve 15
4 Apr 2013 Page Application tampering detection 16
4 Apr 2013 Page Application tampering detection • Why? • A hacker would have to remove and/or alter licensing checks • and thus change the code in your application • Also possible to change code to gain in-game advantages • Like changing the physics so that a car drives faster • In general a very easy way to determine if you’ve been hacked 17
4 Apr 2013 Page Application tampering detection • Make sure the application is signed with your key • Make sure the Java code (classes.dex) isn’t altered • Make sure the Mono class library (mscorlib.dll) isn’t altered • if the License check is done in C# we will rely on it • Make sure your script code (Assembly-CSharp.dll) isn’t altered • Needs to be done from Assembly-UnityScript.dll, or v.v. • Make sure your native code (libunity.so / libmono.so / etc) isn’t altered 18
4 Apr 2013 Page Check the APK signature (Java) 19 // Retrieve the PackageManager and packageName (i.e. 'com.Company.Product') Activity activity = com.unity3d.player.UnityPlayer.currentActivity; PackageManager manager = activity.getPackageManager(); String name = activity.getPackageName(); // Fetch APK signature(s) PackageInfo packageInfo = manager.getPackageInfo(name, PackageManager.GET_SIGNATURES); Signature[] signatures = packageInfo.signatures; // Process signatures (i.e. check their validity) for (Signature signature : signatures) {     Log.i("signature", signature.toCharsString());     Log.i("signature hash", Integer.toHexString(signature.hashCode())); }
4 Apr 2013 Page Check the APK signature (UnityScript) 20 // Retrieve the PackageManager and packageName (i.e. 'com.Company.Product') var unity = new AndroidJavaClass("com.unity3d.player.UnityPlayer"); var activity = unity.GetStatic.<AndroidJavaObject>("currentActivity"); var manager = activity.Call.<AndroidJavaObject>("getPackageManager"); var name = activity.Call.<String>("getPackageName"); // Fetch APK signature(s) var GET_SIGNATURES = 64;    // PackageManager.GET_SIGNATURES var packageInfo = manager.Call.<AndroidJavaObject>("getPackageInfo", name, GET_SIGNATURES); var signatures = packageInfo.Get.<AndroidJavaObject[]>("signatures"); // Process signatures (i.e. check their validity) for (var i = 0; i < signatures.length; ++i) {     Debug.Log("signature = " + signatures[i].Call.<String>("toCharsString"));     Debug.Log("signature hash = " + signatures[i].Call.<int>("hashCode").ToString("X")); }
4 Apr 2013 Page Detect changes to ‘classes.dex’ (C#) 21 // Unity's WWW class supports reading 'jar:{archive-url}!/{entry}' on Android string urlScheme = "jar:file://"; string apkPath = Application.dataPath; string separator = "!/"; string entry = "classes.dex"; string url = urlScheme + apkPath + separator + entry; // Read classes.dex inside package.apk WWW www = new WWW(url); yield return www; // Calculate the MD5 sum of classes.dex contents MD5 md5 = new MD5CryptoServiceProvider(); byte[] hash = md5.ComputeHash(www.bytes); // Print MD5 sum System.Text.StringBuilder sb = new System.Text.StringBuilder(); for (int i = 0; i < hash.Length; i++)     sb.Append(hash[i].ToString("x2")); Debug.Log("md5sum(classes.dex) = " + sb.ToString());
4 Apr 2013 Page Native libs check (UnityScript) 22 // Retrieve main Activity var unity = new AndroidJavaClass("com.unity3d.player.UnityPlayer"); var activity = unity.GetStatic.<AndroidJavaObject>("currentActivity"); // Retrieve ApplicationInfo and nativeLibraryDir (N.B. API-9 or newer only!) var info = activity.Call.<AndroidJavaObject>("getApplicationInfo"); var nativeLibraryDir = info.Get.<String>("nativeLibraryDir"); var unityPath = Path.Combine(nativeLibraryDir, "libunity.so"); var file = new FileStream(unityPath, FileMode.Open, FileAccess.Read); var sha1 = new SHA1CryptoServiceProvider(); var hash = sha1.ComputeHash(file); file.Close(); // Print SHA1 sum var sb = new System.Text.StringBuilder(); for (var i = 0; i < hash.Length; i++)     sb.Append(hash[i].ToString("x2")); Debug.Log("sha1sum(libunity.so) = " + sb.ToString());
4 Apr 2013 Page Code Obfuscation 23
4 Apr 2013 Page Code Obfuscation • Java Obfuscation • Proguard • C# Obfuscation • Obfuscar • Hides method/variable names • but still very much readable code • False sense of security 24
4 Apr 2013 Page Java Obfuscation (before) 25 private void playVideo() {     doCleanUp();     try     {         mMediaPlayer = new MediaPlayer();         if (mIsURL)         {             mMediaPlayer.setDataSource(mContext, Uri.parse(mFileName));         }         else if (mVideoLength != 0)         {             FileInputStream file = new FileInputStream(mFileName);             mMediaPlayer.setDataSource(file.getFD(), mVideoOffset, mVideoLength);             file.close();         }         else         { (...)
4 Apr 2013 Page Java Obfuscation (after) 26 private void a() {     b();     try     {         this.r = new MediaPlayer();         if (this.h)         {             this.r.setDataSource(this.b, Uri.parse(this.e));         }         else         {             if (this.j != 0L)             {                 Object localObject = new FileInputStream(this.e);                 this.r.setDataSource(((FileInputStream)localObject).getFD(), this.i, this.j);                 ((FileInputStream)localObject).close();             }             else             { (...)
4 Apr 2013 Page Encryption 27
4 Apr 2013 Page Encryption of PlayerPrefs • Why? • Prevent simple cheating • Prevent cracking IAB purchases (if you cache anything locally) • In general good practice for sensitive data (like game progression) • How? • Encrypt key/values before inserting them in the PlayerPrefs • Use a user-specific encryption, so prefs cannot be copied, but still shared in a cloud 28
4 Apr 2013 Page SetString(key, value, secret) 29 // Hide 'key' string string key_string = MD5(key); // Convert 'value' into a byte array byte[] bytes = UTF8Encoding.UTF8.GetBytes(value); // Encrypt 'value' with 3DES('secret') TripleDES des = new TripleDESCryptoServiceProvider(); des.Key = secret; des.Mode = CipherMode.ECB; ICryptoTransform xform = des.CreateEncryptor(); byte[] encrypted = xform.TransformFinalBlock(bytes, 0, bytes.Length); // Convert encrypted array into a "readable" string string encrypted_string = Convert.ToBase64String(encrypted, 0, encrypted.Length); // Set the { key, encrypted value } pair in regular PlayerPrefs PlayerPrefs.SetString(key_string, encrypted_string);
4 Apr 2013 Page value GetString(key, secret) 30 // Hide 'key' string string key_string = MD5(key); // Retrieve encrypted 'value' and Base64 decode it string value = PlayerPrefs.GetString(key_string); byte[] bytes = Convert.FromBase64String(value); // Decrypt 'value' with 3DES('secret') TripleDES des = new TripleDESCryptoServiceProvider(); des.Key = secret; des.Mode = CipherMode.ECB; ICryptoTransform xform = des.CreateDecryptor(); byte[] decrypted = xform.TransformFinalBlock(bytes, 0, bytes.Length); // Return decrypted value as a proper string return UTF8Encoding.UTF8.GetString(decrypted);
4 Apr 2013 Page Encrypted SetString() / GetString() 31 // Generate a secret based on 'username' string username = "Turrican II"; MD5 md5 = new MD5CryptoServiceProvider(); byte[] secret = md5.ComputeHash(UTF8Encoding.UTF8.GetBytes(username)); // Game progress { key, value } pair string key = "unlocked levels"; string value = "the desert rocks,traps,secret dungeons,the wall,the final challenge,the final fight"; // Insert { key, value } pair SetString(key, value, secret); // Retrieve { key, value } string ret = GetString(key, secret); // Output to the logcat Debug.Log("secret = " + username); Debug.Log(key + " = " + ret);
4 Apr 2013 Page Encryption of Scripts • Why? • Scripts are generally insecure • Gameplay could be altered • Security checks could be disabled • Code needs to be “hidden” for some reason (i.e. IAB logic) 32
4 Apr 2013 Page Encryption of Scripts • How? • Compile scripts outside Unity • Run a symmetric / asymmetric encryption on the Script.dll • Choose a delivery mechanism • Embed in the application, or • Download it from a trusted server • Decrypt the Script.dll in memory • Load it through Assembly.Load(byte[]) 33
4 Apr 2013 Page Compile scripts outside Unity • Download Mono (www.mono-project.com) • Compile the script (Plugin.cs) with ‘gmcs’ • Reference the UnityEngine.dll assembly to access to Unity 34 $ gmcs -target:library -out:Script.dll -r:AndroidPlayer/Managed/UnityEngine.dll Plugin.cs
4 Apr 2013 Page Encrypt the assembly • Using OpenSSL • Converted to ‘text’ using Base64 encoding • Result can be embedded in Unity as a TextAsset 35 $ openssl rc2 -nosalt -p -in Script.dll -out Encrypted.bin key=... iv =... $ base64 Encrypted.bin > ~/UnityProject/Assets/Encrypted.txt
4 Apr 2013 Page Plugin.cs 36 using UnityEngine; public class SomeImportantGameClass {     static SomeImportantGameClass()     {         const int GET_SIGNATURES = 64;         AndroidJavaObject activity = new AndroidJavaClass("com.unity3d.player.UnityPlayer") .GetStatic<AndroidJavaObject>("currentActivity");         AndroidJavaObject manager = activity.Call<AndroidJavaObject>("getPackageManager");         string packageName = activity.Call<string>("getPackageName");         AndroidJavaObject packageInfo =                 manager.Call<AndroidJavaObject>("getPackageInfo", packageName, GET_SIGNATURES);         AndroidJavaObject[] signatures = packageInfo.Get<AndroidJavaObject[]>("signatures");         foreach (AndroidJavaObject signature in signatures)         {             Debug.Log("signature hash = " + signature.Call<int>("hashCode").ToString("X"));         }     } (...) }
4 Apr 2013 Page Decrypt and run assembly 37 public TextAsset assembly; void Start () {     // Load encrypted data and decryption keys     byte[] bytes = Convert.FromBase64String(assembly.text);     byte[] key = new byte[] { <key from encryption step> };     byte[] iv = new byte[] { <iv from encryption step> };     // Decrypt assembly     RC2 rc2 = new RC2CryptoServiceProvider();     rc2.Mode = CipherMode.CBC;     ICryptoTransform xform = rc2.CreateDecryptor(key, iv);     byte[] decrypted = xform.TransformFinalBlock(bytes, 0, bytes.Length);     // Load assembly and instantiate 'SomeImportantGameClass' to trigger static constructor     Assembly asm = Assembly.Load(decrypted);     Type SomeClass = asm.GetType("SomeImportantGameClass");     SomeClass.GetConstructor(Type.EmptyTypes).Invoke(null); }
4 Apr 2013 Page Encryption of Assets • Why? • Some assets might need to be protected from tampering. • “Assets” doesn’t necessarily mean just “textures”; could be • Game logic • Dalvik bytecode • Script code • Native code • .. “anything” 38
4 Apr 2013 Page Encryption of Assets • How? • Create an AssetBundle from the “secret” assets. • Run a symmetric / asymmetric encryption on the AssetBundle.unity3d • Choose a delivery mechanism • Embed in the application, or • Download it from a trusted server • Decrypt the AssetBundle.unity3d in memory • Load it through AssetBundle.CreateFromMemory(Byte[]) 39
4 Apr 2013 Page Conclusion • Be imaginative • APK integrity checks are so simple everyone should have them. • Sensitive code must be protected • Combine the different approaches, and create new ones • Finally: Don’t spend too much time on this • Instead update the logic for each new release. 40
4 Apr 2013 Page Questions? 41
4 Apr 2013 Page Thanks! 42 Twitter: @_eriq_

Recommended

장용석, fmod를이용한사운드프로그래밍, NDC2010
장용석, fmod를이용한사운드프로그래밍, NDC2010장용석, fmod를이용한사운드프로그래밍, NDC2010
장용석, fmod를이용한사운드프로그래밍, NDC2010devCAT Studio, NEXON
 
자동화된 소스 분석, 처리, 검증을 통한 소스의 불필요한 #if - #endif 제거하기 NDC2012
자동화된 소스 분석, 처리, 검증을 통한 소스의 불필요한 #if - #endif 제거하기 NDC2012자동화된 소스 분석, 처리, 검증을 통한 소스의 불필요한 #if - #endif 제거하기 NDC2012
자동화된 소스 분석, 처리, 검증을 통한 소스의 불필요한 #if - #endif 제거하기 NDC2012Esun Kim
 
배틀쉘터 기획서 [완성본].pptx
배틀쉘터 기획서 [완성본].pptx배틀쉘터 기획서 [완성본].pptx
배틀쉘터 기획서 [완성본].pptxHeulyeon357
 
프로그래머가 되고 싶으세요
프로그래머가 되고 싶으세요프로그래머가 되고 싶으세요
프로그래머가 되고 싶으세요Chris Ohk
 
[RLKorea] <하스스톤> 강화학습 환경 개발기
[RLKorea] <하스스톤> 강화학습 환경 개발기[RLKorea] <하스스톤> 강화학습 환경 개발기
[RLKorea] <하스스톤> 강화학습 환경 개발기Chris Ohk
 
게임 기획 튜토리얼 (2015 개정판)
게임 기획 튜토리얼 (2015 개정판)게임 기획 튜토리얼 (2015 개정판)
게임 기획 튜토리얼 (2015 개정판)Lee Sangkyoon (Kay)
 
Game qa
Game qaGame qa
Game qa원철 정
 
[0122 구경원]게임에서의 충돌처리
[0122 구경원]게임에서의 충돌처리[0122 구경원]게임에서의 충돌처리
[0122 구경원]게임에서의 충돌처리KyeongWon Koo
 

Recommended

장용석, fmod를이용한사운드프로그래밍, NDC2010
장용석, fmod를이용한사운드프로그래밍, NDC2010장용석, fmod를이용한사운드프로그래밍, NDC2010
장용석, fmod를이용한사운드프로그래밍, NDC2010devCAT Studio, NEXON
 
자동화된 소스 분석, 처리, 검증을 통한 소스의 불필요한 #if - #endif 제거하기 NDC2012
자동화된 소스 분석, 처리, 검증을 통한 소스의 불필요한 #if - #endif 제거하기 NDC2012자동화된 소스 분석, 처리, 검증을 통한 소스의 불필요한 #if - #endif 제거하기 NDC2012
자동화된 소스 분석, 처리, 검증을 통한 소스의 불필요한 #if - #endif 제거하기 NDC2012Esun Kim
 
배틀쉘터 기획서 [완성본].pptx
배틀쉘터 기획서 [완성본].pptx배틀쉘터 기획서 [완성본].pptx
배틀쉘터 기획서 [완성본].pptxHeulyeon357
 
프로그래머가 되고 싶으세요
프로그래머가 되고 싶으세요프로그래머가 되고 싶으세요
프로그래머가 되고 싶으세요Chris Ohk
 
[RLKorea] <하스스톤> 강화학습 환경 개발기
[RLKorea] <하스스톤> 강화학습 환경 개발기[RLKorea] <하스스톤> 강화학습 환경 개발기
[RLKorea] <하스스톤> 강화학습 환경 개발기Chris Ohk
 
게임 기획 튜토리얼 (2015 개정판)
게임 기획 튜토리얼 (2015 개정판)게임 기획 튜토리얼 (2015 개정판)
게임 기획 튜토리얼 (2015 개정판)Lee Sangkyoon (Kay)
 
Game qa
Game qaGame qa
Game qa원철 정
 
[0122 구경원]게임에서의 충돌처리
[0122 구경원]게임에서의 충돌처리[0122 구경원]게임에서의 충돌처리
[0122 구경원]게임에서의 충돌처리KyeongWon Koo
 
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기Chris Ohk
 
도트클리커 게임만들기
도트클리커 게임만들기도트클리커 게임만들기
도트클리커 게임만들기Yunjeong Kim
 
게임제작개론: #1 게임 구성 요소의 이해
게임제작개론: #1 게임 구성 요소의 이해게임제작개론: #1 게임 구성 요소의 이해
게임제작개론: #1 게임 구성 요소의 이해Seungmo Koo
 
[132] rust
[132] rust[132] rust
[132] rustNAVER D2
 
어서와 게임기획은 처음이지?
어서와 게임기획은 처음이지?어서와 게임기획은 처음이지?
어서와 게임기획은 처음이지?Lee Sangkyoon (Kay)
 
청강대 특강 - 프로젝트 제대로 해보기
청강대 특강 - 프로젝트 제대로 해보기청강대 특강 - 프로젝트 제대로 해보기
청강대 특강 - 프로젝트 제대로 해보기Chris Ohk
 
C# string concatenations in unity (Updated 2014/7/11)
C# string concatenations in unity (Updated 2014/7/11)C# string concatenations in unity (Updated 2014/7/11)
C# string concatenations in unity (Updated 2014/7/11)Sindharta Tanuwijaya
 
기획자의 포트폴리오는 어떻게 써야 할까
기획자의 포트폴리오는 어떻게 써야 할까기획자의 포트폴리오는 어떻게 써야 할까
기획자의 포트폴리오는 어떻게 써야 할까Han Je Sung
 
Course Presentation: Games design
Course Presentation: Games designCourse Presentation: Games design
Course Presentation: Games designBrunel University
 
서버와 클라이언트 같은 엔진 사용하기
서버와 클라이언트 같은 엔진 사용하기서버와 클라이언트 같은 엔진 사용하기
서버와 클라이언트 같은 엔진 사용하기YEONG-CHEON YOU
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++corehard_by
 
Game Design as Career
Game Design as CareerGame Design as Career
Game Design as CareerArtfulArtsyAmy
 
이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019
이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019
이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019devCAT Studio, NEXON
 
Python 게임서버 안녕하십니까 : RPC framework 편
Python 게임서버 안녕하십니까 : RPC framework 편Python 게임서버 안녕하십니까 : RPC framework 편
Python 게임서버 안녕하십니까 : RPC framework 편준철 박
 
1인개발자가되기전알아야할것들
1인개발자가되기전알아야할것들1인개발자가되기전알아야할것들
1인개발자가되기전알아야할것들Jinsub Jung
 
[데브루키] 이벤트 드리븐 아키텍쳐
[데브루키] 이벤트 드리븐 아키텍쳐[데브루키] 이벤트 드리븐 아키텍쳐
[데브루키] 이벤트 드리븐 아키텍쳐MinGeun Park
 
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들Chris Ohk
 
개발단계 Fun qa
개발단계 Fun qa개발단계 Fun qa
개발단계 Fun qa원철 정
 
임태현, MMO 서버 개발 포스트 모템, NDC2012
임태현, MMO 서버 개발 포스트 모템, NDC2012임태현, MMO 서버 개발 포스트 모템, NDC2012
임태현, MMO 서버 개발 포스트 모템, NDC2012devCAT Studio, NEXON
 
TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)
TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)
TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)valhashi
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersJavan Rasokat
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 

More Related Content

What's hot

선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기Chris Ohk
 
도트클리커 게임만들기
도트클리커 게임만들기도트클리커 게임만들기
도트클리커 게임만들기Yunjeong Kim
 
게임제작개론: #1 게임 구성 요소의 이해
게임제작개론: #1 게임 구성 요소의 이해게임제작개론: #1 게임 구성 요소의 이해
게임제작개론: #1 게임 구성 요소의 이해Seungmo Koo
 
[132] rust
[132] rust[132] rust
[132] rustNAVER D2
 
어서와 게임기획은 처음이지?
어서와 게임기획은 처음이지?어서와 게임기획은 처음이지?
어서와 게임기획은 처음이지?Lee Sangkyoon (Kay)
 
청강대 특강 - 프로젝트 제대로 해보기
청강대 특강 - 프로젝트 제대로 해보기청강대 특강 - 프로젝트 제대로 해보기
청강대 특강 - 프로젝트 제대로 해보기Chris Ohk
 
C# string concatenations in unity (Updated 2014/7/11)
C# string concatenations in unity (Updated 2014/7/11)C# string concatenations in unity (Updated 2014/7/11)
C# string concatenations in unity (Updated 2014/7/11)Sindharta Tanuwijaya
 
기획자의 포트폴리오는 어떻게 써야 할까
기획자의 포트폴리오는 어떻게 써야 할까기획자의 포트폴리오는 어떻게 써야 할까
기획자의 포트폴리오는 어떻게 써야 할까Han Je Sung
 
Course Presentation: Games design
Course Presentation: Games designCourse Presentation: Games design
Course Presentation: Games designBrunel University
 
서버와 클라이언트 같은 엔진 사용하기
서버와 클라이언트 같은 엔진 사용하기서버와 클라이언트 같은 엔진 사용하기
서버와 클라이언트 같은 엔진 사용하기YEONG-CHEON YOU
 
이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019
이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019
이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019devCAT Studio, NEXON
 
Python 게임서버 안녕하십니까 : RPC framework 편
Python 게임서버 안녕하십니까 : RPC framework 편Python 게임서버 안녕하십니까 : RPC framework 편
Python 게임서버 안녕하십니까 : RPC framework 편준철 박
 
1인개발자가되기전알아야할것들
1인개발자가되기전알아야할것들1인개발자가되기전알아야할것들
1인개발자가되기전알아야할것들Jinsub Jung
 
[데브루키] 이벤트 드리븐 아키텍쳐
[데브루키] 이벤트 드리븐 아키텍쳐[데브루키] 이벤트 드리븐 아키텍쳐
[데브루키] 이벤트 드리븐 아키텍쳐MinGeun Park
 
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들Chris Ohk
 
개발단계 Fun qa
개발단계 Fun qa개발단계 Fun qa
개발단계 Fun qa원철 정
 
임태현, MMO 서버 개발 포스트 모템, NDC2012
임태현, MMO 서버 개발 포스트 모템, NDC2012임태현, MMO 서버 개발 포스트 모템, NDC2012
임태현, MMO 서버 개발 포스트 모템, NDC2012devCAT Studio, NEXON
 
TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)
TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)
TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)valhashi
 

What's hot (20)

선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
선린인터넷고등학교 2021 알고리즘 컨퍼런스 - Rust로 알고리즘 문제 풀어보기
 
도트클리커 게임만들기
도트클리커 게임만들기도트클리커 게임만들기
도트클리커 게임만들기
 
게임제작개론: #1 게임 구성 요소의 이해
게임제작개론: #1 게임 구성 요소의 이해게임제작개론: #1 게임 구성 요소의 이해
게임제작개론: #1 게임 구성 요소의 이해
 
[132] rust
[132] rust[132] rust
[132] rust
 
어서와 게임기획은 처음이지?
어서와 게임기획은 처음이지?어서와 게임기획은 처음이지?
어서와 게임기획은 처음이지?
 
청강대 특강 - 프로젝트 제대로 해보기
청강대 특강 - 프로젝트 제대로 해보기청강대 특강 - 프로젝트 제대로 해보기
청강대 특강 - 프로젝트 제대로 해보기
 
C# string concatenations in unity (Updated 2014/7/11)
C# string concatenations in unity (Updated 2014/7/11)C# string concatenations in unity (Updated 2014/7/11)
C# string concatenations in unity (Updated 2014/7/11)
 
기획자의 포트폴리오는 어떻게 써야 할까
기획자의 포트폴리오는 어떻게 써야 할까기획자의 포트폴리오는 어떻게 써야 할까
기획자의 포트폴리오는 어떻게 써야 할까
 
Course Presentation: Games design
Course Presentation: Games designCourse Presentation: Games design
Course Presentation: Games design
 
서버와 클라이언트 같은 엔진 사용하기
서버와 클라이언트 같은 엔진 사용하기서버와 클라이언트 같은 엔진 사용하기
서버와 클라이언트 같은 엔진 사용하기
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++
 
Game Design as Career
Game Design as CareerGame Design as Career
Game Design as Career
 
이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019
이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019
이무림, Enum의 Boxing을 어찌할꼬? 편리하고 성능좋게 Enum 사용하기, NDC2019
 
Python 게임서버 안녕하십니까 : RPC framework 편
Python 게임서버 안녕하십니까 : RPC framework 편Python 게임서버 안녕하십니까 : RPC framework 편
Python 게임서버 안녕하십니까 : RPC framework 편
 
1인개발자가되기전알아야할것들
1인개발자가되기전알아야할것들1인개발자가되기전알아야할것들
1인개발자가되기전알아야할것들
 
[데브루키] 이벤트 드리븐 아키텍쳐
[데브루키] 이벤트 드리븐 아키텍쳐[데브루키] 이벤트 드리븐 아키텍쳐
[데브루키] 이벤트 드리븐 아키텍쳐
 
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
고려대학교 컴퓨터학과 특강 - 대학생 때 알았더라면 좋았을 것들
 
개발단계 Fun qa
개발단계 Fun qa개발단계 Fun qa
개발단계 Fun qa
 
임태현, MMO 서버 개발 포스트 모템, NDC2012
임태현, MMO 서버 개발 포스트 모템, NDC2012임태현, MMO 서버 개발 포스트 모템, NDC2012
임태현, MMO 서버 개발 포스트 모템, NDC2012
 
TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)
TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)
TA가 뭐예요? (What is a Technical Artist? 블루홀스튜디오)
 

Similar to [UniteKorea2013] Protecting your Android content

OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersJavan Rasokat
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 
Android application analyzer
Android application analyzerAndroid application analyzer
Android application analyzerSanjay Gondaliya
 
Android Scripting
Android ScriptingAndroid Scripting
Android ScriptingJuan Gomez
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
 
Android lessons you won't learn in school
Android lessons you won't learn in schoolAndroid lessons you won't learn in school
Android lessons you won't learn in schoolMichael Galpin
 
Mitigating data theft_in_android
Mitigating data theft_in_androidMitigating data theft_in_android
Mitigating data theft_in_androidRashmi Bhandari
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysisIbrahim Baliç
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...tdc-globalcode
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
 
Overview of DroidCon UK 2015
Overview of DroidCon UK 2015 Overview of DroidCon UK 2015
Overview of DroidCon UK 2015 Elif Boncuk
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)ClubHack
 
Building Grails Plugins - Tips And Tricks
Building Grails Plugins - Tips And TricksBuilding Grails Plugins - Tips And Tricks
Building Grails Plugins - Tips And TricksMike Hugo
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNull mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNitesh Malviya
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 

Similar to [UniteKorea2013] Protecting your Android content (20)

OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 
Android application analyzer
Android application analyzerAndroid application analyzer
Android application analyzer
 
Fastlane
FastlaneFastlane
Fastlane
 
Android Scripting
Android ScriptingAndroid Scripting
Android Scripting
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
Android lessons you won't learn in school
Android lessons you won't learn in schoolAndroid lessons you won't learn in school
Android lessons you won't learn in school
 
Mitigating data theft_in_android
Mitigating data theft_in_androidMitigating data theft_in_android
Mitigating data theft_in_android
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysis
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
Overview of DroidCon UK 2015
Overview of DroidCon UK 2015 Overview of DroidCon UK 2015
Overview of DroidCon UK 2015
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
 
Building Grails Plugins - Tips And Tricks
Building Grails Plugins - Tips And TricksBuilding Grails Plugins - Tips And Tricks
Building Grails Plugins - Tips And Tricks
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNull mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-Exploitation
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 

More from William Hugo Yang

[UniteKorea2013] Serialization in Depth
[UniteKorea2013] Serialization in Depth[UniteKorea2013] Serialization in Depth
[UniteKorea2013] Serialization in DepthWilliam Hugo Yang
 
[UniteKorea2013] Memory profiling in Unity
[UniteKorea2013] Memory profiling in Unity[UniteKorea2013] Memory profiling in Unity
[UniteKorea2013] Memory profiling in UnityWilliam Hugo Yang
 
[UniteKorea2013] Unity Hacks
[UniteKorea2013] Unity Hacks[UniteKorea2013] Unity Hacks
[UniteKorea2013] Unity HacksWilliam Hugo Yang
 
[UniteKorea2013] Butterfly Effect DX11
[UniteKorea2013] Butterfly Effect DX11[UniteKorea2013] Butterfly Effect DX11
[UniteKorea2013] Butterfly Effect DX11William Hugo Yang
 
[UniteKorea2013] The Unity Rendering Pipeline
[UniteKorea2013] The Unity Rendering Pipeline[UniteKorea2013] The Unity Rendering Pipeline
[UniteKorea2013] The Unity Rendering PipelineWilliam Hugo Yang
 
[UniteKorea2013] Art tips and tricks
[UniteKorea2013] Art tips and tricks[UniteKorea2013] Art tips and tricks
[UniteKorea2013] Art tips and tricksWilliam Hugo Yang
 
[UniteKorea2013] 2D content workflows
[UniteKorea2013] 2D content workflows[UniteKorea2013] 2D content workflows
[UniteKorea2013] 2D content workflowsWilliam Hugo Yang
 

More from William Hugo Yang (7)

[UniteKorea2013] Serialization in Depth
[UniteKorea2013] Serialization in Depth[UniteKorea2013] Serialization in Depth
[UniteKorea2013] Serialization in Depth
 
[UniteKorea2013] Memory profiling in Unity
[UniteKorea2013] Memory profiling in Unity[UniteKorea2013] Memory profiling in Unity
[UniteKorea2013] Memory profiling in Unity
 
[UniteKorea2013] Unity Hacks
[UniteKorea2013] Unity Hacks[UniteKorea2013] Unity Hacks
[UniteKorea2013] Unity Hacks
 
[UniteKorea2013] Butterfly Effect DX11
[UniteKorea2013] Butterfly Effect DX11[UniteKorea2013] Butterfly Effect DX11
[UniteKorea2013] Butterfly Effect DX11
 
[UniteKorea2013] The Unity Rendering Pipeline
[UniteKorea2013] The Unity Rendering Pipeline[UniteKorea2013] The Unity Rendering Pipeline
[UniteKorea2013] The Unity Rendering Pipeline
 
[UniteKorea2013] Art tips and tricks
[UniteKorea2013] Art tips and tricks[UniteKorea2013] Art tips and tricks
[UniteKorea2013] Art tips and tricks
 
[UniteKorea2013] 2D content workflows
[UniteKorea2013] 2D content workflows[UniteKorea2013] 2D content workflows
[UniteKorea2013] 2D content workflows
 

Recently uploaded

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024Stephen Perrenod
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Skynet Technologies
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligenceRevolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligencePrecisely
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Paige Cruz
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxMasterG
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 

Recently uploaded (20)

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligenceRevolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 

[UniteKorea2013] Protecting your Android content

  • 1. Protecting your Android content Erik Hemming Unity Technologies Mobile Mechanic & Lead Android Developer
  • 2. 4 Apr 2013 Page About me • Developer at Unity / Sweden • 3 years of Unity for Android • Used to make games • Battlefield series • Focus on mobiles and consoles • Android / PSM / VITA & PS4 2
  • 3. 4 Apr 2013 Page Agenda • Unity on Android - what does it mean? • Authentication with Google Play Licensing • Application tampering detection • Code Obfuscation • Encryption of • PlayerPrefs • Scripts • Assets • Conclusion / Q&A 3
  • 4. 4 Apr 2013 Page Unity on Android 4
  • 5. 4 Apr 2013 Page Unity on Android (overview) 5 Linux Kernel Android / Dalvik VM Unity on Android Mono VM User script / “Game” OS App
  • 6. 4 Apr 2013 Page Unity on Android (detail) 6 C# / Scripts Dalvik (Java)
  • 7. 4 Apr 2013 Page Unity on Android (detail) 7 AndroidJavaObject java.lang.Object
  • 8. 4 Apr 2013 Page AndroidJavaObject et al • Script objects wrap Java objects • AndroidJavaObject → java.lang.Object • AndroidJavaClass → java.lang.Class • AndroidJavaRunnable → java.lang.Runnable • AndroidJavaProxy → java.lang.reflect.Proxy (in Unity 4.2) • Automatically maps / instantiates Classes by name • Methods / Fields are handled through reflection lookups 8
  • 9. 4 Apr 2013 Page 9 java.lang.String str = new java.lang.String("some string"); int hash = str.hashCode(); AndroidJavaObject jo =         new AndroidJavaObject("java.lang.String", "some string"); int hash = jo.Call<int>("hashCode"); Java C# AndroidJavaObject (example)
  • 10. 4 Apr 2013 Page Authentication with Google Play Licensing 10
  • 11. 4 Apr 2013 Page Authentication with Google Play Licensing • Provided by Google • Only available for applications published on Play Store • Online verification of purchase records • If the device is offline the verification will “fail” • Example code (LVL) provided by Google • Don’t use as-is - very easy to find and hack 11
  • 12. 4 Apr 2013 Page Verification Flow • Application → {random number} → Google • Google → {message, signature} → Application • message = purchase status + random number + timestamp + (..) • signature = RSA(message, private key) • Verify that RSA(signature, public key) is a match for ‘message’ 12
  • 13. 4 Apr 2013 Page How to handle the offline case • “Online check” == “Internet access” • Don’t require constant internet access • that would ruin the game experience while flying / roaming / etc. • Instead do the checks only if network is available • allow the app be used a week (or so) without being verified • trust the app/user during that time. • If your app has game elements that require internet connection, make sure you also do a license check at that point. 13
  • 14. 4 Apr 2013 Page Server Side Verification • Application → {some number / data request} → Google • Google → {message, signature} → Application • Application → {message, signature} → Server • Server → {application data} → Application • Server only fulfill Client requests that have correct ‘signature’ 14
  • 15. 4 Apr 2013 Page Unity Plugin : Google Play License Verification • Written in C# • Except for the small Service Binder (Java) - loaded dynamically • Easy to embed / hide anywhere in your project • Available on the Unity Asset Store • Ready to be included into an existing project • Original project hosted on GitHub • Feel free to fork and improve 15
  • 16. 4 Apr 2013 Page Application tampering detection 16
  • 17. 4 Apr 2013 Page Application tampering detection • Why? • A hacker would have to remove and/or alter licensing checks • and thus change the code in your application • Also possible to change code to gain in-game advantages • Like changing the physics so that a car drives faster • In general a very easy way to determine if you’ve been hacked 17
  • 18. 4 Apr 2013 Page Application tampering detection • Make sure the application is signed with your key • Make sure the Java code (classes.dex) isn’t altered • Make sure the Mono class library (mscorlib.dll) isn’t altered • if the License check is done in C# we will rely on it • Make sure your script code (Assembly-CSharp.dll) isn’t altered • Needs to be done from Assembly-UnityScript.dll, or v.v. • Make sure your native code (libunity.so / libmono.so / etc) isn’t altered 18
  • 19. 4 Apr 2013 Page Check the APK signature (Java) 19 // Retrieve the PackageManager and packageName (i.e. 'com.Company.Product') Activity activity = com.unity3d.player.UnityPlayer.currentActivity; PackageManager manager = activity.getPackageManager(); String name = activity.getPackageName(); // Fetch APK signature(s) PackageInfo packageInfo = manager.getPackageInfo(name, PackageManager.GET_SIGNATURES); Signature[] signatures = packageInfo.signatures; // Process signatures (i.e. check their validity) for (Signature signature : signatures) {     Log.i("signature", signature.toCharsString());     Log.i("signature hash", Integer.toHexString(signature.hashCode())); }
  • 20. 4 Apr 2013 Page Check the APK signature (UnityScript) 20 // Retrieve the PackageManager and packageName (i.e. 'com.Company.Product') var unity = new AndroidJavaClass("com.unity3d.player.UnityPlayer"); var activity = unity.GetStatic.<AndroidJavaObject>("currentActivity"); var manager = activity.Call.<AndroidJavaObject>("getPackageManager"); var name = activity.Call.<String>("getPackageName"); // Fetch APK signature(s) var GET_SIGNATURES = 64;    // PackageManager.GET_SIGNATURES var packageInfo = manager.Call.<AndroidJavaObject>("getPackageInfo", name, GET_SIGNATURES); var signatures = packageInfo.Get.<AndroidJavaObject[]>("signatures"); // Process signatures (i.e. check their validity) for (var i = 0; i < signatures.length; ++i) {     Debug.Log("signature = " + signatures[i].Call.<String>("toCharsString"));     Debug.Log("signature hash = " + signatures[i].Call.<int>("hashCode").ToString("X")); }
  • 21. 4 Apr 2013 Page Detect changes to ‘classes.dex’ (C#) 21 // Unity's WWW class supports reading 'jar:{archive-url}!/{entry}' on Android string urlScheme = "jar:file://"; string apkPath = Application.dataPath; string separator = "!/"; string entry = "classes.dex"; string url = urlScheme + apkPath + separator + entry; // Read classes.dex inside package.apk WWW www = new WWW(url); yield return www; // Calculate the MD5 sum of classes.dex contents MD5 md5 = new MD5CryptoServiceProvider(); byte[] hash = md5.ComputeHash(www.bytes); // Print MD5 sum System.Text.StringBuilder sb = new System.Text.StringBuilder(); for (int i = 0; i < hash.Length; i++)     sb.Append(hash[i].ToString("x2")); Debug.Log("md5sum(classes.dex) = " + sb.ToString());
  • 22. 4 Apr 2013 Page Native libs check (UnityScript) 22 // Retrieve main Activity var unity = new AndroidJavaClass("com.unity3d.player.UnityPlayer"); var activity = unity.GetStatic.<AndroidJavaObject>("currentActivity"); // Retrieve ApplicationInfo and nativeLibraryDir (N.B. API-9 or newer only!) var info = activity.Call.<AndroidJavaObject>("getApplicationInfo"); var nativeLibraryDir = info.Get.<String>("nativeLibraryDir"); var unityPath = Path.Combine(nativeLibraryDir, "libunity.so"); var file = new FileStream(unityPath, FileMode.Open, FileAccess.Read); var sha1 = new SHA1CryptoServiceProvider(); var hash = sha1.ComputeHash(file); file.Close(); // Print SHA1 sum var sb = new System.Text.StringBuilder(); for (var i = 0; i < hash.Length; i++)     sb.Append(hash[i].ToString("x2")); Debug.Log("sha1sum(libunity.so) = " + sb.ToString());
  • 23. 4 Apr 2013 Page Code Obfuscation 23
  • 24. 4 Apr 2013 Page Code Obfuscation • Java Obfuscation • Proguard • C# Obfuscation • Obfuscar • Hides method/variable names • but still very much readable code • False sense of security 24
  • 25. 4 Apr 2013 Page Java Obfuscation (before) 25 private void playVideo() {     doCleanUp();     try     {         mMediaPlayer = new MediaPlayer();         if (mIsURL)         {             mMediaPlayer.setDataSource(mContext, Uri.parse(mFileName));         }         else if (mVideoLength != 0)         {             FileInputStream file = new FileInputStream(mFileName);             mMediaPlayer.setDataSource(file.getFD(), mVideoOffset, mVideoLength);             file.close();         }         else         { (...)
  • 26. 4 Apr 2013 Page Java Obfuscation (after) 26 private void a() {     b();     try     {         this.r = new MediaPlayer();         if (this.h)         {             this.r.setDataSource(this.b, Uri.parse(this.e));         }         else         {             if (this.j != 0L)             {                 Object localObject = new FileInputStream(this.e);                 this.r.setDataSource(((FileInputStream)localObject).getFD(), this.i, this.j);                 ((FileInputStream)localObject).close();             }             else             { (...)
  • 27. 4 Apr 2013 Page Encryption 27
  • 28. 4 Apr 2013 Page Encryption of PlayerPrefs • Why? • Prevent simple cheating • Prevent cracking IAB purchases (if you cache anything locally) • In general good practice for sensitive data (like game progression) • How? • Encrypt key/values before inserting them in the PlayerPrefs • Use a user-specific encryption, so prefs cannot be copied, but still shared in a cloud 28
  • 29. 4 Apr 2013 Page SetString(key, value, secret) 29 // Hide 'key' string string key_string = MD5(key); // Convert 'value' into a byte array byte[] bytes = UTF8Encoding.UTF8.GetBytes(value); // Encrypt 'value' with 3DES('secret') TripleDES des = new TripleDESCryptoServiceProvider(); des.Key = secret; des.Mode = CipherMode.ECB; ICryptoTransform xform = des.CreateEncryptor(); byte[] encrypted = xform.TransformFinalBlock(bytes, 0, bytes.Length); // Convert encrypted array into a "readable" string string encrypted_string = Convert.ToBase64String(encrypted, 0, encrypted.Length); // Set the { key, encrypted value } pair in regular PlayerPrefs PlayerPrefs.SetString(key_string, encrypted_string);
  • 30. 4 Apr 2013 Page value GetString(key, secret) 30 // Hide 'key' string string key_string = MD5(key); // Retrieve encrypted 'value' and Base64 decode it string value = PlayerPrefs.GetString(key_string); byte[] bytes = Convert.FromBase64String(value); // Decrypt 'value' with 3DES('secret') TripleDES des = new TripleDESCryptoServiceProvider(); des.Key = secret; des.Mode = CipherMode.ECB; ICryptoTransform xform = des.CreateDecryptor(); byte[] decrypted = xform.TransformFinalBlock(bytes, 0, bytes.Length); // Return decrypted value as a proper string return UTF8Encoding.UTF8.GetString(decrypted);
  • 31. 4 Apr 2013 Page Encrypted SetString() / GetString() 31 // Generate a secret based on 'username' string username = "Turrican II"; MD5 md5 = new MD5CryptoServiceProvider(); byte[] secret = md5.ComputeHash(UTF8Encoding.UTF8.GetBytes(username)); // Game progress { key, value } pair string key = "unlocked levels"; string value = "the desert rocks,traps,secret dungeons,the wall,the final challenge,the final fight"; // Insert { key, value } pair SetString(key, value, secret); // Retrieve { key, value } string ret = GetString(key, secret); // Output to the logcat Debug.Log("secret = " + username); Debug.Log(key + " = " + ret);
  • 32. 4 Apr 2013 Page Encryption of Scripts • Why? • Scripts are generally insecure • Gameplay could be altered • Security checks could be disabled • Code needs to be “hidden” for some reason (i.e. IAB logic) 32
  • 33. 4 Apr 2013 Page Encryption of Scripts • How? • Compile scripts outside Unity • Run a symmetric / asymmetric encryption on the Script.dll • Choose a delivery mechanism • Embed in the application, or • Download it from a trusted server • Decrypt the Script.dll in memory • Load it through Assembly.Load(byte[]) 33
  • 34. 4 Apr 2013 Page Compile scripts outside Unity • Download Mono (www.mono-project.com) • Compile the script (Plugin.cs) with ‘gmcs’ • Reference the UnityEngine.dll assembly to access to Unity 34 $ gmcs -target:library -out:Script.dll -r:AndroidPlayer/Managed/UnityEngine.dll Plugin.cs
  • 35. 4 Apr 2013 Page Encrypt the assembly • Using OpenSSL • Converted to ‘text’ using Base64 encoding • Result can be embedded in Unity as a TextAsset 35 $ openssl rc2 -nosalt -p -in Script.dll -out Encrypted.bin key=... iv =... $ base64 Encrypted.bin > ~/UnityProject/Assets/Encrypted.txt
  • 36. 4 Apr 2013 Page Plugin.cs 36 using UnityEngine; public class SomeImportantGameClass {     static SomeImportantGameClass()     {         const int GET_SIGNATURES = 64;         AndroidJavaObject activity = new AndroidJavaClass("com.unity3d.player.UnityPlayer") .GetStatic<AndroidJavaObject>("currentActivity");         AndroidJavaObject manager = activity.Call<AndroidJavaObject>("getPackageManager");         string packageName = activity.Call<string>("getPackageName");         AndroidJavaObject packageInfo =                 manager.Call<AndroidJavaObject>("getPackageInfo", packageName, GET_SIGNATURES);         AndroidJavaObject[] signatures = packageInfo.Get<AndroidJavaObject[]>("signatures");         foreach (AndroidJavaObject signature in signatures)         {             Debug.Log("signature hash = " + signature.Call<int>("hashCode").ToString("X"));         }     } (...) }
  • 37. 4 Apr 2013 Page Decrypt and run assembly 37 public TextAsset assembly; void Start () {     // Load encrypted data and decryption keys     byte[] bytes = Convert.FromBase64String(assembly.text);     byte[] key = new byte[] { <key from encryption step> };     byte[] iv = new byte[] { <iv from encryption step> };     // Decrypt assembly     RC2 rc2 = new RC2CryptoServiceProvider();     rc2.Mode = CipherMode.CBC;     ICryptoTransform xform = rc2.CreateDecryptor(key, iv);     byte[] decrypted = xform.TransformFinalBlock(bytes, 0, bytes.Length);     // Load assembly and instantiate 'SomeImportantGameClass' to trigger static constructor     Assembly asm = Assembly.Load(decrypted);     Type SomeClass = asm.GetType("SomeImportantGameClass");     SomeClass.GetConstructor(Type.EmptyTypes).Invoke(null); }
  • 38. 4 Apr 2013 Page Encryption of Assets • Why? • Some assets might need to be protected from tampering. • “Assets” doesn’t necessarily mean just “textures”; could be • Game logic • Dalvik bytecode • Script code • Native code • .. “anything” 38
  • 39. 4 Apr 2013 Page Encryption of Assets • How? • Create an AssetBundle from the “secret” assets. • Run a symmetric / asymmetric encryption on the AssetBundle.unity3d • Choose a delivery mechanism • Embed in the application, or • Download it from a trusted server • Decrypt the AssetBundle.unity3d in memory • Load it through AssetBundle.CreateFromMemory(Byte[]) 39
  • 40. 4 Apr 2013 Page Conclusion • Be imaginative • APK integrity checks are so simple everyone should have them. • Sensitive code must be protected • Combine the different approaches, and create new ones • Finally: Don’t spend too much time on this • Instead update the logic for each new release. 40
  • 41. 4 Apr 2013 Page Questions? 41
  • 42. 4 Apr 2013 Page Thanks! 42 Twitter: @_eriq_