User Tag List

Results 1 to 8 of 8

Thread: Is HTML5 secure once it goes live?

  1. #1
    Clicker Fusion 2.5 DeveloperFusion 2.5+ DLCAndroid Export ModuleHTML5 Export ModuleiOS Export ModuleSWF Export ModuleXNA Export ModuleUnicode Add-on
    mobichan's Avatar
    Join Date
    Oct 2007
    Location
    Buffalo, NY
    Posts
    3,283
    Mentioned
    26 Post(s)
    Tagged
    0 Thread(s)

    Is HTML5 secure once it goes live?

    In the past, I had to site lock my swf files so people couldn't easily pirate any games I hosted on my website. Are there any glaring security issues that can occur with HTML5? I just want to know what kinds of measures I will need to take to ensure people can't just outright steal my content.

  2. #2
    Clicker Fusion 2.5 DeveloperFusion 2.5+ DLCAndroid Export ModuleHTML5 Export ModuleiOS Export ModuleUniversal Windows Platform Export ModuleSWF Export Module

    Join Date
    Dec 2008
    Location
    Italy
    Posts
    404
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    Is there an official response from Clickteam on this? I'd be also interested to know if HTML5 games can be decompiled once published or not.

  3. #3
    Clickteam Clickteam

    Join Date
    Jun 2006
    Location
    France
    Posts
    13,297
    Mentioned
    152 Post(s)
    Tagged
    2 Thread(s)
    faber I think mobichan's question is different from yours. I'm not a Html5 specialist so I can't answer his question (can you site lock html5 apps) but about your question, if you are talking about that decompiler, it's not adapted to HTML5 applications but it could be probably adapted. In the build 284 we started introducing incompatibilities between the CCN format and the MFA format though and we'll continue doing it in future builds. It's certainly still possible but less easy.

  4. #4
    Clickteam Clickteam
    Olivier's Avatar
    Join Date
    Jun 2006
    Posts
    3,000
    Mentioned
    9 Post(s)
    Tagged
    1 Thread(s)
    About sitelocking HTML5 games, the HTML5 object has expressions returning the current URL and host.

  5. #5
    Clicker Fusion 2.5 DeveloperFusion 2.5+ DLCAndroid Export ModuleHTML5 Export ModuleiOS Export ModuleUniversal Windows Platform Export ModuleSWF Export Module

    Join Date
    Dec 2008
    Location
    Italy
    Posts
    404
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    Thank you Yves, it's clear.

  6. #6
    Clicker Fusion 2.5 DeveloperFusion 2.5+ DLCAndroid Export ModuleHTML5 Export ModuleiOS Export ModuleSWF Export ModuleXNA Export ModuleUnicode Add-on
    mobichan's Avatar
    Join Date
    Oct 2007
    Location
    Buffalo, NY
    Posts
    3,283
    Mentioned
    26 Post(s)
    Tagged
    0 Thread(s)
    Thanks for the feedback. I was just curious if the files I upload are easily downloaded by anyone once on my webhost's server? Or if you can assume that anything on the webhost's server is basically locked? Withe a swf, since it is embedded in a page, you can just right click it or save the web address directly. But since the html5 app is a series of files run by a javascript file, I didn't know if it was possible to get the whole thing. I realize a hacker could probably do anything, but I am hoping it is limited to serious hackers (who probably don't care about my games). :P

  7. #7
    Clicker Fusion 2.5 MacFusion 2.5 DeveloperAndroid Export ModuleHTML5 Export ModuleiOS Export ModuleInstall Creator Pro

    Join Date
    Dec 2010
    Location
    United Kingdom
    Posts
    960
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I would think that if someone was really determined to "steal" your creation, they could download (copy) the files required for the HTML5 app using web debugging tools and by watching GET requests.

    That said, if hackers got their mucky fingers on your work, they would only be able to redistribute it (except for assets) but not modify the game/app itself. Thankfully, the Runtime.js file (the heart of the creation) is heavily obscured and unreadable (when exported as a final project) and definitely cannot be reversed into a MFA again.

    Olivier's suggestion is great for locking it so it only runs on a URL. The exporter also creates a index.html file in both js/ and resources/ that prevents a nosy bugger from listing the directory (which would make it super easy to download files one by one) -- If you want to be more difficult, change these default directories.

    To prevent direct access to the files, take a look into creating a .htaccess file for your web server. I found these articles but haven't tried them myself:

    https://www.google.co.uk/#q=.htacces...irect+download
    For Apache: http://stackoverflow.com/questions/1...ect-url-access

  8. #8
    Clicker Fusion 2.5 DeveloperAndroid Export ModuleHTML5 Export ModuleiOS Export ModuleSWF Export Module
    DracisLooby's Avatar
    Join Date
    Jun 2008
    Location
    Washington, United States
    Posts
    169
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I will chime in with some info;

    First thing, if a resource is accessible on the internet through a browser, it can be downloaded, modified, and reuploaded, by whoever can access it, with readily available tools, most of them built into nearly every desktop web browser. If a resource gets used by a client, you can be sure it can be saved, and reproduced.

    More specifically, the HTML5 Runtime is written pretty much solely using web technology that is served 100% to the client when in use, this includes the runtime code, your apps specific fusion bytecode, and all its sounds/graphics. All of this is loaded up front, or on demand by the runtime.

    Unfortunately, its pretty much 100% impossible to stop anyone from copying and using a public internet resource, but we do take heavy steps to deter the behavior, and make it very difficult to do so in the HTML5 Runtime, and I will not say its not impossible, but its a bit above non-trivial to de-obfuscate the runtime.js code and understand it after its been 'compiled', however, the real challenging task would be going through and reverse engineering an apps fusion formatted bytecode by hand, since its not laid out in a datastructure, but read byte-by-byte in the html5 runtime. For the most part, the code behind your apps is fairly difficult to get from HTML5 apps, therefore 'safer' in a sense, but the graphics / sounds / runtime code are all readily available.

    Again, all that said, you must not trust that anything that anyone can access publicly from the internet cannot, or will not, be stolen, copied, and / or redistributed, its just part of the nature of the WWW.
    Really named Ben Otter, but oh well, eh?

Similar Threads

  1. Amazon in-app, secure consumables?
    By SoftWarewolf in forum Android Export Module 2.5
    Replies: 0
    Last Post: 26th July 2014, 09:19 PM
  2. Secure in-app purchases
    By SoftWarewolf in forum Android Export Module 2.5
    Replies: 13
    Last Post: 19th May 2014, 10:32 AM
  3. I'm looking for a secure way to connect the users
    By Nekorai in forum Multimedia Fusion 2 - Technical Support
    Replies: 0
    Last Post: 25th March 2013, 10:25 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •