Welcome to the official BlackBerry Support Community Forums.

Web and WebWorks Development

Developer
Posts: 669
Registered: ‎02-19-2011
My Device: BlackBerry PlayBook 32GB
My Carrier: Sprint

Re: [Playbook] Anybody interested in a minifying batch script based on the YUI Compressor?

Hey Tim,

Yes, my primary concern is theft of source code from any of us developers. Especially given the fact that it's been pointed out that the Test House doesn't do a lot more than sanity-checking right now, it's all too easy for someone to steal our code and resubmit a slightly altered app to AppWorld. They can also take it and submit apps to other platforms, which would then make the original author look like the copycat on those. Bad stuff!

WebWorks itself of course is an entirely different issue.

I believe that a potential encryption mechanism doesn't have to be part of the OS source tree of WebWorks. It should ideally be some deeper OS-level thing that nobody but the device itself and RIM can access.

Staff UI Prototyper (read: full-time hacker)


My BB10 apps: Screamager | Scientific RPN Calculator | The Last Weather App

Retired
Posts: 3,708
Registered: ‎10-16-2008
My Device: Z10
My Carrier: Rogers

Re: [Playbook] Anybody interested in a minifying batch script based on the YUI Compressor?

There are a bunch of options around obfuscation/encryption that could be done with the full source for these techniques posted in the OSS project that are based on randomly generated shared secrets.

Are your requirements to have all text based assets "garbled"? How about image assets or other binary data?

We would want to make sure the mechanism is lightweight enough to not severely impact performance. But any "garbling" mechanism will have an impact on app performance and memory requirements.

Perhaps it would be an option on bbwp?

Depending on the type of solution put in place, it will have export licensing impacts on if the SDK can be downloaded and used in different global regions. It would need to be a delicate balance between meeting the community's requirements but also not blocking access to different areas of the world.

Tim Neil
Director, Application Platform & Tools Product Management

Developer
Posts: 669
Registered: ‎02-19-2011
My Device: BlackBerry PlayBook 32GB
My Carrier: Sprint

Re: [Playbook] Anybody interested in a minifying batch script based on the YUI Compressor?

Hi Tim,

I have some ideas about this. For one, I think no encryption should happen during packaging. The packaging can stay the way it is right now. What matters is what happens during the download from AppWorld and the lifecycle on the actual device. Therefore two things should happen:

1: The bars get encrypted but only once RIM has them. They would be encrypted on AppWorld, transferred to end-users in encrypted state.

2: The PlayBook would decrypt the bar file after downloading from AppWorld. This way there's a one-time wait after installing which isn't a big deal. Running the app will be the same as it's ever been.

3: The decrypted application files will NOT be part of any backup. The encrypted ones however can be. After a restore they can be decrypted again on the PlayBook hardware itself. Note that I honestly think the apps don't have to be part of any backup AT ALL because AppWorld knows what we've purchased, so everything can be downloaded again after the user enters their BB ID and password.

Assuming people are not going to 'root' the PlayBook, this would be pretty safe. If they do root it, I suppose all is lost because whether they live on the device encrypted or not, people would have access.

That said, QNX and RIM have strong reputations when it comes to security so I'm expecting this thing to not get rooted.

This whole setup also avoids export issues with the SDK because it will not contain any crypto code.

What do you think?

Staff UI Prototyper (read: full-time hacker)


My BB10 apps: Screamager | Scientific RPN Calculator | The Last Weather App

Retired
Posts: 3,708
Registered: ‎10-16-2008
My Device: Z10
My Carrier: Rogers

Re: [Playbook] Anybody interested in a minifying batch script based on the YUI Compressor?

Hi TheMarco,

I'll be standing beside AppWorld and QNX team members for most of the morning. I'll run your ideas past them and see what their plans are in this area.

Tim Neil
Director, Application Platform & Tools Product Management

Developer
Posts: 46
Registered: ‎02-16-2011
My Device: 8300>9000>9700>9900>Z10
My Carrier: Vodafone

Re: [Playbook] Anybody interested in a minifying batch script based on the YUI Compressor?

Sounds good Tim, please do keep us informed.

It is vital that nobody can lift our code! I'd go along with Marco's method of delivering encrypted apps from AppWorld to the device, and the device to keep a decrypted copy for local use only.
App encryption and security really should be a core part of the AppWorld system in my opinion.

Developer
Posts: 817
Registered: ‎11-19-2009
My Device: Z10, Q10, 9900, 9790, PlayBook,
My Carrier: T-Mobile UK, Three, O2, Orange, Sunrise, Swisscom

Re: [Playbook] Anybody interested in a minifying batch script based on the YUI Compressor?

Having unencrypted files on the PlayBook won't help due to the lack of filesystem encryption (major disappointment) unless the files are stored in a separate compartment that is not accessible through a file browsing app.

Even that may not be enough if that compartment can be accessed by JavaScript scripts or through an API.

The only solution would be in-memory decryption with strict access rights, but that sounds like there would be too much overhead.

--
Olivier - interfaSys ltd
Developing for BlackBerry 10 devices using the Sencha Touch framework.

Developer
Posts: 669
Registered: ‎02-19-2011
My Device: BlackBerry PlayBook 32GB
My Carrier: Sprint

Re: [Playbook] Anybody interested in a minifying batch script based on the YUI Compressor?

interfaSys, of course the unencrypted apps would need to be stored on a partition / in a directory that's not accessible by any file-manager-style app. But this is easy to implement. The compartment should not be accessible by anything except for the OS itself.

Like you said, in-memory decryption is not really an option. I'm sure it would be fine for small apps, but imagine this with Need For Speed? ;)

I'm not sure filesystem encryption will add a lot of security. Thing is, once the device has been rooted, people would have access no matter what. I believe the Palm Pre has an encrypted filesystem (at least there's /var/cryptofs on it) but when you're root and access a command line you can get to the files just fine (of course).

But as I said before, this is RIM + QNX. It's not Linux. I'm going to assume people are not going to be able to root this operating system.

Staff UI Prototyper (read: full-time hacker)


My BB10 apps: Screamager | Scientific RPN Calculator | The Last Weather App

Developer
Posts: 817
Registered: ‎11-19-2009
My Device: Z10, Q10, 9900, 9790, PlayBook,
My Carrier: T-Mobile UK, Three, O2, Orange, Sunrise, Swisscom

Re: [Playbook] Anybody interested in a minifying batch script based on the YUI Compressor?

Being root doesn't mean you have access to all the files if some partitions need a key to be decrypted. That key can be the user's password (like on BlackBerrys).

The lack of filesystem encryption (content protection) is very disappointing because of potential issues like rooting.

--
Olivier - interfaSys ltd
Developing for BlackBerry 10 devices using the Sencha Touch framework.

Developer
Posts: 669
Registered: ‎02-19-2011
My Device: BlackBerry PlayBook 32GB
My Carrier: Sprint

Re: [Playbook] Anybody interested in a minifying batch script based on the YUI Compressor?

The point is, if you have root on a system like that AND you have the user password, you can decrypt and read the files. This setup is nice to protect a user's data but not to protect developer source code. A thief with a rooted device could read the files no matter what.

The aim of the game is to make sure it never gets rooted.

Staff UI Prototyper (read: full-time hacker)


My BB10 apps: Screamager | Scientific RPN Calculator | The Last Weather App

Retired
Posts: 3,708
Registered: ‎10-16-2008
My Device: Z10
My Carrier: Rogers

Re: [Playbook] Anybody interested in a minifying batch script based on the YUI Compressor?

All files for your app cannot be accessed by other apps or when connecting via file browsing via a network share. The only way two apps can access the same file is if it is placed in the shared access folders.

Tim Neil
Director, Application Platform & Tools Product Management