3

We are building a Unity3D plugin. Any game that uses our plugin, when built for some platform, also includes our plugin in the form of a dynamic library for that platform. For example, when an Android apk is exported from Unity, it will contain our library xyz.so. The library is written in C++.

How can we protect our dynamic library from being stolen? It seems that anybody could "unzip" an apk Android package, take our library, get exports, take documentation from our free trial, and finally use the library without being a licensed customer. Are there protection models that are recommended in this use case?

Danijel
  • the very short answer is it's almost impossible to "really, ultimately" protect your stuffs in this situation, unfortunately. not to mention it's easy to discombobulate the source code sadly! – Fattie Jan 19 '16 at 17:34
  • OK..., but which is the "standard" way of protecting things like this without complicating too much for the customer? – Danijel Jan 19 '16 at 17:59
  • Indeed - I don't know the current, most typical, solution! :) I'm waiting with you to hear. It's either that or wade through the dross on answers.unity3d :/ – Fattie Jan 19 '16 at 19:02
  • PS I guess you googled "Unity3D DLL obfuscation" ... example http://forum.unity3d.com/threads/unity3d-c-dll-code-protection-encrption-obfuscation.149098/ .. "obfuscation" is the useful term here. – Fattie Jan 19 '16 at 19:03

1 Answer

2

Well, even though it's much harder than with Managed Code, C++ code can be disassembled and thus broken. This however is hard work and only worth it if you have a great mass of consumers. People with such skills will much rather hack the most recent popular AAA game, than wasting their time with a third party Unity library.

This being said: yes you should be able to protect your library. Just have a license key validator in your C++ library. The library refuses to work until it has been presented a license key that it was able to successfully validate.

The license might be

License =
{
    key=[ Owner-Identification, App-Identifier ],
    verification=(Signed hash of key)
}

where key can be used by you to identify the owner of the key, and also by the library to ensure that the license only works for Apps with that specific App-Identifier. verification is a hash of key signed with a private key only you know. The matching public key is known to the library and can be used to verify that the license was created by you, and only you.

If you have this code in your library and obfuscate your code using c++ obfuscation tools you should be quite safe. If you don't obfuscate, you should still be quite safe actually.

Edit: you can even do trials with this model. Just add a License-Expire-Time to the key and your library can stop working when that time has passed.

One possible implementation might be:

A file containing both the key in cleartext (so that your code and if so desired even a human can read and understand it) and also containing the signed hash (hash of the key, encrypted with your private key).

The code would read the key and calculate its hash using the same hash algo. It also would decrypt the signed hash using the public key. If both hashes are the same, the code can be sure that the key is valid and can progress to checking its contents: is the key not expired (Expire-Time), is the key meant for this specific app (App-Id), etc etc.

Thomas Hilbert
  • Thanks Thomas. Which part is input to a hash algorithm? Is it a key? Or is it user data (owner name, app name, etc.)? How do I get a key from owner name, app name, etc? – Danijel Jan 28 '16 at 15:36
  • The key is just the sum of all the data you want to put in. You might for example just append all the data into one string. This string is then your key, and you calculate the hash from that key. – Thomas Hilbert Jan 28 '16 at 15:50
  • OK. How would this work in practice? Would it have to be a license file? A file where all the data would be specified, and the file would be signed with an (encrypted) hash? – Danijel Jan 28 '16 at 15:57
  • Also, I need a name for an SDK that would do the above protection? :-) The SDK would take data from an input file and "sign" it with an encrypted hash. – Danijel Feb 18 '16 at 08:34
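
The license-file check described in the answer and comments above, as an added example that is not part of the original thread or any poster's code. It is written in Go so it runs with only the standard library, and it uses an Ed25519 signature (which hashes the message internally) in place of the hand-built "hash encrypted with the private key" step. The names `Issue`, `Verify` and `Demo`, the file layout and all sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// Issue runs on the vendor side only; the private key never ships with the library.
// One field per line (values must not contain newlines) keeps the signed key unambiguous.
func Issue(priv ed25519.PrivateKey, owner, appID string, expires int64) string {
	key := fmt.Sprintf("owner=%s\napp=%s\nexpires=%d", owner, appID, expires)
	sig := ed25519.Sign(priv, []byte(key))
	return key + "\n--\n" + base64.StdEncoding.EncodeToString(sig)
}

// Verify is the check the shipped library would run; now is Unix seconds.
func Verify(pub ed25519.PublicKey, license, appID string, now int64) error {
	key, sigB64, _ := strings.Cut(license, "\n--\n")
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || !ed25519.Verify(pub, []byte(key), sig) {
		return fmt.Errorf("bad signature")
	}
	// The fields are trusted only now that the signature over them has verified.
	f := strings.Split(key, "\n")
	if len(f) != 3 || f[1] != "app="+appID {
		return fmt.Errorf("license is for a different app")
	}
	var exp int64
	if _, err := fmt.Sscanf(f[2], "expires=%d", &exp); err != nil || now >= exp {
		return fmt.Errorf("license expired")
	}
	return nil
}

// Demo issues one license with a throwaway key pair (all values constructed) and
// returns the verdict for: valid, wrong app, past expiry, app field edited after signing.
func Demo() (valid, wrongApp, expired, edited error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := int64(1700000000)
	lic := Issue(priv, "Acme Games", "com.acme.game", now+86400)
	forged := strings.Replace(lic, "com.acme.game", "com.other.game", 1)
	return Verify(pub, lic, "com.acme.game", now),
		Verify(pub, lic, "com.other.game", now),
		Verify(pub, lic, "com.acme.game", now+2*86400),
		Verify(pub, forged, "com.other.game", now)
}

func main() { fmt.Println(Demo()) }
```

The expiry check depends on the device clock, which the user controls, so a trial limit enforced this way is only as reliable as the time source passed in as `now`.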