How to protect freemium HTML5 from variable modification?

Some people have asked similar questions about securing HTML5 apps and securing freemium apps, but not both. I'm asking this separately because I have the impression (right or wrong) that HTML5 is particularly insecure compared to native.

I am working on an embedded HTML5 application. I want to monetize using a freemium model, but I am worried about how to keep my virtual currency and scoring variables from being too easily confused by the end user, as I fear this could negatively impact revenue if some hacker (no offense to which calculated this term) were to create a YouTube video or blog about the exploit. I think it is very unlikely for this to happen early on, but I think the vulnerability will matter more with popularity. I am also worried about someone copying the application.

I understand that both are possible with an application installed on the device.

My questions:

  • How easy is it, in your opinion or experience, to deobfuscate an embedded (browser-independent) HTML5 application and its JavaScript versus a native application with core files based on Java or Objective-C data? / How well does obfuscation work in HTML5 applications and based on application obfuscation in terms of data protection?
  • How difficult is it to obfuscate an HTML5 app and use something like ProGuard in regular Android apps?
  • Does obfuscation cause HTML5 to slow down noticeably for casual users?
  • Finally, do you think it's practical to have a freemium HTML5 app? Or do you personally think this is too vulnerable?

What I'm basically trying to figure out with them is whether HTML5 is particularly vulnerable or difficult to secure, at least compared to native app security. If a convoluted HTML5 app is as safe or unsafe as a regular app, then I think I'm fine with it.

+3


2 answers


The only way to prevent cheating (and unlocking freemium elements is kind of cheating) is to move all relevant game logic to the server. Forget about obfuscation. When executed on the client machine, it is under the user's control. Obfuscation can slow the user down, but it cannot stop someone who decides to hack it. This applies not only to JavaScript, but to every game client, no matter what programming language it is written in.



A general rule of thumb in the development of cheating multiplayer games is to never trust the client and do all the calculations that are relevant to the gameplay on the server.

+5
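
The server-side approach described in the answer above, as an added example that is not part of the original post: the coin balance and score exist only on the server, and the client sends intents whose effects the server computes itself. All names (`CATALOG`, `PICKUPS`, `creditPurchase`, `handleClientMessage`, the message shapes) are hypothetical, and receipt verification with the payment provider is assumed to happen before `creditPurchase` is called.

```javascript
// Added example; every name here is hypothetical.
const CATALOG = new Map([["extra_life", 50], ["gold_skin", 300]]); // prices live on the server
const PICKUPS = new Map([["gem_1", 100], ["gem_2", 250]]);         // points per in-game pickup

function createStore() {
  return { players: new Map() }; // in-memory stand-in for a real database
}

function getPlayer(store, id) {
  if (!store.players.has(id)) {
    store.players.set(id, { coins: 0, score: 0, items: new Set(), seen: new Set() });
  }
  return store.players.get(id);
}

// Coins are credited only from a receipt the server verified with the payment
// provider (verification is assumed to have happened before this call).
function creditPurchase(store, id, receipt) {
  const p = getPlayer(store, id);
  if (p.seen.has("receipt:" + receipt.id)) return { ok: false, reason: "receipt replayed" };
  p.seen.add("receipt:" + receipt.id);
  p.coins += receipt.coins;
  return { ok: true, coins: p.coins };
}

// The client sends intents only; any balance, price or score it includes is ignored.
function handleClientMessage(store, id, msg) {
  const p = getPlayer(store, id);
  if (msg.type === "buy") {
    const price = CATALOG.get(msg.itemId);
    if (price === undefined) return { ok: false, reason: "unknown item" };
    if (p.coins < price) return { ok: false, reason: "insufficient coins" };
    p.coins -= price;
    p.items.add(msg.itemId);
    return { ok: true, coins: p.coins };
  }
  if (msg.type === "collect") {
    const points = PICKUPS.get(msg.pickupId);
    if (points === undefined) return { ok: false, reason: "unknown pickup" };
    if (p.seen.has("pickup:" + msg.pickupId)) return { ok: false, reason: "already collected" };
    p.seen.add("pickup:" + msg.pickupId);
    p.score += points;
    return { ok: true, score: p.score };
  }
  return { ok: false, reason: "unknown message" };
}
```

A client that edits its local variables changes only what it displays; the next server response carries the authoritative values.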


In my opinion, it is better to obfuscate and never trust the client. Not only that, I would even compress the running code, and I would add a decompressor obfuscation in the client and / or server. The technique is viable and this is what professional companies use all over the internet.

Now to answer your questions:



  • It's not easy to mess around with properly obfuscated code (something that will require you to squeeze / glue even numbers). Professional hackers won't mess with your code "for sport" unless they are given money to do it, and even so it will be difficult for them to do this (which is why I don't believe in the "forget about obfuscation" thinking).
  • Obfuscation works very well in terms of data protection. Your code becomes unreadable and, to some extent, can be viewed as therefore it reduces file size and download times.
  • Obfuscation is easy if you rely on professional tools that can obfuscate JS, HTML5, CSS and PHP together. It's only harder if you need to develop such tools. But there is open source software in the field as well.
  • It definitely slows down "normal users"; they feel lost before your code.
  • It's practical to have an HTML5 app with freemium features, but it all depends on how you implement those options.
  • If done correctly, as stated above, it is less vulnerable, but personally I don't like this business model.

+1

