Creating Closed Source Apps

[physicsclassroom]

I have a commercial license so I presumably should be able to create "closed-source apps." I have some apps on the Android store but a buyer can download the app to their computer and view all my scripts using the Community version of LiveCode. What must I do to keep my source code closed and to prevent this from happening? I seem to be missing something really BIG.

[Klaus]

Hi physicsclassroom,

in the standalone builder settings "Stacks" select all your (sub-)stacks and check "Encrypt with password", see attachment.

Best

Klaus

[physicsclassroom]

Hi Klaus,

That looks easy enough. However, there are two problems. First, when I open my main stack, it is greyed out in the stacks pane so that I am unable to select it and chose the Encrypt with password. Second, while I have several stacks included in the app bundle, all of them are included in the Copy Files tab. I think I remember there being a reason I did it this way but I'm not exactly sure I remember the reason as it was a decision I made about a year ago.

If I open the individual stacks included in the bundle, a few of them allow me to select Encrypt with Password in the Stand Alone App Settings. Others do not.

Any ideas as to why the option is greyed out? I just checked and I have a LiveCode Indy version good until 2017.

[quailcreek]

Hi physicsclassroom,
If the standalone setting are set to either iOS or Android, Encrypt with password is greyed out.

[physicsclassroom]

Yep. That was it; once I change unchecked the iOS build button, I was able to password protect my main stack. Thank you.

Anyone know how to protect a stack that is included in the bundle but not part of the main stack?

[FourthWorld]

Anyone know how to protect a stack that is included in the bundle but not part of the main stack?

Code: Select all

set the password of stack "stackname" to "password"

To access scripts in the IDE without changing the password:

Code: Select all

set the passkey of stack "stackname" to "password"

[physicsclassroom]

Thanks Richard. Would these scripts go in an openStack handler?

[FourthWorld]

Thanks Richard. Would these scripts go in an openStack handler?

NEVER EMBED PASSWORDS FOR ANYTHING IN ANY SCRIPT IN ANY LANGUAGE ANYWHERE.

Pardon the all-caps, but now and then I see newcomers tempted to do that and it's a nasty security issue so easily avoided and so devastating when not. I've seen it in bash more than a few times, where the ill effects can be system-wide. Not sure how that becomes something people do, but hopefully we're all just a few more screaming all-caps messages on the Internet away from ending the practice forever.

I would just run those from the Message Box, or if you do it often perhaps from a plugin stack you can make for use in your own system. Setting the password only needs to be done once so it's probably not worth making a button to do that. As for passkey to edit scripts while I'm working, in some projects I have a substack that has utilities I use during development and in that I'll add a button with something like this so I can unlock everything in the stack file at once:

Code: Select all

on mouseUp
  ask "Passkey for all stacks in this stack file:"
  if it is empty then exit to top
  put the mainstack of this stack into tMainStack
  set the passkey of stack tMainStack to it
  repeat for each line tSubstack in the substacks of stack tMainStack
     set the passkey of stack tSubStack to it
   end repeat
end mouseUp

[Simon]

Scott Rossi showed me a cool way.
Have a totally separate stack somewhere on your drive with the passkey in a custom property.
Then in your openStack

Code: Select all

if there is a file "c:/user/blah/blah/myPasskey.livecode" then
set the passkey of this stack to the cPass of stack "c:/user/blah/blah/myPasskey.livecode"

I guess you could even just use a text file. Just keep your product stack far away from your passkey stack.

Simon

[[-hh]]

If the standalone setting are set to either iOS or Android, Encrypt with password is greyed out.

To be complete, enlarge to: "either iOS or Android or HTML5"

[physicsclassroom]

I would just run those from the Message Box, or if you do it often perhaps from a plugin stack you can make for use in your own system. Setting the password only needs to be done once so it's probably not worth making a button to do that

.

OK. So if I understand you correctly, the idea is to save the password to the stack during development and then the scripts of that stack becomes password protected forever or until the password is set to Empty. When the stack is saved with the stand-alone bundle, any Android user who extracts the stack from the bundle will not be able to look at any scripts of that stack without knowledge of the password. Is that the idea?

[FourthWorld]

So if I understand you correctly, the idea is to save the password to the stack during development and then the scripts of that stack becomes password protected forever or until the password is set to Empty. When the stack is saved with the stand-alone bundle, any Android user who extracts the stack from the bundle will not be able to look at any scripts of that stack without knowledge of the password. Is that the idea?

Yep.

[physicsclassroom]

Thanks to all. I'm feel confident I can improve the security of my apps.

[KimD]

Hi

Hi physicsclassroom,
If the standalone setting are set to either iOS or Android, Encrypt with password is greyed out.

Many months ago I set a password for my (Indy License) iOS & Android standalones using LC7. I've now subsequently installed LC8. As noted above - the Standalone App Settings > Stacks tabs with the password is now greyed out. Are my iOS & Android standalones password protected or not?

Thanks in advance

Kim

[trevix]

I think there is still a problem that frustrates the passkey method:

- You create a Standalone that opens a password protected stack.
- On opening the stack, your script "set the passkey of stack xx to "password" (because of how it works, copying things etc, your stack scripts needs to be unlocked in order to function).

In order to steal your password protected script, I can:

- open your stack in LC (may be after setting the lock messages to false)
- add a group with the following script:
On OpenControl
put the script of this stack into tPath
end OpenControl
- save the stack

The next time I run the Standalone, the "protected" script will be saved to tPath !

So, as Andy Piddock cleverly wrote in this other post (Encryption for file vs Standalone App) the only solution is to keep password protection during most of the operation, then momentarily remove the password for operations that don't work with the password protection.

I wish there was a way to block the opening of a stack from the IDE: in this way nobody could add malicious scripts to a stack.
Trevix