encrypting content in standalone stack

markhinnebusch
Posts: 40
Joined: Thu May 17, 2018 7:32 pm
Location: Florida, USA

encrypting content in standalone stack

Post by markhinnebusch » Mon Aug 13, 2018 9:52 pm

It is my understanding that password protecting a stack in standalone will lock the script but not the content. Am I correct that there is no way to prevent someone from opening a stack that is part of a standalone app in the IDE?

I was thinking of having an openStack handler that looked at the environment and, if it was the IDE and the stack was in a standalone app, then quitting. I know about the environment function to tell if open in the IDE but is there some way to check the stack itself and see if it is in a standalone app deployment?

I need to be able to protect intellectual property in fields and while I can encrypt and decrypt, it sure would be nice to be able to lock the stack completely.

Does anyone have any idea how to go about this or if it is even feasible?

thanks,
mark

bwmilby
Posts: 438
Joined: Wed Jun 07, 2017 5:37 am
Location: Henrico, VA
Contact:

Re: encrypting content in standalone stack

Post by bwmilby » Mon Aug 13, 2018 11:16 pm

One possible problem I can see with your approach is "lock messages". If you are in the IDE and lock messages, then the stack won't get the openStack message. So you will need to actually encrypt the stack file itself that has your sensitive data. Then the app will need to decrypt when opening.

Another approach would be to have your stack not contain any of the actual data. Then the data could be stored however is most convenient (flat files, database, etc.) where each record/file is an encrypted blob that the application loads and decrypts as needed. In that case, having the app stack protected will give one level of security for your keys (assuming they are in the code).

Security is a big topic, so I could be missing something.

Thanks,
Brian
Brian Milby

Script Tracker https://github.com/bwmilby/scriptTracker

markhinnebusch
Posts: 40
Joined: Thu May 17, 2018 7:32 pm
Location: Florida, USA

Re: encrypting content in standalone stack

Post by markhinnebusch » Mon Aug 13, 2018 11:42 pm

I misstated. I shouldn't have used "lock the script". When you password protect a stack, then a password is required to see the scripts in the IDE. What I would like is to be able to hide the field contents as well or, preferably, prevent the stack from being opened in the IDE at all if it is part of a standalone deployment.

Using an openStack to quit if in the IDE would work except I need to be able to tell if the stack is part of a standalone deployment because I want to be able to open the stack for maintenance in the IDE if it isn't a standalone. I guess I could add the openStack, build the standalone, and then delete the openStack after deployment but that's pretty kludgy.

So, I guess what I am looking for is a way to determine if a stack is part of a standalone deployment or not.

FourthWorld
VIP Livecode Opensource Backer
Posts: 9802
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: encrypting content in standalone stack

Post by FourthWorld » Tue Aug 14, 2018 1:36 am

A standalone can't be opened in the IDE. Once rendered into an executable, the attachment of the engine changes the structure of the file such that the IDE won't know what to do with it.

That said, everything is hackable. Any content that can be seen can be copied. Any data in RAM can be dumped.

If your app contains truly critical data you'll want to use encryption on the data outside of the executable, requiring either a strong password to access or a private/public key pair. Even then, once decrypted it will still have the same potential vulnerabilities as anything else. Like the old saying goes, local access = root. At that level it's all about controlling physical premises.
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn

bogs
Posts: 5435
Joined: Sat Feb 25, 2017 10:45 pm

Re: encrypting content in standalone stack

Post by bogs » Tue Aug 14, 2018 2:31 pm

FourthWorld wrote (Tue Aug 14, 2018 1:36 am):
"A standalone can't be opened in the IDE."

True enough, but if I read his sentence correctly, he may be talking about stacks included in a 'standalone deployment', not parts of the actual standalone (like the IDE is deployed). I *think* that is what he actually means, I could be wrong though :)

@ markhinnebusch,
Richard pretty much covered what I understand your question to be, because broadly speaking, there is no way to accomplish what you're talking about due to the way computers work at the most basic levels. Otherwise, DRM schemes would not exist (which don't work either depending on the skill level of the person trying to work around them).

But I do find some of your questions interesting thought puzzles nonetheless.

"What I would like is to be able to hide the field contents as well or, preferably, prevent the stack from being opened in the IDE at all if it is part of a standalone deployment."

I assume you have some kind of default projects folder, even if you develop across a number of machines. This *should* work if the folder has the same name regardless of machine using the environment test (if you're not in the IDE, you want to skip the test).

on preOpenStack
   set the itemdelimiter to "/"
   // you can set as many parts of the path as you want...
   // determine which OS you're on, either using case or if/then...
   if "/home/Desktop" is not among the items of the long name of this stack  then answer "nope!"
   // change answer "nope!" to close/quit stack with destroy set to true...
end preOpenStack

I tested this and it works pretty much as you'd expect it to.
As long as the stack is in your projects folder, it will open in the IDE. On deployment, it would no longer be in your projects folder, and therefore should close and be removed from memory immediately on starting to open in the IDE, although if I am incorrect in this assumption on how destroy stack works, I hope someone will correct me :mrgreen:

You could also use any number of other qualifiers as a test, I would suspect. Just keep in mind this is not going to stop anyone determined and skilled enough from doing what they want.

*Edit - I shouldn't have to add this, but I sure hope your projects folder path doesn't include "home/Desktop" :P

The more specific the test, the less likely it is any deployment folder would be in the same place.

FourthWorld
VIP Livecode Opensource Backer
Posts: 9802
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: encrypting content in standalone stack

Post by FourthWorld » Tue Aug 14, 2018 4:37 pm

bogs wrote (Tue Aug 14, 2018 2:31 pm):
"FourthWorld wrote (Tue Aug 14, 2018 1:36 am): 'A standalone can't be opened in the IDE.'
True enough, but if I read his sentence correctly, he may be talking about stacks included in a 'standalone deployment', not parts of the actual standalone (like the IDE is deployed)."

It might be. I was responding to:
"a stack that is part of a standalone app"
...but that might mean all sorts of things. Hopefully we'll learn more when he resurfaces.

In addition to the physical structure of his deployed assets, it'll be helpful to learn just how sensitive the data is and the scenarios in which it will be used. What's needed for nuclear secrets is a bit more costly than what would be practical for protecting a pumpkin bread recipe.
Richard Gaskin

markhinnebusch
Posts: 40
Joined: Thu May 17, 2018 7:32 pm
Location: Florida, USA

Re: encrypting content in standalone stack

Post by markhinnebusch » Tue Aug 14, 2018 5:31 pm

It is somewhere between nuclear secrets and pumpkin bread, LOL. It is course material. What I meant were stacks included as copy files, not actually in the executable. The idea of checking location is a great idea, but overnight I had a thought. If the malicious user turns off messages before opening the stack, would the preOpen handler ever get called? I'm starting to think that there is really no way to avoid encryption. Sigh...

Thanks for the help!

mark

FourthWorld
VIP Livecode Opensource Backer
Posts: 9802
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: encrypting content in standalone stack

Post by FourthWorld » Tue Aug 14, 2018 10:01 pm

Would it be practical to store the content externally from the UI? That would give you file encryption options.

You could also do that with a stack: read a stack file as binary into memory, encrypt it, write it to disk. To read, read as binary, decrypt, and use "go stack <variablename>" to open it from RAM.
Richard Gaskin

bogs
Posts: 5435
Joined: Sat Feb 25, 2017 10:45 pm

Re: encrypting content in standalone stack

Post by bogs » Wed Aug 15, 2018 1:15 am

Richard's suggestions certainly have advantages over what I suggested; although still not unbreakable, it would certainly up the skill levels needed.

markhinnebusch
Posts: 40
Joined: Thu May 17, 2018 7:32 pm
Location: Florida, USA

Re: encrypting content in standalone stack

Post by markhinnebusch » Fri Aug 17, 2018 6:16 pm

I really like the idea of encrypting the entire stack! Thank you! I think this is pretty much foolproof.

markhinnebusch
Posts: 40
Joined: Thu May 17, 2018 7:32 pm
Location: Florida, USA

Re: encrypting content in standalone stack

Post by markhinnebusch » Mon Sep 10, 2018 5:38 pm

I'm posting my solution in case someone trips across this thread.

I wrote a livecode encrypt/decrypt utility and I encrypt the stacks before putting them on my server for download. When I start my livecode program, I look for those encrypted update stacks and if they exist, I save the old encrypted copy on the local machine (for recovery, in case of error) and download the new version. I close the existing stack, decrypt the new file and reopen the stack. I then hide the stack and delete the decrypted .livecode file. In this way, the decrypted stack only exists for a brief time on the disk. When the program closes, it encrypts the new stack and saves the encrypted copy to the user's disk. In this way, no .livecode files exist on the user's machine except for a very brief time.

To round things out, when the program starts, it looks at the environment and, if in standalone, checks to see if the livecode IDE is running. If so, it throws an error message and quits. At various points in the program, that check is made again. In this way, no nefarious user with livecode installed can open the decrypted files during their brief existence.

And, of course, all of the stacks are password protected to secure the scripts.

It still isn't foolproof, but it is good enough that the intellectual property owner is satisfied.

Thanks for all of your input.

--mark
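
The approach Richard describes earlier in the thread (read the stack file as binary, encrypt it, and later open the decrypted data from a variable with "go stack"), written out as an added LiveCode example; it is not code from any poster here. It also covers the case in the final post without ever writing a decrypted .livecode file to disk. The handler names, the "aes-256-cbc" cipher choice, the file paths and the way the password is passed in are assumptions.

```livecode
-- Added example, not from the thread. Handler names, cipher choice and
-- paths are assumptions. The standalone must include the SSL & Encryption
-- library for encrypt/decrypt to be available.

-- Build time (run in the IDE): produce the encrypted copy that ships.
command sealStackFile pPlainPath, pSealedPath, pPassword
   local tData
   put URL ("binfile:" & pPlainPath) into tData
   if the result is not empty then throw "read failed:" && the result

   encrypt tData using "aes-256-cbc" with password pPassword
   if the result is not empty then throw "encrypt failed:" && the result

   -- encrypt leaves its output in the special variable "it"
   put it into URL ("binfile:" & pSealedPath)
   if the result is not empty then throw "write failed:" && the result
end sealStackFile

-- Run time (in the standalone): decrypt into memory and open from there,
-- so no plaintext stack file ever exists on the user's disk.
command openSealedStack pSealedPath, pPassword
   local tSealed, tStackData
   put URL ("binfile:" & pSealedPath) into tSealed
   if the result is not empty then throw "read failed:" && the result

   decrypt tSealed using "aes-256-cbc" with password pPassword
   -- a wrong password or a damaged file is reported here
   if the result is not empty then throw "decrypt failed:" && the result
   put it into tStackData

   -- open the stack directly from the binary data held in the variable
   go stack tStackData
end openSealedStack
```

The password still has to be somewhere the standalone can reach it, so password-protecting the script that holds it only raises the effort needed to recover it, as Brian notes above.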
