FanManPro

Reputation: 1155

Securing WebGL game code

As a seasoned web developer, I understand that JavaScript code cannot be secure, but only minified/obfuscated.

However, many game engines are confident enough to allow their engine code and the customer's game code to be downloaded and visible in the client/browser.

-

Attempting to understand how Unity3D does it, I came across the following breakdown of the files that are downloaded by the client/browser:

Source: https://docs.unity3d.com/Manual/webgl-building.html

-

Then I saw they are using emscripten to compile their C/C++ code to JavaScript:

To run in WebGL, all code needs to be JavaScript. We use the emscripten compiler toolchain to cross-compile the Unity runtime code (written in C and C++) into asm.js JavaScript. asm.js is a very optimizable subset of JavaScript which allows JavaScript engines to AOT-compile asm.js code into very efficient native code.

Source: https://docs.unity3d.com/Manual/webgl-gettingstarted.html

-

Questions:

  1. Is it Emscripten and/or asm.js that is securing the JavaScript code somehow? How?
  2. Is it even secure? If I try really hard I could "steal" something from this code and write a hack/cheat for a game: https://files.unity3d.com/jonas/AngryBots/Release/AngryBots.js
  3. If I've already written a JavaScript game, what can I do now to do what Emscripten does for Unity3D games? (assuming #2 is true)

Upvotes: 1

Views: 3988

Answers (1)

GuidedHacking

Reputation: 3923

Is it Emscripten and/or asm.js that is securing the JavaScript code somehow?

No, those are just part of the toolchain that compiles Unity -> WebGL code -> JavaScript.

Is it even secure?

No, nothing is secure. If you have a popular game, people will hack it.

If I've already written a JavaScript game, what can I do now to do what Emscripten does for Unity3D games?

For any games meant to be played in the web browser, you should be compiling to WebAssembly; that's the standard now, this coming a year after you posted your question. Read more about Unity + WebAssembly.

If you're compiling to WebAssembly, the binary it exports is difficult to reverse engineer, but not impossible. There are already tools available that can help do that.

At the end of the day, you can't stop client-side hacks. Calculate all the important stuff on the server, like currency, health, etc.; otherwise you have to trust the client with some stuff.

Upvotes: 2
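
The answer's advice to calculate currency and health on the server can look like the sketch below. It is an added example, not code from the question, the answer or Unity; the message types, item names, prices and limits are constructed for illustration. The client sends only an intent, and the server derives every value that matters from its own state.

```javascript
// Server-side sketch (for example, the body of a WebSocket message handler in Node.js).
// All names, prices and limits here are constructed for illustration.
const SHOP = new Map([["medkit", { price: 50, heal: 25 }]]);
const MAX_HEALTH = 100;
const COIN_VALUE = 10;
const PICKUP_RADIUS = 2;

function createWorld() {
  return {
    players: new Map(),
    coins: new Map([["c1", { x: 5, y: 5 }], ["c2", { x: 40, y: 40 }]]),
  };
}

// Position, health and currency live only in server memory.
function addPlayer(world, id) {
  world.players.set(id, { x: 4, y: 5, health: 60, currency: 45 });
}

// msg comes from the browser and is untrusted. Only msg.type and the
// identifier it names are read; any "currency" or "health" field is ignored.
function handleMessage(world, playerId, msg) {
  const p = world.players.get(playerId);
  if (!p || typeof msg !== "object" || msg === null) return { ok: false, reason: "bad-request" };
  switch (msg.type) {
    case "pickup": {
      const coin = world.coins.get(msg.coinId);
      if (!coin) return { ok: false, reason: "no-such-coin" };
      // Range check uses the server's copy of the player position.
      if (Math.hypot(coin.x - p.x, coin.y - p.y) > PICKUP_RADIUS) return { ok: false, reason: "too-far" };
      world.coins.delete(msg.coinId); // a coin can be collected only once
      p.currency += COIN_VALUE;
      return { ok: true, currency: p.currency };
    }
    case "buy": {
      const item = SHOP.get(msg.item);
      if (!item) return { ok: false, reason: "no-such-item" };
      if (p.currency < item.price) return { ok: false, reason: "insufficient-funds" };
      p.currency -= item.price; // price comes from the server table, not the message
      p.health = Math.min(MAX_HEALTH, p.health + item.heal);
      return { ok: true, currency: p.currency, health: p.health };
    }
    default:
      return { ok: false, reason: "unknown-type" };
  }
}
```

A modified client can still send any message it likes, but the replies it gets back are bounded by the server's rules, so editing values in the downloaded JavaScript or WebAssembly changes only what that one browser displays.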
