HTML5 Is an HTML5 published game secure from being copied?

[dna48]

Hello,

Just as asked on the post title. I was wondering whether the HTML5 games that are published on a webserver are protected from being copied alltogether or even modified.

• Let's imagine i publish an HTML5 game with just some Ads on the html page that contains the game:

I guess in that case someone could donwload the full game, copy it to other server and just have it running for free without ads or just copy the main html page that loads the game and add his own advertisment on another domain of his own. Is this possible?​

• Another thought is. Let's imagine i have published an HTML5 game that contains some images that show some email addresses or some links or info.

Can someone just copy all the game and then edit the image files with those mail, developer name, logo, etc and make it his own just using his own versions of the images?​

• Another idea. If i publish the HTML5 game and it has coded inside some advertisement mechanism.

Can someone download the game, try to deofuscate it (if possible) and just change the api key or the ad company id and make it their own with their own code?​

I would like to know what is the correct approach and security methodologies you guys follow when publishing your HTML5 games or any recommendation. I was considering using some steganography on the images to check if they are valid and in case the code ofc cannot be deofuscated. And maybe use some hash validation of the files and check on the server side or in the ofuscated code to make sure that they are being executed from the proper domain, etc.

Thanks.

 

[GMWolf]

Aside from obfuscating, there isnt much you can do.
Yes, someone culd do any of these three things you mentioned. Protecting against it is hard, if not practically impossible. The trouble is with how JS works. The browser needs the raw code to run.

I would suggest you put a copy of your game on the appstore and play store as many html5 ga,es get riped and published there. You may aswell be the first.

 

[dna48]

@Fel666 Thanks a lot for your reply. Definetely i agree with you.

Seems there is a function

sha1_file(filename)

In gamemaker that gives back the sha1 hash of each file. I think that could be a nice start. Provided that the game code is ofuscated (because if not everything is definetely lost) enough against "normal" attackers, maybe the file resources (that are being plainly showed in the web folders) could be checked against a sha1_file hash when they are loaded or are going to be used to make sure that they have not been modified. But hey, maybe gamemaker does it by default with its own ofuscation security measures and i could avoid losing time with this?

Regarding the ip from where the code is executed. It seems in "Preferences" "Web Server" we have these configuration parameters:

That i hope their objective could help make sure that the game only is executed from a certain webserver/ip or web directory?

I am ofc not trying to find the total security as against a determined enough attacker probably nothing can be done, but just would like to know what is the recommended procedure to follow when publishing HTML5 not only for the game itself but to avoid cheating, or having a copy with a domain very close to yours with a 1 instead of an L (Silly Example: www.spacelnvaders.com/www.spaceinvaders.com) that is stealing your customers etc.

 

[dna48]

Opened a bug (should be feature request) with a couple ideas.

 

[jackhigh24]

you can get websites shut down very easy if they are using a similar name to yours and its offering similar products, i had there isp owners take 3 down for infringing on my sites name.

 

[dna48]

@jackhigh24 thanks for replying. that is a great idea but i would prefer to have to do that as the last option.

Another thing that would probably help is have a feature request with zip_unzip but with password that seems GM does not support. So the game resources would be in a protected zip and its code behind the ofuscated code