Are exported games insecure?

system · September 28, 2016, 7:33pm


	Attention	Topic was automatically imported from the old Question2Answer platform.
	Asked By	BeLuckyDaf
	Old Version	Published before Godot 3 was released.

As much as I get it, Godot uses pre-compiled binaries to export games. Is it insecure? And should I be worried so much? Thanks.

How using precompiled binary could be unsecure? Towards what?

Zylann | 2016-09-28 21:22

Do you mean “unsecure” == “easy to be stolen and modified by someone else”?

lukas | 2016-10-07 09:05

Exactly! Can the game be modified by somebody else?

BeLuckyDaf | 2016-10-07 09:13

system · October 6, 2016, 6:52pm


	Reply From:	Freeman

I am not sure I understand your question, but Godot’s source is available to the public https://github.com/godotengine/godot, so you can compile everything yourself, with whatever options make you feel secure. You can strip libraries from the main engine and use only bare minimum of things you use and need in your game. For example, if you are making a 2D game, you can remove all 3D components from the engine during compilation with one simple disable_3d=yesoption.

system · October 7, 2016, 7:44am


	Reply From:	Akien

“Exporting” games means generating an archive with your project’s data (data.pck) and copying the Godot runtime binary as executable to run the project data.

This runtime binary is the same as the editor binary, albeit without editing tools. So basically you should be as concerned about exporting games with pre-compiled binaries than you should be about using the pre-compiled editor binary.

If you don’t trust us (for which I can’t blame you for, I’m also wary of binary distributions), you can compile your editor and templates yourself from source: GitHub - godotengine/godot: Godot Engine – Multi-platform 2D and 3D game engine

What really is prompted here is ability to avoid hacks that give player the unfair perks, especially when it comes to multiplayer features (even if these are just on client side).

But fact is, that there is a cross-platform method to encrypt script, which seems plausible to me: Compiling with script encryption key — Godot Engine (3.1) documentation in English

vintprox | 2019-12-25 16:54

system · October 7, 2016, 6:34pm


	Reply From:	Zylann

It’s not easy for everyone to modify an exported game. Compiled C++ is not straightforward to modify (although possible if you talk x86/amd64 bytecode fluently).
Scripts can be encrypted through the export options in Godot (Scene → Project Settings → Scripts).

However it appears some resources are still in text format even after export, according to this issue: https://github.com/godotengine/godot/issues/6709
So if someone opens an exported game with notepad and finds a location in the +30Mo where text can be seen, the game can be slightly altered.

As said before, you can still compile the engine with whatever you think is good for you, however I have no idea how export will work if export templates are already obfuscated.

If your game is really security-sensitive towards modification of the binaries/assets, I know this option, some people like it, others don’t: https://www.easyanticheat.net/
Robocraft, the game i’m working on, is using it, and it helped a lot reducing the amount of hackers. It’s valuable for online games if you can’t afford implementing security checks yourself. However it’s not free, I don’t know of alternatives yet

Do you have any idea how script encryption can affect performance?

Additionally to your answer (if someone afraids about to have assets stolen): it seems to me that assets can be easily extracted from apk for Android builds and the same probably holds for data.pck.

lukas | 2016-10-09 17:44