Are exported games insecure?

+2 votes

As much as I get it, Godot uses pre-compiled binaries to export games. Is it insecure? And should I be worried so much? Thanks.

in Engine by (38 points)

How using precompiled binary could be unsecure? Towards what?

by (28,789 points)

Do you mean "unsecure" == "easy to be stolen and modified by someone else"?

by (675 points)

Exactly! Can the game be modified by somebody else?

by (38 points)

3 Answers

+4 votes
Best answer

It's not easy for everyone to modify an exported game. Compiled C++ is not straightforward to modify (although possible if you talk x86/amd64 bytecode fluently).
Scripts can be encrypted through the export options in Godot (Scene -> Project Settings -> Scripts).

However it appears some resources are still in text format even after export, according to this issue: https://github.com/godotengine/godot/issues/6709
So if someone opens an exported game with notepad and finds a location in the +30Mo where text can be seen, the game can be slightly altered.

As said before, you can still compile the engine with whatever you think is good for you, however I have no idea how export will work if export templates are already obfuscated.

If your game is really security-sensitive towards modification of the binaries/assets, I know this option, some people like it, others don't: https://www.easyanticheat.net/
Robocraft, the game i'm working on, is using it, and it helped a lot reducing the amount of hackers. It's valuable for online games if you can't afford implementing security checks yourself. However it's not free, I don't know of alternatives yet :/

by (28,789 points)
selected by

Do you have any idea how script encryption can affect performance?

Additionally to your answer (if someone afraids about to have assets stolen): it seems to me that assets can be easily extracted from apk for Android builds and the same probably holds for data.pck.

by (675 points)
+2 votes

I am not sure I understand your question, but Godot's source is available to the public https://github.com/godotengine/godot, so you can compile everything yourself, with whatever options make you feel secure. You can strip libraries from the main engine and use only bare minimum of things you use and need in your game. For example, if you are making a 2D game, you can remove all 3D components from the engine during compilation with one simple disable_3d=yesoption.

by (721 points)
+1 vote

"Exporting" games means generating an archive with your project's data (data.pck) and copying the Godot runtime binary as executable to run the project data.

This runtime binary is the same as the editor binary, albeit without editing tools. So basically you should be as concerned about exporting games with pre-compiled binaries than you should be about using the pre-compiled editor binary.

If you don't trust us (for which I can't blame you for, I'm also wary of binary distributions), you can compile your editor and templates yourself from source: https://github.com/godotengine/godot

by (1,945 points)

What really is prompted here is ability to avoid hacks that give player the unfair perks, especially when it comes to multiplayer features (even if these are just on client side).

But fact is, that there is a cross-platform method to encrypt script, which seems plausible to me: https://docs.godotengine.org/en/3.1/development/compiling/compiling_with_script_encryption_key.html

by (10 points)
Welcome to Godot Engine Q&A, where you can ask questions and receive answers from other members of the community.

Please make sure to read How to use this Q&A? before posting your first questions.
Social login is currently unavailable. If you've previously logged in with a Facebook or GitHub account, use the I forgot my password link in the login box to set a password for your account. If you still can't access your account, send an email to webmaster@godotengine.org with your username.