Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add support to custom random seed #116

Merged
merged 3 commits into from
Nov 6, 2024
Merged

feat: add support to custom random seed #116

merged 3 commits into from
Nov 6, 2024

Conversation

davidmartos96
Copy link
Contributor

Hello!
I'm using the obfuscate feature from clean builds in CI/CD, but every build is generating different output, so checks that I have for unchanged autogenerated files are failing.

My proposed solution is to provide optionally a seed for the random number generator.

@techouse
Copy link
Collaborator

techouse commented Nov 4, 2024

LGTM!

@petercinibulk @ThexXTURBOXx can you throw an eye on this pls?:)

@techouse techouse self-assigned this Nov 4, 2024
ThexXTURBOXx
ThexXTURBOXx suggested changes Nov 4, 2024
View reviewed changes
Copy link
Contributor

@ThexXTURBOXx ThexXTURBOXx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some documentation changes

packages/envied/lib/src/envied_base.dart Show resolved Hide resolved
packages/envied/lib/src/envied_base.dart Show resolved Hide resolved
techouse and others added 2 commits November 4, 2024 14:00
@techouse @ThexXTURBOXx
Update packages/envied/lib/src/envied_base.dart
d32a5ff 
Co-authored-by: Nico Mexis <nico.mexis@kabelmail.de>
@techouse @ThexXTURBOXx
Update packages/envied/lib/src/envied_base.dart
fda513e 
Co-authored-by: Nico Mexis <nico.mexis@kabelmail.de>
@techouse techouse requested a review from ThexXTURBOXx November 4, 2024 14:00
@techouse
Copy link
Collaborator

techouse commented Nov 4, 2024

Just some documentation changes

Good idea. I updated the PR.

@davidmartos96
Copy link
Contributor Author

@ThexXTURBOXx What are the implications from not using .secure()?
In the end, isn't the "randomly generated list of numbers" contiguously in memory after obfuscation?
Does it really matter how the numbers were generated?

@ThexXTURBOXx
Copy link
Contributor

Good idea. I updated the PR.

Thanks! :)

What are the implications from not using .secure()?
In the end, isn't the "randomly generated list of numbers" contiguously in memory after obfuscation?
Does it really matter how the numbers were generated?

Coming from a hardware security standpoint, yes, it does matter how they were generated.
A simple brute-force scenario could try to reproduce parts of the resulting binary using the same (P)RNG configuration that was used when generating the XOR key.
If that succeeds, one knows (1) the location of the key and hence (2) the key and the encrypted data next to it and thus (3) the decrypted data.
Yes, basic utilities like strings will still not be able to extract the data in a meaningful way, but the predictability makes searching for the data very easy with PRNGs (especially when the initial configuration is known).

One could always extract the decrypted data directly from memory, but that was not the point the obfuscation in the first place.
That is also what I initially pointed out when creating the PR - there are still rather "easy" ways to extract the data.
But by going this route of argumentation you will always end up with the conclusion that you should not include secret data in your app, but have it in some kind of cloud service, where it is securely stored and never able to leave it.
The obfuscation possibility is just to keep "script kiddies" away from trying to steal your secrets that you are too lazy to store securely elsewhere :)

@davidmartos96
Copy link
Contributor Author

@ThexXTURBOXx Thank you for the detailed answer! Didn't think about brute forcing patterns in the binary.

@techouse techouse merged commit 3a13952 into petercinibulk:main Nov 6, 2024
3 checks passed
@techouse techouse mentioned this pull request Nov 6, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ThexXTURBOXx ThexXTURBOXx ThexXTURBOXx approved these changes

@techouse techouse techouse approved these changes

@petercinibulk petercinibulk Awaiting requested review from petercinibulk petercinibulk is a code owner

Assignees

@techouse techouse

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@davidmartos96 @techouse @ThexXTURBOXx