How do I contact the Ouya Team to request making offline validation as easy as online? They've listened about the joysticks and recovery options.
If Ouya included some way of offline validation through their ODK, that would make things much easier to pirate. They would only have to figure it out once, then apply on all games.
It's not hard to do yourself, and it's safer too.
I made the OUYA exclusive games Cube and Creature and Hellworm! evgiz.net
How do I contact the Ouya Team to request making offline validation as easy as online? They've listened about the joysticks and recovery options.
I'm not sure that the Ouya Team should have anything to do with offline validation because that really has nothing to do with their servers or their system necessarily.
At the simplest level, at the moment a purchase is made you would just save an integer into your game preferences, local filesystem, or whatever persistent storage you have. Then, the next time the game is started without internet access you would just read that integer out of your persistent storage to see if the purchase has been made already. Presto - offline validation.
Of course, this is easy to pirate by just copying the app and its associated data to another device. If you don't care, then you're already finished. Super easy!
If you do care, just put extra security layers on top of that. Obfuscate the key name - call it "PenaltyTimeAccumulated" instead of "PurchasedFullGame". Obfuscate the value - instead of storing a 0 or 1, store a 12 or a 42. You could even store off an MD5 hash of your entire persistent data storage file. Then, whenever you start the game, check that hash. If the hash doesn't match, someone has tampered with the persistent data storage. There's lots of little tricks you can do to make the pirate's job harder. You just need to decide how far you want to go.
For serious levels of offline security, do AES encryption on the integer value using device ID, game ID, and key name as the encryption key. That will prevent hackers from just copying the encrypted value from key to key, game to game, or device to device. Each encrypted value will then only work on a particular key/game/device combination. Then, for a hacker/pirate to be able to do anything with that encrypted value they would need to crack the AES encryption. And if somebody is able to crack your AES encrypted game data then they're a big-time hacker and would probably be better off using that skill to hack into banks and the NSA.
Of course, there are still other attack vectors, but mostly beyond the scope of my knowledge and into the realm of serious security programming techniques. The encrypted key might only work with one device ID, but people can hack their device ID. Could maybe fix that by adding Ouya ID to the encryption key. People can attach debuggers to their device and view the contents of your device's memory as the game runs to extract the encryption key. Still extremely difficult but technically possible. In the end, nothing is perfect... but you can still make a hacker/pirate's job pretty annoying and impractical.
Personally, I plan on AES encryption for locally storing my secure purchase data and leaving it at that.
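The device/game/key-name binding described in the post above, as an added example (not the poster's code and not part of the OUYA ODK). It assumes AES-GCM and a PBKDF2-derived key, neither of which the post specifies; the class name, device IDs and package name are constructed. GCM's authentication tag also covers the tamper check the post assigns to the MD5 hash.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class PurchaseFlagStore {
    // Derive an AES-128 key from the three binding values (assumed KDF: PBKDF2).
    static SecretKeySpec deriveKey(String deviceId, String gameId, String keyName) throws Exception {
        char[] secret = (deviceId + "\n" + gameId).toCharArray();
        byte[] salt = keyName.getBytes(StandardCharsets.UTF_8);
        PBEKeySpec spec = new PBEKeySpec(secret, salt, 10000, 128);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // Returns nonce || ciphertext || GCM tag for the stored integer.
    static byte[] seal(int value, SecretKeySpec key) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce); // fresh nonce for every write
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(ByteBuffer.allocate(4).putInt(value).array());
        return ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array();
    }

    // Returns the integer, or null if the blob was edited or was sealed
    // under a different device ID, game ID or key name.
    static Integer open(byte[] blob, SecretKeySpec key) {
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
            return ByteBuffer.wrap(c.doFinal(blob, 12, blob.length - 12)).getInt();
        } catch (Exception e) {
            return null; // bad tag or truncated blob: treat as "not purchased"
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample identifiers, not real OUYA values.
        SecretKeySpec k = deriveKey("device-A", "com.example.game", "PenaltyTimeAccumulated");
        byte[] blob = seal(42, k);
        System.out.println("same device:  " + open(blob, k));
        System.out.println("other device: " + open(blob, deriveKey("device-B", "com.example.game", "PenaltyTimeAccumulated")));
        blob[blob.length - 1] ^= 1; // simulate an edited save file
        System.out.println("tampered:     " + open(blob, k));
    }
}
```

The key is derived only from values readable on the device, so this stops a saved value from being copied between devices, games or keys; it does not stop someone who reimplements the derivation or reads the key from memory.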
We will have to agree to disagree on that, StoicHamster. Supporting online only is a bad strategy and not popular. End users will accept anything until they go offline and can't play their game.
If Ouya included some way of offline validation through their ODK, that would make things much easier to pirate.
I don't see why it would be significantly more vulnerable than it currently is. Someone could also hack the code responsible for the online checks and fake them to always return a successful purchase.
If Ouya included some way of offline validation through their ODK, that would make things much easier to pirate.
I don't see why it would be significantly more vulnerable than it currently is. Someone could also hack the code responsible for the online checks and fake them to always return a successful purchase.
You mean the code in the OS?
If you mean the game then it's much harder if all games have different validation code.
The basic premise here is that you shouldn't expect to change the fundamental expectations of a customer. A game is theirs once they purchase it. That right shouldn't go away because their cable connection goes out.
The reason Ouya should support offline validation has more to do with how we want to change the industry rather than force consumers to do what is easy for us.
I don't see why it would be significantly more vulnerable than it currently is. Someone could also hack the code responsible for the online checks and fake them to always return a successful purchase.
You mean the code in the OS?
Yes. If someone hacks the Ouya SDK code responsible for online checks, it doesn't matter what clever way you come up with for storing purchase information locally for your game.
If Ouya added code for storing purchases offline, I see no reason in principle why that code would be more or less secure than the current online-only checks.
The basic premise here is that you shouldn't expect to change the fundamental expectations of a customer. A game is theirs once they purchase it. That right shouldn't go away because their cable connection goes out.
The reason Ouya should support offline validation has more to do with how we want to change the industry rather than force consumers to do what is easy for us.
Developers are going to do what they want with how their game works, and they might lose a few customers over it but in the end it's their decision. Not everyone shares the same views as you.
Ouya at this point is trying to gain developers and can't afford to impose a ton of restrictions and rules and lose any. They are still trying to get well established and it's no secret. This is a controversial topic any way you look at it, whether it be from the developer side, the customer side or even OUYA's side.
In the end, no one is twisting your arm telling you to do or buy anything.
Ouya at this point is trying to gain developers and can't afford to impose a ton of restrictions and rules and lose any. They are still trying to get well established and it's no secret.
Actually, this is exactly when they should be setting standards and restrictions on their titles. The more stringently OUYA titles follow console standards, the better the console as a whole looks to users, and the more seriously developers are going to take it.
A few high-quality, standards-compliant titles are better for OUYA than a thousand buggy shovelware ports.
It's fairly late since the last post, but I'm pretty annoyed at the DRM on the Ouya. The worst part is there's no way of telling which software uses the always online requiring DRM. This is a big issue for me, as my Ouya is too far away to use the wireless (all my other wireless devices are fine, the Ouya is the only console too weak to connect to the router) and wired is not an option.
I've bought two things from the Ouya store, Polarity and Kainy. Both check each time I launch them, Polarity actually checks for every single level. I cannot use either due to the fact I can't get my Ouya online when I move the Ouya to the location I wish to use it in.
Games are required to work offline too now (unless it's an online game ofc), otherwise they'll be rejected. There was an issue with the caching code on one of my games that made offline play impossible, and I was told I had to fix that before publishing the game to the store.
It's probably only the games not updated since they added that requirement that still have DRM.