How to keep Android public key more secure with SDKBOX IAP?

taikhoan113 · July 16, 2015, 4:22am

As Google tell us should keep public key more secure .But with SDKBOX IAP. we have to show all in sdkbox_config.json file .
Is there any better way on this to keep IAP public key more secure ? And could we get C++ code for SDKBOX IAP for secure custom ? As currently SDKBOX just only provide .a file for C++ lib .
Is it safe if we implement IAP for our game the way of SDKBOX IAP ?
Thanks & Best Regards,
Tai

nite · July 16, 2015, 5:30pm

We’re planning to have encrypted sdkbox_config.json in 1.2.1

You can add comments about the feature here

taikhoan113 · July 17, 2015, 3:17am

Thanks for your reply .

But how can we get C++ source code for libPluginIAP.a and libsdkbox.a then check & build lib by ourself .
I see and notice that the lib send tracking data to your server without notice to game developers as below :
Tracking http://metrics.sdkbox.com/?{“CDID”:“67452301EFCDAB8998BADCAAA0325476C3D2E1F0”, “CocosVersion”:“v3”, “ProjectType”:“cpp”, “SdkboxVersion”:“sdkbox V1.1.5”, “SDKBoxIAP”:{“version”:“1.1.3”,“cocos”:“v3”,“language”:“cpp”}} sent

That not fair as Cocos2dx is quite open source .

nite · July 17, 2015, 3:59am

Yes I understand your concern, Yes we’re tracking who is using us and what version are developers using, and we disclose all the data we’re collecting. http://cocos2d-x.org/sdkbox/privacy and as you can see we’re strictly obey what’s in the privacy policy.

The data we collected is really helpful for SDKBOX and cocos2d-x because we need that to convince third party SDK provider keep supporting(paying) us.

And it’s because the support we got, we are able to hire more people to work on the SDKBOX and keep making our plugins easier to use. We did provide an open source plugin approach, that is plugin-x, but it’s really a failure, because we’re engine developers and nobody wants to maintain third party SDKs which are constantly updating.

cocos2dxer002 · July 17, 2015, 4:22am

@nite,
So is there any schedule to open source of SDKBOX?

nite · July 17, 2015, 6:04am

There is no plan to open source SDKBOX as if now.

stephenyu · November 16, 2015, 8:04am

I checked the Trello board and the encryption feature was moved to 1.4.1 milestone. My SDKBox installer file was downloaded from Chartboost plugin page and it say in the page that the version was 1.4.1. But when I run “version” command in terminal the version is 0.5.7.24. I cannot found the “encrypt” command there. How could I make sure the SDKBox I am using is 1.4.1?

nite · November 16, 2015, 6:14pm

We have encryption on our remote configuration service, it’s going through internal testing right now. Will be available in two weeks.

jtrinc · August 25, 2016, 3:32am

hi @nite, just wanted to follow up on this. I noticed the Trello card was archived, is there another way to en/decrypt the JSON configuration other than using LiveOps?

nite · August 25, 2016, 6:04am

You should be able to download a encrypted version of sdkbox_config from LiveOps. and use it locally, if that’s what you want.

lazycat1711 · October 29, 2016, 5:24pm

hi,
i can’t find way to download encrypted file from liveops

nite · October 30, 2016, 9:02pm

We’re tweaking the encrypted file downloading function, right now.