Safety conditions

Hello
Our team has a few questions about safety conditions. Could you please clarify this point for us? I will try to describe it:
Can you advise something in order to guarantee access to the API only from your application? I mean, a way to securely store a private key on the client in your application.
Does Overwolf have some kind of protection against hacking of our application, so that it cannot be modified and made to send fake data via our API? Is there any way to counteract cheating by players in the game?

Hi,
I’ll try to answer.

  1. In terms of guaranteeing access to your APIs from the application - it is similar to a web page - there is no such guarantee you can make - someone can see the traffic being sent to your servers and mimic it.
    Also, like a website, you can embed an iframe pointing to your server that will perform server-side rendering and calls to any internal APIs.

If you still want a local application (not server-side rendering) that accesses the API (which is usually a better choice, IMO), it's a game of making it harder to perform external API calls, for example by requiring user authentication, using a proprietary protocol, etc.

  2. Yes, all applications that are uploaded to https://console.overwolf.com have a meta folder created with signatures for all content of your app. The Overwolf client then validates these signatures when the application is loaded.

Disclaimer: anything can be cracked; it's just a matter of how hard and worthwhile it is for the person.

Hi!
Our team has a couple more questions about the overwolf application:
Can we store a private key inside the application?
Where is the storage where the private key is located?
In what format and where will the application be located on the client PC?

Thank you in advance for your support and explanation.

Hi,
You can store a private key inside your application - however, it is a very poor security measure.
Even if you encrypt it inside a packed executable, if it is worth the effort, someone can extract it.
Storing a private key on the client side is never a good solution when trying to hide it from the client user.

If you choose to store it, you have multiple places; here are two I can think of:

  • a file in your app (js/html/json)
  • embedded in a plugin DLL in your app, which can be loaded by the app and read