Roku Developer Program

kavulix
Visitor

registry and possible security risk

I use the same source code for all of my Roku channels. Whenever I update my source code, I also overwrite the existing source code in all of my channels. The only differences between the channels are the images and XML feeds. I just finished updating all of my channels with the latest source code and discovered that they all had access to the same registry entries. My understanding of the Roku registry was that each channel was allocated 16kb of storage and all of the channel-specific entries were isolated from other channels. Unfortunately, as I discovered today, that is not the case. This has the potential of being a very significant security risk. Let's say that your channel retrieves a user name and password from the registry with the following code.

Function getStrValFromReg(keyname As String, section As String) As String
    reg = CreateObject("roRegistrySection", section)
    if reg.Exists(keyname) then
        return reg.Read(keyname)
    endif
    return ""
End Function

username = getStrValFromReg("username", "profile")
password = getStrValFromReg("password", "profile")

There's a good chance that another channel may also use a "profile" section and a "username" or "password" key. If the channel's registry isn't concealed from other channels then that private information in the registry could be accessed by ANY channel. Are the registry entries supposed to be accessible by any channel?
0 Kudos
RokuChris
Roku Employee

Re: registry and possible security risk

It's not 16k per channel, but per developer key. You should sign each channel with a different key unless they need access to the same registry space. From the Developer Guide:

Applications store their data separately and securely in a unique area of the system registry. Suites of applications can share registry data by creating each application’s package with the same developer id set of keys.
0 Kudos
kavulix
Visitor

Re: registry and possible security risk

Well, it's a relief to know that the registry settings won't be accessible to other channels. Unfortunately I now have to go back and update all of my channels again with a new dev key. 🙂 Thanks for the tip.
0 Kudos
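
For channels that have to stay on one developer key, the registry sections can still be kept apart by prefixing each section name with the channel ID. The following is an added example, not code from the thread or from Roku's documentation; the helper names `channelSection`, `getChannelStrVal`, `setChannelStrVal` and `dumpRegistryScope` are hypothetical, while `roAppInfo`, `roRegistry` and `roRegistrySection` are the standard BrightScript components.

```brightscript
' Added example: helper names are hypothetical, not from the thread.
' Builds a section name unique to this channel, so channels packaged with
' the same developer key do not read each other's "profile" section.
Function channelSection(section As String) As String
    appInfo = CreateObject("roAppInfo")
    ' GetID() is the channel ID. Side-loaded builds all report "dev",
    ' so this only separates channels once they are packaged and published.
    return appInfo.GetID() + "." + section
End Function

' Same contract as getStrValFromReg above, but scoped to this channel.
Function getChannelStrVal(keyname As String, section As String) As String
    reg = CreateObject("roRegistrySection", channelSection(section))
    if reg.Exists(keyname) then
        return reg.Read(keyname)
    end if
    return ""
End Function

Sub setChannelStrVal(keyname As String, value As String, section As String)
    reg = CreateObject("roRegistrySection", channelSection(section))
    reg.Write(keyname, value)
    reg.Flush() ' persist the write to the registry
End Sub

' Debug aid: print the developer ID this package was built with and every
' registry section visible to it. Two channels that print the same
' developer ID share one registry space.
Sub dumpRegistryScope()
    appInfo = CreateObject("roAppInfo")
    print "channel id: "; appInfo.GetID(); "  developer id: "; appInfo.GetDevID()
    registry = CreateObject("roRegistry")
    for each name in registry.GetSectionList()
        print "  visible section: "; name
    end for
End Sub
```

The prefix only prevents accidental name collisions between channels that share a key; it is not an access boundary, since any channel signed with that key can still open any section. Signing each channel with its own key remains the isolation mechanism.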