I use the same source code for all of my Roku channels. Whenever I update my source code I also overwrite the existing source code in all of my channels. The only differences between the channels are the images and xml feeds. I just finished updating all of my channels with the latest source code and discovered that they all had access to the same registry entries. My understanding of the Roku registry was that each channel was allocated 16kb of storage and all of the channel specific entries were isolated from other channels. Unfortunately as I discovered today that is not the case. This has the potential of being a very significant security risk. Let's say that your channel retrieves a user name and password from the registry with the following code.
Function getStrValFromReg(keyname As String, section As String) As String reg = CreateObject("roRegistrySection", section) if reg.Exists(keyname) then return reg.Read(keyname) endif return "" End Function
There's a good chance that another channel may also use a "profile" section and a "username" or "password" key. If the channel's registry isn't concealed from other channels then that private information in the registry could be accessed by ANY channel. Are the registry entries supposed to be accessible by any channel?
It's not 16k per channel, but per developer key. You should sign each channel with a different key unless they need access to the same registry space. From the Developer Guide:
Applications store their data separately and securely in a unique area of the system registry. Suites of applications can share registry data by creating each application’s package with the same developer id set of keys.
Well, it's a relief to know that the registry settings won't be accessible to other channels. Unfortunately I now have to go back and update all of my channels again with a new dev key. Thanks for the tip.