Roku Developer Program

Join our online forum to talk to Roku developers and fellow channel creators. Ask questions, share tips with the community, and find helpful resources.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
kavulix
Visitor

registry and possible security risk

I use the same source code for all of my Roku channels. Whenever I update my source code I also overwrite the existing source code in all of my channels. The only differences between the channels are the images and xml feeds. I just finished updating all of my channels with the latest source code and discovered that they all had access to the same registry entries. My understanding of the Roku registry was that each channel was allocated 16kb of storage and all of the channel specific entries were isolated from other channels. Unfortunately as I discovered today that is not the case. This has the potential of being a very significant security risk. Let's say that your channel retrieves a user name and password from the registry with the following code.

Function getStrValFromReg(keyname As String, section As String) As String
reg = CreateObject("roRegistrySection", section)
if reg.Exists(keyname) then
return reg.Read(keyname)
endif
return ""
End Function

username = getStrValFromReg("username", "profile")
password = getStrValFromReg("password", "profile")

There's a good chance that another channel may also use a "profile" section and a "username" or "password" key. If the channel's registry isn't concealed from other channels then that private information in the registry could be accessed by ANY channel. Are the registry entries supposed to be accessible by any channel?
0 Kudos
2 REPLIES 2
RokuChris
Roku Employee
Roku Employee

Re: registry and possible security risk

It's not 16k per channel, but per developer key. You should sign each channel with a different key unless they need access to the same registry space. From the Developer Guide:

Applications store their data separately and securely in a unique area of the system registry. Suites of applications can share registry data by creating each application’s package with the same developer id set of keys.
0 Kudos
kavulix
Visitor

Re: registry and possible security risk

Well, it's a relief to know that the registry settings won't be accessible to other channels. Unfortunately I now have to go back and update all of my channels again with a new dev key. 🙂 Thanks for the tip.
0 Kudos
Need Assistance?
Welcome to the Roku Community! Feel free to search our Community for answers or post your question to get help.

Become a Roku Streaming Expert!

Share your expertise, help fellow streamers, and unlock exclusive rewards as part of the Roku Community. Learn more.