Roku Developer Program

Level 7

registry and possible security risk

I use the same source code for all of my Roku channels. Whenever I update my source code, I also overwrite the existing source code in all of my channels. The only differences between the channels are the images and XML feeds. I just finished updating all of my channels with the latest source code and discovered that they all had access to the same registry entries. My understanding of the Roku registry was that each channel was allocated 16kb of storage and all of the channel-specific entries were isolated from other channels. Unfortunately, as I discovered today, that is not the case. This has the potential of being a very significant security risk. Let's say that your channel retrieves a user name and password from the registry with the following code.

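' Read a string value from the given registry section; returns "" if the key is absent.
Function getStrValFromReg(keyname As String, section As String) As String
    reg = CreateObject("roRegistrySection", section)
    if reg.Exists(keyname) then
        return reg.Read(keyname)
    endif
    return ""
End Function

' Credentials are looked up under the generic "profile" section name.
username = getStrValFromReg("username", "profile")
password = getStrValFromReg("password", "profile")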

There's a good chance that another channel may also use a "profile" section and a "username" or "password" key. If the channel's registry isn't concealed from other channels then that private information in the registry could be accessed by ANY channel. Are the registry entries supposed to be accessible by any channel?
0 Kudos
Roku Employee

Re: registry and possible security risk

It's not 16k per channel, but per developer key. You should sign each channel with a different key unless they need access to the same registry space. From the Developer Guide:

Applications store their data separately and securely in a unique area of the system registry. Suites of applications can share registry data by creating each application’s package with the same developer id set of keys.
0 Kudos
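
Added example, not part of the thread or of Roku's documentation: one way for channels that must share a developer key to avoid colliding on generic section names such as "profile", plus a helper that lists what the current key's registry space exposes to the running channel. The function names (sectionFor, readChannelValue, writeChannelValue, listVisibleRegistry) are hypothetical.

```brightscript
' Added example; all function names below are hypothetical helpers.

' Prefix a section name with this channel's ID so that channels signed
' with the same developer key do not collide on names like "profile".
Function sectionFor(section As String) As String
    appInfo = CreateObject("roAppInfo")
    ' GetID() returns the channel ID ("dev" for a sideloaded channel).
    return appInfo.GetID() + "." + section
End Function

Function readChannelValue(keyname As String, section As String) As String
    reg = CreateObject("roRegistrySection", sectionFor(section))
    if reg.Exists(keyname) then
        return reg.Read(keyname)
    end if
    return ""
End Function

Sub writeChannelValue(keyname As String, newValue As String, section As String)
    reg = CreateObject("roRegistrySection", sectionFor(section))
    reg.Write(keyname, newValue)
    reg.Flush()   ' persist the write to the device registry
End Sub

' Audit helper: returns an associative array mapping every registry
' section visible to this channel to the list of key names it holds.
' Sections written by other channels signed with the same developer
' key will appear here.
Function listVisibleRegistry() As Object
    result = {}
    registry = CreateObject("roRegistry")
    for each sectionName in registry.GetSectionList()
        sec = CreateObject("roRegistrySection", sectionName)
        result[sectionName] = sec.GetKeyList()
    end for
    return result
End Function
```

The prefix only prevents accidental name collisions; channels signed with the same key can still read each other's sections, so separation between channels requires distinct developer keys as described in the reply above.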
Level 7

Re: registry and possible security risk

Well, it's a relief to know that the registry settings won't be accessible to other channels. Unfortunately I now have to go back and update all of my channels again with a new dev key. :) Thanks for the tip.
0 Kudos