About the encryption of resources

I have a question. How do you deal with resource protection?
I thought of the following:

  1. Implement a Loader by yourself, and then write and parse all resources by yourself.
  2. Use j3o, but other people can still read resources through jme3.
  3. Pack j3o into an encrypted zip? Then, the program decompresses the zip and reads it?
    You are welcome to post your thoughts, thank you. :slightly_smiling_face:

The question is always how much effort do you want adding inconvenience.

It’s impossible to 100% protect assets… so then you just have to decide how much is “enough”.

For most, j3o is probably enough. Especially if you have custom controls, the effort to read the j3o is not too far away from the effort to load your game in a JVM and extract the data from RAM.


I think , even with java you cannot access the files inside the zip without using ZipStreams ( i have gone through on android, it was not even encrypted) which extracts the zip file before doing anything , so for encrypting zipping will be the best choice if you have paid assets but also there would be possible performance issue & increased loading time , though you need to pack them again after the game finishes but if the game is actually not responding , your files are endangered because your project as decrypted them :stuck_out_tongue_winking_eye:,

So , I donot really know if you can attach your assets to an asset pack git private project & do runtimeOnly 'project:assets3.2' I didn’t try this , but I know that , some IDEs like IDEA can extract your libraries in a form of jar files (artifiacts) , should you try this & report ?

EDIT if you are building a game on android studio then you can use the Play ASSET Delivery API ( obb files) , that will do everything for you.



@Pavl_G but Jar can be just opened using zip.

Generally like Paul said, its impossible to 100% protect.

But what worth, would be customize j3o format yourself or customize VM(provided along with game) to do some hidden things. It would be high protect imo.


From a desktop focus:

Raw on disk: anyone can access it

In a zip: anyone can access it

In a jar: anyone that knows a jar is a zip can access it

In a j3o: only folks who know what a j3o is and how to access that in a JME application can access it. (A significantly smaller set of people than the above.)

Rename extension to .foo but it’s still a .j3o: only highly motivated folks who bother to look deeply enough to figure out that it is the same can access it.

…now we are already in the realm of “JME developer” level person.

.j3o/.foo with custom control: only a JME developer who knows how to link in your .jars into their custom app can access your assets

literally any other protection you can think of short of decription in the shader: a JME developer who knows how to run your application within their application and/or hook into your application (add a key mapping in input manager for example) can access and dump anything they want. (And note that decryption in the shader is only a ‘takes a little longer to figure out’ style stumbling block)

How much effort do you want to expend to work towards diminishing returns. Already a j3o cuts out most of the world’s population.


@Pavl_G @pspeed @oxplay2 Thank you everyone. These suggestions are helpful to me. I think I might write a custom Loader to load resources to protect resources. :+1: :slightly_smiling_face:

1 Like

Yeah, if it’s a desktop application that will add at least 30 minutes to the time it takes to get the resources out of the app… for a very motivated person.

1 Like

I remembered now my old development days , I was using windows & wrapping jar files to .exe with launch4j , but I thought now , what if you can do this with encrypted or encoded exe instead , I donot know really if something like that exists (it would be the same as running .sh with restricted permissions) ,

See ( I found they have encrypted jar for exes):


EDIT : Back in 2018 , I have coded an Electronic Test project , it was in swing , I was training on data hiding , AES , cryptography & java File IOs , so , in the password file , I encrypted it using AES but it was plain txt file , other data are hidden by a powershell script & changed the folder names to something like .~name when my java code is not using it , i remember this cannot be opened by the windows file manager , also you have the opportunity to work around for a powershell script to overcome this part by some permissions , but it can be opened in Linux .


Thanks for sharing! :+1:

1 Like

I thought the whole purpose of java modules was to give you the control of what is viewable from a user aspect?

If its not a public class in a public module wouldn’t it be unusable by others trying to hack?

Strong encapsulation—The packages in a module are accessible to other modules only if the module explicitly exports them. Even then, another module cannot use those packages unless it explicitly states that it requires the other module’s capabilities. This improves platform security because fewer classes are accessible to potential attackers. You may find that considering modularity helps you come up with cleaner, more logical designs.

1 Like

I suppose we talk about “resource encryption” not code and anyway accessibility have nothing to do with it.

but its still JVM that manage it right?

if someone would modify JVM he would still be able to access.

But again its same, nothing can be 100% protected, even Windows source once was back-step gathered as i heard.

1 Like

My bad.

I return you to your regular programming.

i feel like i did something bad :smiley:

guess we can continue code security topic here too, just mentioned that OP post was just about resources.

1 Like

No, that’s not quite the case… if you have modular code and you’re running your JVM with the standard module options, then yes, you can do some code hiding (though I look at this as more of a software design benefit than a security benefit - if someone untrusted is able to execute code unsandboxed in-process with your code you’re already in trouble). When someone else is running the JVM, it’s easy to bypass module protections and open up whatever you want to.