question

zeke avatar image
zeke asked

What is the "Developer secret key" in PlayfabSharedSettings?

It doesn't match the secret key we have for server or admin APIs, and it doesn't match any other key shown in the playfab dashboard. Does the client API use an autogenerated key? What generates this field and what is it used for? Is it shown anywhere in the dashboard?

apisAuthentication
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1807605288 avatar image
1807605288 answered

Hello everyone. It is good that you are concerned about the security of your title and your game, and I have carefully tested the situation you're asking about.

Here's the line of code that is concerning to everybody: https://github.com/PlayFab/UnitySDK/blob/master/ExampleTestProject/Assets/PlayFabSDK/Shared/Models/PlayFabSharedSettings.cs#L12

You can note the conditions where the value exists, and when it does not:
#ifENABLE_PLAYFABSERVER_API||ENABLE_PLAYFABADMIN_API||UNITY_EDITOR

UNITY_EDITOR exists anytime you're in the editor itself. And that's why you can still see the value.

I've tested this condition in the past and determined it's safe for client builds.

You can repeat my steps like this:

  • In the EdEx panel, ensure that CLIENT is the only enabled API. (Entity can be enabled or disabled, it won't affect it either way).
  • If you read all your local EDITOR files, such as the scriptable object, you'll see that developerSecretKey continues to exist. This is expected.
  • If you make a client build, and enter the resources folder, open the <your_game>_data/resources.assets file in a binary hex editor (I used Beyond Compare 4).
  • Search for your titleID, and it should clearly appear in the file, and you should see most of your other PlayFabSharedSettings values there. DeveloperSecretKey will not be there.
  • Search other binary files, and you should not find any other PlayFabSharedSettings information
  • Thus, you can confirm that you've found the right place in the right file, and that you won't accidentally publish your server secret to your clients.

This was tested earlier this year, with Unity 2017, a little before the release of 2018.

[UPDATE] I just retested with 2018.1.0b13 (My home computer is slightly out of date), and found that this is still true. I also made the test instructions a little clearer.

1 comment
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

trisibo avatar image trisibo commented ·

Well, just checking that ScriptableObject's code would have made that clear to me in a just a few seconds instead of losing my time, and worse, making others lose theirs. I don't know why I didn't do that first. Thanks, and my most sincere apologies, @Paul Gilmore and @Brendan

0 Likes 0 ·
pfnathan avatar image
pfnathan answered
24 comments
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

zeke avatar image zeke commented ·

It sounds like the implication is that it's the server+admin api key - if that's true, why doesn't it match the API key that's shown in the playfab dashboard, the one we use for our other tooling?

0 Likes 0 ·
brendan avatar image brendan zeke commented ·

The developer secret key should be your Secret Key from the Game Manager. It sounds like you're saying you're seeing something pre-populated, which shouldn't be the case. What exactly are you seeing in your developer secret key in your project?

0 Likes 0 ·
trisibo avatar image trisibo brendan commented ·

I also have the "DeveloperSecretKey" in the "PlayFabSharedSettings" asset, after just selecting the studio in the editor extensions. I only have the client API enabled (no admin, server, etc.) From what you said, I assume that key shouldn't go anywhere near a public build; however, the "PlayFabSharedSettings" asset is in a "Resources" folder, so it will be added to builds with the key inside. What should I do in this case?

1 Like 1 ·
Show more comments
Show more comments
dreadwolf avatar image dreadwolf zeke commented ·

I am also interested in knowing how to deal with PlayFabSharedSettings in the Resources folder. I need ENABLE_PLAYFABADMIN_API to be enabled in editor and I was surprised when I realized admin calls also worked in play mode and on device. I could turn off ENABLE_PLAYFABADMIN_API when we ship, but I think the developer key would still be compiled into the app because it's in the Resources folder. I think I will need to fix this unless someone confirms that it doesn't work the way I think it does.

0 Likes 0 ·
dreadwolf avatar image dreadwolf dreadwolf commented ·

Oops, I meant to reply to @Trisibo. Can't figure out how to fix it.

0 Likes 0 ·
Show more comments
Show more comments
Denzie Gray avatar image
Denzie Gray answered
@Brendan

Is this issue still in effect? The project has the Developer Secret Key and I don't see anyway to remove it. I assume it is stripped out on build - is that not the case?

Using the latest Editor extension

6 comments
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

brendan avatar image brendan commented ·

What issue are you referring to? The Unity build will only contain the Secret Key if one of the flags Paul mentioned is set in the code.

0 Likes 0 ·
Denzie Gray avatar image Denzie Gray brendan commented ·

@Brendan I was just asking for further clarification because in an older thread you mentioned a removing the key when I asked something similar despite the key being auto-generated.

0 Likes 0 ·
brendan avatar image brendan Denzie Gray commented ·

Yes, you should always make sure no Secret Key is shipped in your project. Since we support a wide variety of development engines and languages, the specifics of that are going to vary from project to project. If you're using our Unity SDK and Editor Extensions, the info from Paul above would be the right guidance.

0 Likes 0 ·
Show more comments

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.