Thomas Brown asked

How often should I sync in app purchase data?

Our game is a single player / multiplayer game that will involve in app purchases such as unlocking characters and levels. Once these items are unlocked, players will be able to utilize said characters or pick said levels to play in.

I have been doing a ton of research on this, and I can't find how often I should sync / check my data to ensure players have the correct information, and are not gaming the system in any way.

In short I guess my question is this. Would it be a bad idea if before the game starts every time I pulled the in app purchase data down to local storage and then acted upon that? Meaning once synced in the beginning of the game, every subsequent check (can I use this character, can I pick this level) would ask the local storage if these things are possible instead of asking the server every time.

Most likely I would pair this type of flow with some encryption on that local file to ensure it is not easily modifiable.

Part of the reason I thought this might be a good idea is due to us including single player. I keep getting stuck on what happens if a player wants to play the game and they have no connection to the internet? Surely they should be able to play with the characters and levels they have already purchased. If I had to query the server every time for this information I don't see how that would be possible.

Thanks so much for the help in advance! You guys have some stellar support.


1 Answer

brendan answered

If by "app purchase data" you mean pulling down the player's inventory (https://api.playfab.com/documentation/client/method/GetUserInventory), that'd be fine, yes. Or you could just use the InfoRequestParameters in the login call to get that.

As to whether or not you allow offline play, that's a different question, really. Security for your game will come down to this - if it's client-authoritative, it can be cheated. Period.

Basically, you should decide where on the spectrum of security you want to be. At a high level (there are certainly far more options, but these are sort of the classic examples), it's:

1. Client can be authoritative about actions, rewards, etc. Allows for cheating, but also allows for offline play.

2. Client sends up commands that are used by a Cloud Script to determine the important things - scores, rewards, etc. Fine for games that only need to do this occasionally (a few times a minute), but does mean that the player must be online to play for anything that requires that check-in. More secure, though you're still relying on the client for much of the action of the player, so still some opportunity to cheat.

3. Client is connected to an authoritative custom game server that is in charge of game activity. Very little opportunity to cheat, apart from the inputs going to the server (which you can also check), but requires a rock-solid connection.

3 comments

Sergey Rudenko commented ·

Hey Brendan, I wanted to ask you within this question re getUserInventory - so if the game client syncs player inventory periodically (like on login and before every meaningful action that relies on inventory data) - we are sort of "safe" from hacks?

0 Likes 0 ·
brendan (replying to Sergey Rudenko) commented ·

That really depends upon how you're using the information. If you mean, you're polling the service for inventory data and then deciding what the player gets to do in the game locally, all I have to do as a hacker is intercept the data coming in and alter it, since the authority for the game logic is on my local device. SSL (as well as any added encryption you might want to use) is really only effective at preventing man-in-the-middle attacks. There are some pretty sophisticated libraries designed to help prevent cheating on the local device by doing things like obfuscating the data in memory or having a hypervisor that monitors for "bad" actions, but ultimately if the authority for the game logic is local, it technically can be cheated.

I should also point out though, that a high volume of inventory requests (like, if you tried doing this in Cloud Script, and were requesting inventory every few seconds that way) would be a violation of our fair use policy. If you need high security, a custom game server is going to be your best bet.

0 Likes 0 ·
Sergey Rudenko (replying to brendan) commented ·

Awesome context - thank you :) I think in our game authority is server-side, so we should be good ;)

0 Likes 0 ·
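
The difference between options 1 and 2 in the answer, and the point in brendan's comment about locally held inventory data being altered, shown as an added example (not part of the original thread and not PlayFab code). It is plain JavaScript; `SERVER_INVENTORY`, `SERVER_REWARDS`, `clientCanUse` and `handleLevelComplete` are hypothetical names, and all data is constructed.

```javascript
// Added example: every name and value here is hypothetical / constructed.
// Server-held state: the only copy the game logic should trust.
const SERVER_INVENTORY = new Map([
  ["player1", new Set(["char_knight", "level_1"])],
]);
// The reward table also lives on the server, never in the client request.
const SERVER_REWARDS = new Map([["level_1", 50], ["level_2", 200]]);

// Option 1 (client-authoritative): decision made from a locally cached inventory.
function clientCanUse(localCache, itemId) {
  return localCache.includes(itemId);
}

// Option 2 (server decides): the client sends a command; the handler re-derives
// ownership and reward from server state and ignores anything the client claims.
function handleLevelComplete(playerId, args) {
  const owned = SERVER_INVENTORY.get(playerId);
  if (!owned) return { ok: false, reason: "unknown player" };
  for (const itemId of [args.characterId, args.levelId]) {
    if (typeof itemId !== "string" || !owned.has(itemId)) {
      return { ok: false, reason: "not owned: " + String(itemId) };
    }
  }
  const reward = SERVER_REWARDS.get(args.levelId);
  if (reward === undefined) return { ok: false, reason: "no reward defined" };
  return { ok: true, reward };
}

// Constructed scenario: cache synced at login, then altered on the device.
function runScenario() {
  const syncedCache = ["char_knight", "level_1"];
  const alteredCache = [...syncedCache, "char_dragon", "level_2"];
  return {
    // The local check has no way to tell the cache was changed.
    localCheckOnAlteredCache: clientCanUse(alteredCache, "char_dragon"),
    // The server never reads claimedInventory or claimedReward.
    serverOnAlteredClaim: handleLevelComplete("player1", {
      characterId: "char_dragon", levelId: "level_2",
      claimedInventory: alteredCache, claimedReward: 9999,
    }),
    serverOnHonestCommand: handleLevelComplete("player1", {
      characterId: "char_knight", levelId: "level_1", claimedReward: 9999,
    }),
  };
}

console.log(runScenario());
```

The server-side check runs once per meaningful command (here, a level completion) rather than on a polling loop, which is the usage pattern the fair use remark in the comment points toward.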
