martinliu1993 asked

How should security be implemented when performing client calls?

What is the correct way to allow clients to modify their user stats while maintaining security?

Currently, we have a server that monitors game events. When a game event triggers (gaining exp, for example), the server notifies the clients to run game logic code that calculates how much exp the client should gain. Then, the clients make a server API call to PlayFab to increase their exp.

Correct me if I'm wrong, but I think this approach has security flaws because clients may hack the game to increase as much exp as often as they want by abusing that Server API call.

As a potential fix, I've heard people talking about letting clients execute Cloud Scripts and performing the game logic there. However, our game logic for calculating how much exp/stats and stuff to award is quite complex, and I would prefer not to have to move it into Cloud Script code, leaving it in the game logic instead.

Another possibility is that every time clients would make a Server API call to PlayFab to change their exp, the clients tell the server to do it instead. The server would use the client's PlayFab credentials to log in and update user stats. However, I don't know if this is possible.

What is the best way to enforce security when clients are executing API calls?


1 Answer

brendan answered

Well, first, can you clarify "the clients make a server API call"? Under no circumstances should the client be able to make Server API calls directly. If they can, that means they have the Secret Key for your game, which in turn means that a hacked client could do severe damage to your title, since the Secret Key gives them the ability to make any Server or Admin API call.

As to your question, you would ideally either have a custom game server that submits the statistics, or else use Cloud Script. In the case of a custom game server, it could be the authority for the whole game session, making it so that there's very little you have to trust the client for, apart from inputs. But using Cloud Script, you could also have logic that checks if the score is within a reasonable range, if the player is reporting a new set of statistics in less time than it should take to complete a level, or anything else that might help to identify cheating. But anything for which the client is authoritative can be fairly easily compromised by a hacker - hence, the reason the Client API version of UpdatePlayerStatistics is disabled in games by default.
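An added illustration of the Cloud Script route described above (example code, not from the post or from PlayFab): the handler checks a client-reported exp gain against a maximum per level and a minimum time between reports, and only then writes the statistic with the Server API. The limits, the `validateExpReport`/`reportExp` names and the `lastExpReportMs` internal-data key are assumptions; `server` and `currentPlayerId` are the globals Cloud Script provides, passed in here as parameters.

```javascript
// Plausibility rules for a client-reported exp gain, as a pure function so
// they can be tested outside Cloud Script. Limits are constructed examples.
const MAX_EXP_PER_LEVEL = 500;      // a level never awards more than this
const MIN_LEVEL_MS = 30 * 1000;     // a level cannot be finished faster than this

function validateExpReport(expGained, lastReportMs, nowMs) {
  if (!Number.isInteger(expGained) || expGained <= 0) {
    return { ok: false, reason: "exp must be a positive integer" };
  }
  if (expGained > MAX_EXP_PER_LEVEL) {
    return { ok: false, reason: "exp exceeds the per-level maximum" };
  }
  if (lastReportMs !== null && nowMs - lastReportMs < MIN_LEVEL_MS) {
    return { ok: false, reason: "reported faster than a level can be played" };
  }
  return { ok: true };
}

// Handler logic. In Cloud Script, `server` and `currentPlayerId` are globals
// that PlayFab provides; they are parameters here so the function runs in
// plain Node against the stand-in below. Assumes the "exp" statistic is
// configured with Sum aggregation, so each accepted value is added.
function reportExp(args, server, currentPlayerId, nowMs) {
  const stored = server.GetUserInternalData({
    PlayFabId: currentPlayerId, Keys: ["lastExpReportMs"] }).Data || {};
  const last = stored.lastExpReportMs
    ? parseInt(stored.lastExpReportMs.Value, 10) : null;
  const verdict = validateExpReport(args.expGained, last, nowMs);
  if (!verdict.ok) return { accepted: false, reason: verdict.reason };
  server.UpdatePlayerStatistics({ PlayFabId: currentPlayerId,
    Statistics: [{ StatisticName: "exp", Value: args.expGained }] });
  server.UpdateUserInternalData({ PlayFabId: currentPlayerId,
    Data: { lastExpReportMs: String(nowMs) } });
  return { accepted: true };
}

// Stand-in for the Cloud Script `server` object: records the writes it
// receives and returns a stored last-report timestamp (null = none).
function fakeServer(lastReportMs) {
  const writes = [];
  return {
    writes,
    GetUserInternalData: () => ({ Data: lastReportMs === null ? {}
      : { lastExpReportMs: { Value: String(lastReportMs) } } }),
    UpdatePlayerStatistics: (req) => { writes.push(req); return {}; },
    UpdateUserInternalData: (req) => { writes.push(req); return {}; },
  };
}
```

In a real Cloud Script file the registration would be `handlers.reportExp = (args) => reportExp(args, server, currentPlayerId, Date.now());`, and the client would call ExecuteCloudScript with that handler name instead of touching UpdatePlayerStatistics itself.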

6 comments

martinliu1993 commented

For a custom game server, it sounds like we need to ship 2 versions of our game. One will be a server build containing the secret key. It will contain the PlayFab Server API. The other one will be a client build not containing the secret key. It will contain the PlayFab Client API.

The clients should never have to update stats, so API calls like UpdatePlayerStatistics will remain disabled as is default. This is because generally the server decides game state and updates player data on the server, and thus will use server API to update. The updated data will be replicated downwards to clients using Unreal networking for display.

On client API side, the clients will only ever make getter API calls to update their UI.

Does this sound like the correct flow? The downside to this is that we need 2 separate builds, but it should handle security issues.

martinliu1993 commented

For P2P, since players are hosts, we might just disable PlayFab and not allow achievements or online stats. Skills and whatever, however, will be customizable for the play session only, based on whatever the user wants.

brendan commented

Yes, we'd recommend having separate builds. Technically, it's possible to set up a single project that has two different targets, so that you can isolate that data from one or the other, but the 100% safe route is to make them separate, so that there's no risk of leaking the Secret Key. Then you would only have the server version of your game running on servers that you directly control (whether hosted with us or elsewhere).
