cloudweight asked

How would I handle a virtual currency online and offline? / Some questions about integration with PlayFab.

So I'm planning to have a virtual currency in my game. You can of course use this to purchase in-game items and what not. The user will also be able to purchase more of this virtual currency using real world money through PlayFab.

My question comes when the user is offline. Obviously they won't be able to purchase anything through PlayFab but they will still need to have access to their virtual currency when playing the game. My thoughts were something along the lines of..

When online

  • Use PlayFab to securely initiate an increase and decrease in currency.
  • Locally keep a 'lastValidCurrency' that is only updated by PlayFab directly when online.

When offline

  • Use the 'lastValidCurrency' value when offline.
  • Once the user is online again, we check 'lastValidCurrency' against the server value returned by PlayFab. If the currency doesn't match then we update 'lastValidCurrency' to the server value.

Obviously this will work for the most part, but a determined cheater will disconnect his internet, change the money value, purchase the items he wants, then reconnect to the internet. His money will roll back but he gets to keep everything he purchased.

How would I go about defeating something like this?


Hi, I'm interested in integrating my game with PlayFab and had a couple questions about how things are done and also some practicality questions.

So I will start with my general question first.

  1. I am a developer that solely owns my studio by myself and I develop games by myself on single user licenses and the PlayFab Essentials plan looks like a good starter plan. So let's say my game starts to gain traction. At what user point (MAU) will I need to upgrade my plan?

And now some case use questions.

  1. My game currently has a problem with people cheating virtual currency and items because everything is stored locally. I've tried encrypting my files but this only goes so far since the game key has to be stored in the game code which is accessible to anyone with reverse engineering knowledge. So what I want to do is store everything in the cloud (on PlayFab) and only be able to update the values securely at intervals when playing. So onto my actual question, is PlayFab good at handling something like this? I would be storing a virtual currency, items, and other things of value which can be purchased on a secure storefront or earned from in-game activities.
  2. I was reading the documentation and it seems PlayFab has a ticket based authentication kind of system, correct? Is this ticket completely secure? Meaning can I safely use this ticket as a means of verifying game content or is there a high possibility a ticket can be faked?
  3. I guess this is kind of a sub-question to the question above but can I use PlayFab to also authenticate a user and allow them to play on a game server or should I stick to something like using Steam's Authentication Tickets? Obviously pirates exist and if they are allowed to access my game's online servers by getting past the system then it would be a problem.
  4. This is kind of a weird one but, I was looking in the documentation about receipt validation and I only see references to Google Play and iOS. Does receipt validation only work with these platforms or can we use them for other IAPs?

cloudweight commented

ahh I guess my two threads got combined into one..


1 Answer

brendan answered

Since the second post is really a superset of the first, I'll address the whole thing here. For when to upgrade tier, there are a couple of things to think about:

First, there's the question of features needed. The higher limits in the indie and pro tiers enable a broader range of features, as well as give you the tools you need to support rich LiveOps (player segmentation, events, etc.).

Second, there's the question of risk tolerance. The free (essentials) and indie tiers have no Service Level Agreement or private support. Without MAU-based revenue, our options are fairly limited for how we can help you. So while we work hard to make sure the service is stable and reliable for everyone, if your title is doing something non-sustainable due to a bug in the game code, a hacker attacking the game, etc., we may have to restrict it in how it can talk to the service, so that other titles aren't impacted.

For the rest of your questions:

1. Your game is trusting the client to be authoritative for the data locally, including items and VC. There is no way to prevent cheating in that model, as the player is in control of the data. Encryption adds very little to the security, since the local client must have the code needed to encrypt/decrypt the data. We provide a range of secure services that are designed for the needs of games, like our economy system. Using it, you would use VC, catalog, receipt validation, inventory, etc., using our API calls, and so make sure that players are only getting things they pay for. But it is the case that this security comes with the limitation that the player only gets to have those interactions if they're online. If you want to provide an offline game mode but still want to have a secure play experience (so that you can have things like competitive leaderboards), I'd have to recommend you make those two completely distinct game modes. Offline data is for offline play only, while secure gameplay is online only.

2. No authentication system verifies game content. Authentication is about verifying and securing the identity of the player. We integrate with a wide range of authentication systems, including Steam auth tickets. The thing to do for auth is to pick the login systems that make sense for your game (device ID, tickets/tokens from Google, Steam, Facebook, etc.) and use those integrations.

3. We provide game server hosting and a matchmaker that provide you with the means to securely connect players to your custom game servers (including if you use external server hosting).

4. We provide receipt validation for iOS, Android, Amazon, and Windows, as well as entitlement consumption (their receipt-like system) for Xbox Live and PlayStation Network. We also have integration with non-receipt payment systems from Facebook, PayPal, Steam, and Xsolla.


cloudweight commented

Thanks for your help! I chose PlayFab because it seems a lot more user friendly than GameSparks and I like your pricing for indies better.

I've decided to have two different modes like you've recommended. An online mode that stores all user data online. Then an offline mode that stores all user data locally. They will be completely separate, however I'd still like to offer offline modes the ability to purchase VC if they are still connected to the internet. Although there is a chance a user can cheat the VC, I'd still like to have the option. Does something like this seem feasible?


brendan commented (replying to cloudweight)

For offline play, the one issue you'll run into is syncing the data from offline play to the saved state. If, for the offline game, you only use a player data KVP to store the info about the player's inventory, you could send that and the current VC balance from the client on login, and have a Cloud Script that does some basic sanity checks on that. But sure, in that model, there's no reason not to sell the player VC - you will get plenty of cheating, but you'll also have some folks who are honest. The key is just to prevent the cheaters from ruining the game for the honest players, so not having competitive leaderboards or anything else that might cause the honest players to feel disadvantaged by obvious cheating.

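The login-time sanity check suggested in the last reply, sketched as an added example (not code from the thread or from PlayFab): a pure function that a server-side script could call with the authoritative saved state and the client's untrusted offline report. `CATALOG`, `reconcileOfflineState` and every field name are hypothetical, and the prices and player states are constructed.

```javascript
// Added example. CATALOG, reconcileOfflineState and all field names are
// hypothetical; prices and player states below are constructed.
const CATALOG = new Map([["sword", 100], ["shield", 250], ["potion", 10]]);

// serverState: authoritative { balance, inventory } last saved by the service.
// clientReport: untrusted { balance, inventory } sent by the client on login.
function reconcileOfflineState(serverState, clientReport) {
  const flags = [];
  const rejected = [];
  const accepted = [...serverState.inventory];
  let budget = serverState.balance; // only server-known currency can be spent

  // Count items the server already knows about so they are not charged again.
  const known = new Map();
  for (const id of serverState.inventory) known.set(id, (known.get(id) || 0) + 1);

  for (const id of clientReport.inventory) {
    if (known.get(id) > 0) { known.set(id, known.get(id) - 1); continue; }
    if (!CATALOG.has(id)) {
      rejected.push(id); flags.push("unknown_item:" + id);
    } else if (CATALOG.get(id) > budget) {
      rejected.push(id); flags.push("unaffordable:" + id);
    } else {
      budget -= CATALOG.get(id); accepted.push(id);
    }
  }

  // The reported balance may lower the result (currency spent on consumables
  // offline) but can never raise it above what the server can account for.
  const reported = clientReport.balance;
  let balance = budget;
  if (!Number.isInteger(reported) || reported < 0) flags.push("bad_balance");
  else if (reported > budget) flags.push("balance_inflated");
  else balance = reported;

  return { balance, inventory: accepted, rejected, flags };
}

// Constructed case: the local balance was edited while offline, then items bought.
const result = reconcileOfflineState(
  { balance: 120, inventory: ["potion"] },
  { balance: 9999, inventory: ["potion", "sword", "shield", "godmode"] }
);
console.log(result);
```

The returned `flags` are meant for logging or segmentation; the function only ever grants what the server-side balance could have paid for.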
