oxiful asked

Implication of a non-authorized/malicious developer creating users in my game?

I am a bit confused about the titleID and client calls. What if a "hacker" writes his own Java/Android code that creates a user in my game (by using my titleID) and then uses an API call like AddUserVirtualCurrency to give himself lots of currency. Then, won't he be able to log in to MY app with that user (since the user was added to the database) and use the currency he gave to himself?

Thanks to the team behind PlayFab for this platform.


1 Answer

brendan answered

Well first, AddUserVirtualCurrency is turned off by default (as is the call to update statistics). So a hacker could only make that call if you explicitly turn it on.

In addition to the fact that the most "dangerous" Client API calls are off by default, I would highly recommend two things for your title security:

First, determine what your tolerance is for cheating. If your title has a non-trivial number of players, it's going to happen, so you need to be prepared for that, and either accept it or have ways to combat it.

Second, turn off all Client API calls you don't want exposed via the API policy (https://blog.playfab.com/blog/permission-policies).

That way, you can control all the things you want to via Cloud Script or custom game servers (dedicated servers). For everything else, you either need to be okay with a hacker making spurious calls to it, or you need to track on that using PlayStream events wherever possible, and segment cheaters into a group where you can either ban them, or just let them play with each other, without bothering the rest of your community.
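
A sketch of the Cloud Script approach described in the answer above, added here as an example and not code from the original thread or from PlayFab: the client only names which reward it is claiming, and the server decides the amount and refuses repeats. The handler name, reward table and currency code are assumptions, and `handlers`, `server` and `currentPlayerId` are stubbed locally to stand in for the globals the Cloud Script runtime provides.

```javascript
// Stand-ins for the globals PlayFab Cloud Script provides at runtime
// (handlers, server, currentPlayerId), so this sketch runs offline.
const store = { readOnly: {}, balance: 0 };   // constructed in-memory player state
const handlers = {};
const currentPlayerId = "PLAYER-PLACEHOLDER"; // constructed id
const server = {
  GetUserReadOnlyData: ({ Keys }) => ({
    Data: Object.fromEntries(Keys.filter(k => k in store.readOnly)
      .map(k => [k, { Value: store.readOnly[k] }])),
  }),
  UpdateUserReadOnlyData: ({ Data }) => { Object.assign(store.readOnly, Data); return {}; },
  AddUserVirtualCurrency: ({ Amount }) => {
    store.balance += Amount;
    return { Balance: store.balance, BalanceChange: Amount };
  },
};

// Hypothetical reward table: amounts live on the server, never in the request.
const LEVEL_REWARDS = { "level-1": 50, "level-2": 120 };
const CURRENCY = "GC"; // assumed currency code

handlers.claimLevelReward = function (args) {
  const levelId = String(args && args.levelId);
  // Reject anything not in the server-side table; args.amount is ignored.
  if (!Object.prototype.hasOwnProperty.call(LEVEL_REWARDS, levelId)) {
    return { granted: 0, reason: "unknown level" };
  }
  const key = "claimed:" + levelId;
  const prior = server.GetUserReadOnlyData({ PlayFabId: currentPlayerId, Keys: [key] });
  if (prior.Data && prior.Data[key]) {
    return { granted: 0, reason: "already claimed" };
  }
  // Record the claim first, then grant; a repeated call finds the marker and gets nothing.
  server.UpdateUserReadOnlyData({ PlayFabId: currentPlayerId, Data: { [key]: "1" } });
  const result = server.AddUserVirtualCurrency({
    PlayFabId: currentPlayerId,
    VirtualCurrency: CURRENCY,
    Amount: LEVEL_REWARDS[levelId],
  });
  return { granted: result.BalanceChange, balance: result.Balance };
};
```

With the Client API version of AddUserVirtualCurrency left off in the API policy, a handler like this is the only path by which a client request can change the balance.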
