Tahir asked

[Unity] Masking client requests.

Hello,

Sorry for my potentially noobish question but a user of my game was able to easily send me this screenshot showing me that they can read all the data I am sending.

While I do have checks in cloudscript to validate incoming changes, is there anything I can do to possibly obfuscate/encrypt/hide what I'm sending? Or do I have to manually encrypt/obfuscate?

I am new to this side of game development so sadly I'm not yet well versed enough to solve it; I have been searching. I'm aware this may not even be a PlayFab issue.

CloudScript
screenshot-1.png (37.4 KiB)
3 comments

akirachen commented ·

Hi, may I ask which API you are using?

And it looks like a Chrome browser debugger, how can he get data from that?

0 Likes 0 ·
Tahir (replying to akirachen) commented ·

I may not have explained myself correctly. I'm just trying to find out if there's a way to mask the info from the debugger.

0 Likes 0 ·
Tahir (replying to akirachen) commented ·

My research seems to point out that there's no point in masking it seeing as a malicious user could always access it. (Hiding it from script kiddies would be good too, though.)

At the time of posting this, I was using UpdateUserData, now I am using ExecuteCloudScript so I can validate requests.

But a few questions:

Couldn't a user just modify these values to submit their own altered scores? While I do have checks in the cloudscript, they aren't 100% foolproof and with some tinkering, the allowed ranges would be found, I think.

Am I doing things properly and this is just normal behaviour of PF to Unity?

Thanks in advance.

0 Likes 0 ·

1 Answer

Andy answered

Dealing with client-side tampering is an omnipresent problem. I would approach your game assuming that you're going to have users sending you faked data and that you shouldn't trust it. Push for a model where actual awards are granted by the services or script and the client just sends "actions" to be processed. The logic to process those actions is on the server.

Another way to approach it is attempting to identify your compromised users. You can set up segmentation rules to react to users that have statistics or properties outside the normal bounds of the game. You could then change your behavior when you encounter a user in one of these "cheater" segments.

This is a very meaty topic. There's lots you can learn with a little googling. I hope you're able to create a great experience for your players while also protecting them and yourself from the more mischievous sort out there.

2 comments

Tahir commented ·

Agreed, as I have been doing some research.

My game rewards players for defeating enemies; at higher levels, they can do this quite often per second, which I think immediately rules out sending each of those actions.

With that in mind, the conclusion I drew is to either store all "actions" and send them all in bulk at set intervals with some checks for validation. The same problem seems to arise though, a player can say he did more than he did and my checks can only go so far.

I am aware it's a very deep topic and each "solution" is unique.

0 Likes 0 ·
brendan (replying to Tahir) commented ·

When it comes to security for your game, it can be fairly complicated, but I can break it down into some fairly simple guidelines:

If you need little to no security, you can have the client update everything. People will cheat like crazy, but if your game has no competitive components and is ad-revenue based, you might not care.

If you need to have players connect to each other to play, but don't have any security concerns, you could use Photon Realtime or another relay service. Again, players could cheat fairly easily, but that may not matter to you.

If you need to have score updates or other records of the player be secure, and you only have occasional updates, you could potentially just use Cloud Script. That way, you could have server authoritative code checking the inputs from the client and rejecting cheated values.

But it sounds like you're in the last category:

You want updates to player data/stats to be secure, but you also want to have a high rate of those updates. In that case, you'll need to use a custom game server, so that you can have the high update rate to the client, and only occasionally update the backend data in PlayFab.

1 Like 1 ·
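
The model from Andy's answer (the client sends "actions", the server decides rewards) combined with the batching Tahir describes, as an added example that is not part of the original thread and is not PlayFab's own code. Every name and limit (`RULES`, `processBatch`, the enemy types, the rate cap) is an assumption; in CloudScript a function like this would be called from a handler, with `state` loaded from server-side player data.

```javascript
// Added example: hypothetical names and limits, not PlayFab APIs.
const RULES = {
  maxKillsPerSecond: 5,       // assumed ceiling for a legitimate high-level player
  minReportIntervalMs: 5000,  // assumed: clients batch and report this often at most
  maxWindowMs: 60000,         // assumed: long gaps (offline, paused) earn no extra budget
  rewardByEnemy: { slime: 1, orc: 5, dragon: 50 }, // reward table lives on the server only
};

const reject = (state, reason, flag) => {
  if (flag) state.flags += 1; // counter a "cheater" segment rule could key on
  return { accepted: false, reason, granted: 0 };
};

// state: server-side record { lastReportMs, gold, flags }
// batch: untrusted client input { kills: { enemyType: count } }
// nowMs: server clock, never a client-supplied timestamp
function processBatch(state, batch, nowMs) {
  const elapsedMs = Math.min(nowMs - state.lastReportMs, RULES.maxWindowMs);
  if (elapsedMs < RULES.minReportIntervalMs) return reject(state, "too_soon", false);

  const kills = batch && batch.kills;
  if (kills === null || typeof kills !== "object" || Array.isArray(kills)) {
    return reject(state, "malformed", true);
  }
  let total = 0;
  let reward = 0;
  for (const [enemy, count] of Object.entries(kills)) {
    const known = Object.prototype.hasOwnProperty.call(RULES.rewardByEnemy, enemy);
    if (!known || !Number.isInteger(count) || count < 0) {
      return reject(state, "malformed", true);
    }
    total += count;
    reward += count * RULES.rewardByEnemy[enemy]; // client never states a reward
  }
  // Kill budget grows only with server-measured time, so inflated counts hit a ceiling.
  const budget = Math.floor((elapsedMs / 1000) * RULES.maxKillsPerSecond);
  if (total > budget) return reject(state, "rate_exceeded", true);

  state.lastReportMs = nowMs;
  state.gold += reward;
  return { accepted: true, reason: "ok", granted: reward };
}
```

A check like this bounds what a tampered client can claim rather than proving each kill happened, which is the limit Tahir points out. The `flags` counter is the kind of statistic a segmentation rule can act on.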
