Ali Al Harbi asked

Playfab Client API Security With Unity SDK

I am concerned about a security issue with Client API calls from the Unity SDK.

I log in with LoginWithGameCenter from iOS and then call UpdateAvatarUrl from inside the game.

I have tried the same thing with the REST API from Postman: I logged in with the Game Center ID, got a "SessionTicket", and then called UpdateAvatarUrl directly from Postman.

So I am worried that if hackers/crackers crack the game and learn the title ID, they will be able to log in with Postman and directly modify any data using the "SessionTicket".


1 Answer

brendan answered

Paying attention to how you manage your data security is always a good thing, but I'm not clear on what your specific question is. Any general-purpose computing device is vulnerable in the way you describe - if the app or game in question uses a server, the data being sent to the server can be changed. And even if you try something like encryption (above and beyond the SSL protection you already have), all the hacker has to do is change the data in-memory, before you encrypt and send it. For any popular game, it's not even a question of technical proficiency - hackers will post hacking tools online that require zero technical knowledge to use.

The best way to think about it is this: What level of security do you need for your app or game?

If there's minimal risk, don't worry about it - yes, players will cheat, but if there's nothing they get out of that like a prize (in-game or otherwise) or leaderboard ranking, it doesn't really matter.

If you need some, but don't require a high level of security - just checks on things like min/max scores, that the player isn't reporting results more often than is possible, etc. - you could have the client send its information to Cloud Script, and have secure, server-authoritative code there that checks for cheating.

If you want your game to be highly secure, you'll want to use a custom game server, and have it run the parts of the simulation that need to be secure, with the client providing inputs that you can check with any server-side security logic you like.

Also, at the simplest level, we recommend:

1. Profile your game and, prior to launch, use our Permission Policies (https://blog.playfab.com/blog/permission-policies) to turn off all the Client API calls you're not using.

2. Choose which data type you use based upon the level of security you need. Use read only data for things you want the client to be able to read but not update (you update it through Cloud Script or a server). Use internal data for things you don't want the client to even be able to see (like tracking on potential cheating).

3. Don't turn on the API calls we have off by default (have a look at the Settings->API tab). Things like Virtual Currency and Statistic changes will absolutely be cheat vectors if you expose those.

10 comments

Ali Al Harbi commented

Hi Brendan

I wanted to remove the old developer key of my project, because I'm sure someone hacked my title ID and developer secret key and is posting data from outside the Unity SDK and cracking data.

developer secret: BJ3SESPU8P5G43YUUUJN4DIPNBO436JAKBXA1PPWRT49******

I also denied all Client API calls via the policy, but things are still being hacked, so I am very worried about this security issue.

Please help in this matter asap.

Thanks.

brendan commented

Sorry, I'm not clear on the issue, here. You can remove the Secret Key anytime, in the Game Manager, in the Settings->Secret Keys tab. And you can turn off any of the Client API calls via the policy, yes. What exactly are you seeing that you're concerned about? What are you trying to do to keep your game secure?

Ali Al Harbi commented

Let me clarify what happened actually.

1) We initially released the game with PlayFab, and that build had the old developer secret

developer secret: BJ3SESPU8P5G43YUUUJN4DIPNBO436JAKBXA1PPWRT49******

in the game. It was auto-generated by the PlayFab Unity SDK, and I can't find it in the dashboard.

2) Then there were tools on the market to decompile Unity games, like DevXUnity-Unpacker magic tools, which give you the fully unpacked resources from your game APK or IPA. Using that, hackers read the PlayFabSharedSettings.asset file and read the Developer Secret Key. With it, hackers are posting their own custom data from Postman.

3) Then we took one step: in another build we removed the Developer Secret Key from PlayFabSharedSettings.asset and generated a new production key from the PlayFab dashboard.

4) Now I want to remove the old developer secret, because I can't find it in the PlayFab dashboard and this key still works for Server and Admin calls. I want to use only our newly generated production key from the dashboard.

Answers:

Are you having trouble removing it via the Game Manager? = No, we were able to remove it from the Game Manager.

Can you clarify what you mean about hackers decompiling the game? = See point 2.

Did you ship the Secret Key in your build? = Yes.
