Talha asked

[Help] Saving game data offline (sync with PlayFab), security risk

Hi PlayFab. I have a question.

I am building a simple 2D Unity game. I would like to know about saving the game data (offline).

I have read the brilliant documentation and so far absolutely loved the service.

But I'm in a deadlock right now.

Question: How to save the data offline.

Scenario: I have a couple of different boosters in the game (i.e. booster1, booster2, booster3).

So far what I have in mind is to save everything (coins, Booster1_amount, Booster2_amount, Booster3_amount) in the cloud (PlayFab), but it has limitations, like the player needs a constant internet connection to play (with boosters).

How to solve this problem? I want to make the boosters available to the player even offline.

I can save the data (the amount of each booster the player has) on the player's device and use it whenever the player is offline, and when he goes online again sync the data (the most common solution).

But then comes the issue of security: what if somebody hacks into the files (the files encrypted by Unity)?

Is there any other option? A simpler one, with no additional cost. No new server required.

Exact scenario: the player plays the game, he is connected to the internet, he's got 10 boosters. He uses 3 boosters, 7 remain, (**) we update it on PlayFab instantly. All good. He closes the app. Opens it. He's got 7 boosters. He closes the app. Turns off the internet. Opens the app. What now?

If I am (**) saving the game data in an encrypted file on the device, then what's the point? How to avoid this security loophole? I am updating both PlayFab and the encrypted file.


jital avatar image
jital answered

Greetings,

I believe this forum post contains helpful information regarding syncing offline data with PlayFab.

30 comments

Talha commented ·

I had already read it when I posted the question :'(

0 Likes 0 ·
jital ♦ Talha commented ·

There are a few ways to go about syncing offline data. It seems you would like to do it without having to use an external server or incurring extra costs, so it seems your best option would be to implement some reasonable checks in CloudScript. What information are you specifically looking for that is not contained in the linked post?

0 Likes 0 ·
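
The kind of server-side check suggested in the comment above, applied to the booster scenario from the question, as an added example that is not part of the original thread and not PlayFab's own code. It assumes the client uploads how many boosters it used offline rather than a new balance; the function name, payload shape and rate limit are hypothetical.

```javascript
// Added example, not PlayFab API code. serverState is what the backend stored
// at the last sync; report is the hypothetical payload the client uploads.
const MAX_USES_PER_MINUTE = 2; // constructed limit for this example

function reconcileBoosters(serverState, report, nowMs) {
  const usedMap = (report && report.used) || {};
  const result = { boosters: {}, flags: [] };
  // Bound offline play by the time since the last sync the server recorded;
  // the device clock is never consulted.
  const offlineMin = Math.max(0, (nowMs - serverState.lastSyncMs) / 60000);
  const maxUses = Math.floor(offlineMin * MAX_USES_PER_MINUTE);

  for (const [name, owned] of Object.entries(serverState.boosters)) {
    const used = usedMap[name];
    if (used === undefined) { result.boosters[name] = owned; continue; }
    if (!Number.isInteger(used) || used < 0) {
      result.flags.push(`${name}: malformed usage`);
      result.boosters[name] = owned; // a report can never raise a balance
      continue;
    }
    if (used > owned) result.flags.push(`${name}: used more than owned`);
    if (used > maxUses) result.flags.push(`${name}: more uses than offline time allows`);
    result.boosters[name] = owned - Math.min(used, owned); // never below zero
  }
  for (const name of Object.keys(usedMap)) {
    if (!Object.prototype.hasOwnProperty.call(serverState.boosters, name)) {
      result.flags.push(`${name}: item the server never granted`);
    }
  }
  return result;
}

// Constructed sample: the player from the question, 10 boosters at last sync,
// reconnecting after 30 minutes offline.
const state = { lastSyncMs: 0, boosters: { booster1: 10, booster2: 4 } };
console.log(reconcileBoosters(state, { used: { booster1: 3 } }, 30 * 60000));
console.log(reconcileBoosters(state, { used: { booster1: 500, booster9: 1 } }, 30 * 60000));
```

An edited save file can still change what the game shows while offline; what this rule protects is the server-side balance, which only ever goes down on sync, and the flags give a basis for review.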
Talha jital ♦ commented ·

Hi, yeah, nothing specific, but I wanted to be sure: if I am saving data locally (encrypted using Unity) and updating the data on PlayFab as well, is that a good way to go about it, security-wise?

0 Likes 0 ·
Talha commented ·

So for instance, if I'm rewarding players (the first player to complete the game wins 5000 pounds, etc.), it's not a good practice to save data on the player's mobile device, right? So for best security should I put everything on PlayFab and let the game be playable over the internet?

0 Likes 0 ·
brendan ♦♦ Talha commented ·

If you literally mean you're going to provide a cash prize in your game, my advice would be that nothing short of hosting the simulation in a dedicated server (custom game server hosting) is going to be sufficient security. And even then, you'll need to consider all the ways the client could report untrue data or use data the server is passing down to cheat.

But that said, if you are offering prizes with real-world value in your game, you're going to need to get advice from your legal counsel on what the requirements are going to have to be, to minimize your risk.

2 Likes 2 ·
Talha brendan ♦♦ commented ·

Haha, we don't have no legal counsel, Brendan mate.

"you're going to need to get advice from your legal counsel on what the requirements are going to have to be, to minimize your risk."

What do you mean by this?

If we are only using cash rewards to players based on their rank in the leaderboard (it's a single-player, simple 2D Unity game; imagine Candy Crush with cash rewards),

do we need a custom game server?

By putting everything on PlayFab, i.e. virtual currency (coins), and using Cloud Script to do all the implementations,

would Cloud Scripts be secure enough?

0 Likes 0 ·
Talha commented ·

The gameplay is simple. The cash reward is a weekly or monthly thing. It is based on the Highscore static leaderboard. The cash rewards will basically be done through email (doing it by hand, manually). We'll take their emails and get bank details through email. But we will not be giving away cash rewards all the time. Some players will get rewards after a month, or small prizes for the top ten players weekly, that type of thing. We are basically splitting the revenue with players.

Now, as far as the gameplay is concerned, the game is an endless-runner type game, where players are not concerned with any other player other than the leaderboard (that is the only connection).

So far what we want is virtual currency to be updated through CloudScript, and all the stats to be updated through CloudScript. Nothing else. I hope you get my point.

What could be the issue though? Legally? Is it not allowed or something? I barely have money to get the Apple and Android accounts :'D. I don't know if I can afford a lawyer.

0 Likes 0 ·
brendan ♦♦ Talha commented ·

Again, I can't advise you on any legal topic. The reason we can't is because if we were to advise you on something from a legal standpoint, that makes us liable if you get into legal trouble or sued. So we have a strict "no legal advice" policy. You'll find that most companies do (certainly all the large ones).

As far as security, it sounds like you're saying that the gameplay is client-authoritative. So, I play the game, with the local device controlling everything about the experience, and then at the end of gameplay I upload that to the service. You could conceivably build some cheat checking into a Cloud Script, but that would not prevent a hacker from submitting falsified data using a couple of throwaway accounts, to determine what your script is going to allow as a "max", and then use a third account that hasn't had anything rejected make calls that submit maximized scores that will pass your test. I'd even throw in a small amount of randomization, if I were to do it. It would take a lot of effort on your part to catch that.

Put another way, yes, that would be easy to cheat. You should really host the gameplay on custom game servers, if you need it to be highly secure.

1 Like 1 ·
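
A sketch of the Cloud Script cheat checking mentioned in the comment above, for a time-based endless-runner score, as an added example that is not part of the original thread and not PlayFab's own code. It assumes the backend recorded the run's start time and lives itself when the run began; the function name, fields and limits are hypothetical, and as the comment says, a bound like this raises the cost of cheating rather than preventing it.

```javascript
// Added example, not PlayFab API code. run is the hypothetical record the
// backend wrote when the run started; limits are constructed for illustration.
const MAX_POINTS_PER_SECOND = 12; // fastest rate the game design allows
const MIN_RUN_SECONDS = 5;

function reviewScore(run, submittedScore, nowMs) {
  const reasons = [];
  // Both timestamps come from the server clock, never from the device.
  const elapsedSec = (nowMs - run.startedMs) / 1000;
  if (!Number.isInteger(submittedScore) || submittedScore < 0) {
    reasons.push("malformed score");
  }
  if (run.lives <= 0) reasons.push("no lives left when run started");
  if (run.submitted) reasons.push("run already submitted");
  if (elapsedSec < MIN_RUN_SECONDS) reasons.push("run too short");
  if (submittedScore > elapsedSec * MAX_POINTS_PER_SECOND) {
    reasons.push("score faster than possible");
  }
  const clean = reasons.length === 0;
  return {
    // Only clean runs are written to the leaderboard statistic.
    postToLeaderboard: clean,
    // Flagged runs are kept server-side for manual review before any payout.
    reviewQueueEntry: clean ? null : { score: submittedScore, elapsedSec, reasons },
    // The reply is identical either way, so a rejected submission does not
    // tell the sender which limit it hit.
    clientReply: { received: true },
  };
}

// Constructed sample: a run the server started at t=0 with 3 lives,
// submitted 120 seconds later.
const sampleRun = { startedMs: 0, lives: 3, submitted: false };
console.log(reviewScore(sampleRun, 900, 120000));   // plausible
console.log(reviewScore(sampleRun, 50000, 120000)); // flagged for review
```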
Talha commented ·

I don't know the first thing about custom game servers. Is it relatively easy to implement? What is the cost? Is it available in the essential tier? :'/ I'll also look it up in the documentation and get back to you.

0 Likes 0 ·
Talha Talha commented ·

Are there any up-to-date video tutorials?

0 Likes 0 ·
brendan ♦♦ Talha commented ·

Here's the link to the docs for servers:

https://docs.microsoft.com/en-us/gaming/playfab/features/multiplayer/servers/

The cost is the actual hosting cost in Azure, if you're using our server hosting. The newer server hosting is in private preview, so it's available to Indie, Pro, and Enterprise tier customers, but it'll be in public preview soon. The legacy server hosting is available to all tiers.

1 Like 1 ·
Talha commented ·

So a custom game server is the safest bet, I guess.

"It's still possible to write a tool to automatically play the game, even if it's not client-authoritative, but that's at least a bit more difficult."

What do you mean by that?

0 Likes 0 ·
brendan ♦♦ Talha commented ·

Here's an example of a robotic rig built to play Wordament (https://www.youtube.com/watch?v=YrSKFnSg3bU). This is significantly more complicated than what would be needed to cheat at most infinite runners, since they wouldn't require anything other than tapping the screen in the same place, at the right time. For image processing, in the case of Wordament the rig has to process the screen to determine the letters that are available. Most runners would only need the rig to watch for upcoming changes in the "floor", to determine when to tap. As I said, this is harder, but it's not impossible. The thing to bear in mind is that the amount of effort (and money) people will put into cheating is strongly influenced by the benefit they can get from doing so. Since folks will go this far just to get to the top of a leaderboard, you should expect folks to be willing to invest significantly more if they can get real-world value from the game.

0 Likes 0 ·
Talha answered

Yes, CP is still there. We are providing CP. Plus we have developed some cheating mechanisms like time taken to reach highscores, checking lives (whether the user has enough lives to even update highscore stats in CloudScript), banning players then, etc. All stats are updated through CloudScript. Everything was going 100% fine till 3-4 days ago, when I found out about il2cpp modding in detail. It bummed me out for a while. But it's good that we can obfuscate the control flow of the app and other quirky little things. I hope that will buzz off most hackers, but dedicated ones will still be able to crack it. I guess that's fine because we are using a lot of different stats for validating the authenticity of players.

Talha answered

@Brendan I know this post is lengthy, but I have some last questions, please.

If the gameplay is based on swipes (SWIPE UP, SWIPE DOWN, SWIPE LEFT, SWIPE RIGHT to play), you have to do it frequently, without delay. It is all happening continuously and the highscore is being updated with "Time".

This is my understanding now after all this: we use CGS, and the gameplay code runs on the Azure server.

The player gives the input (i.e. swipes). What should we do with the variable "Highscore"? See, everything is being done to protect this variable so that we don't have to do manual webcam video chats with players to ask them to prove their expertise at the game for cash rewards. My understanding is we run the variable on the server and update it on the server and then update the stat.

But is it tightly secure? I.e. are custom game servers 100% secure? I know cheating is possible on how we are validating the inputs from players, but about CGS, is CGS 100% secure?

Nothing comes to the server except inputs, right? And when the user requests a booster in the game, e.g. speed up the game, we check everything and then update the speed in the gameplay code.

How do we track the swipes (if the player beats his previous highscore, the swipe data is updated)?

E.g. if there are several players we have to swipe to protect them, etc. Where do we store the info about swipes in PlayFab?

If all the answers are yes, then one LAST thing: "Latency". As the game is real-time, if there is even a delay of 1 second during the game, it's all lost. The appeal of the game will be lost. So can we overcome this issue of latency so that the game executes flawlessly without any delay?
