Kim Strasser asked

Many unknown players/devices in Game Manager

Today, I opened Game Manager and searched for the most recent logins, and I got this list:

I'm amazed about these unknown player logins because I am the only one who uses my title account and I wasn't logged in during the last few days. I don't understand how a stranger could log in with his device.

It wasn't the first time that an unknown player logged in with his device. Some time ago, another stranger was logged in:

And last year:

androiddevice 35DAEE0ACAF77C3B | Jul 16, 2019 3:48 PM | 350 days ago | United States | $0.00
androiddevice 1061A2E9F8EF5190 | Jul 16, 2019 2:20 PM | 350 days ago | United States | $0.00
androiddevice 8FF83F78D72EEC4F | Jul 16, 2019 2:18 PM | 350 days ago | United States | $0.00
androiddevice 351DA2ED76E1D00F | Jul 16, 2019 2:18 PM | 350 days ago | United States | $0.00
androiddevice D58CC3F9A7AC4FD9 | Jul 16, 2019 2:18 PM | 326 days ago | United States | $0.00
androiddevice 8C855655C9F7A03 | Jul 16, 2019 2:18 PM | 350 days ago | United States | $0.00
androiddevice BF8732709EFC844E | Jul 16, 2019 2:18 PM | 350 days ago | United States | $0.00

How is it possible that a stranger can log in with his device? I have not distributed my game in the App Store.


1 Answer

brendan answered

The thing to bear in mind is that PlayFab is a Web API-based service. So you can easily open Postman, for example, and make valid calls to your title - that's actually a very handy way to test. In your case, since the game hasn't been released yet, someone would need to find your Title ID somewhere, or guess it, in order to make any calls to the title. Looking at your previous posts, I see that your Title ID is in at least one, so that's probably the source.

In general, this isn't really a concern. If there's no incentive for someone to make calls on your title, it's unlikely they'll continue to do so. The things to bear in mind are:

1. Yes, you can make the Web API calls via generally-available tools, and as the client devices you're shipping to are general purpose computing devices, they're easily compromised. So anything you want to be secure in your game should really have server-side logic controlling it, either in Azure Functions Cloud Script or by using hosted custom game servers.

2. Before shipping your game, it's a good idea to profile all the API calls you're using and turn off all the ones you're not, using the API permissions policies. https://community.playfab.com/questions/33774/is-it-possible-that-a-player-updates-his-playfab-d.html
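The profiling step from point 2, as an added example that is not part of the answer above and is not PlayFab's own code: it reads request URLs captured from a test session, works out which Client API methods the game really calls, and builds Deny statements for the reviewed methods it never used. The Title ID `ABCD`, the captured URLs and the review list are constructed; the statement fields and the `ApiPolicy` name are assumed to follow PlayFab's Admin `UpdatePolicy` request and should be checked against the current documentation before use.

```python
import json
from urllib.parse import urlparse

# Constructed sample: request URLs captured from a test session of the game.
# "ABCD" is a placeholder Title ID, not a real title.
CAPTURED_REQUESTS = [
    "https://ABCD.playfabapi.com/Client/LoginWithAndroidDeviceID",
    "https://ABCD.playfabapi.com/Client/GetUserData?sdk=UnitySDK-2.0",
    "https://ABCD.playfabapi.com/Client/ExecuteCloudScript",
    "https://ABCD.playfabapi.com/Client/GetUserData",
]

# Assumption: the Client API methods this title wants reviewed.
# Extend the list with every client-callable method you want a decision on.
CLIENT_METHODS_UNDER_REVIEW = [
    "LoginWithAndroidDeviceID", "LoginWithCustomID", "GetUserData",
    "UpdateUserData", "UpdatePlayerStatistics", "AddUserVirtualCurrency",
    "ExecuteCloudScript",
]

def used_client_methods(urls):
    """Return the set of /Client/<Method> names seen in the captured URLs."""
    used = set()
    for url in urls:
        parts = urlparse(url).path.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "Client":
            used.add(parts[1])
    return used

def build_policy_update(urls, candidates):
    """Build a request body that denies every reviewed method never called."""
    used = used_client_methods(urls)
    statements = [
        {"Resource": f"pfrn:api--/Client/{name}", "Action": "*", "Effect": "Deny",
         "Principal": "*", "Comment": "Not called by the game client during profiling"}
        for name in candidates if name not in used
    ]
    # OverwritePolicy=False appends to the existing policy instead of replacing it.
    return {"PolicyName": "ApiPolicy", "OverwritePolicy": False, "Statements": statements}

if __name__ == "__main__":
    print(json.dumps(build_policy_update(CAPTURED_REQUESTS, CLIENT_METHODS_UNDER_REVIEW), indent=2))
```

Profile a session that exercises every feature of the game before applying the result, since a method that was simply not triggered during the capture would be denied along with the unused ones.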
