How secure is the Client version of the UpdateUserStatistics call?

Brendan Vanous
started a topic on Thu, 30 October 2014 at 11:29 AM

How secure is the method http://api.playfab.com/Documentation/Client/method/UpdateUserStatistics for posting scores on leaderboards?


1 Answer

Best Answer
Brendan Vanous said on Thu, 30 October 2014 at 11:29 AM

All calls to PlayFab use SSL, which does make them reasonably secure against man-in-the-middle type attacks. However, one thing to always bear in mind is that it's easy for a technically savvy user to hack the local client to modify messages. For that reason, our feeling is that messages coming from the client cannot be entirely trusted.

In the case of statistics, we originally only released an API method to write stats from a game server, specifically because of that lack of trust. Shortly after that, we added a client version of the call in response to developer feedback. Basically, some title developers let us know that while it's possible for users to alter the stats being sent, that wasn't really an issue for their scenarios. We did put in one additional step though, to make sure developers only do this if it's what they really intend: To enable the client call, the developer must set the "Allow Client to Post Player Statistics" option in the Game Manager for the title (under Settings->Properties).

So while the client-side UpdateUserStatistics call can be used, we wouldn't recommend doing so for any scenario where players want to be "better" than others in those values, such as leaderboards which are presented in-game. In those cases, it's not so much whether or not players will cheat their statistics - it's just a matter of how quickly and how often they will, and how much work you'll need to do to police your community. Instead, we would recommend using server-side logic to evaluate what the correct values should be, and then submit those values as statistics.
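The server-side evaluation recommended in the answer above, sketched as an added example that is not part of the original post and is not PlayFab code. The event names, point values, rate limit, the `HighScore` statistic name and the `submit_statistic` callback (a stand-in for whatever server-side statistics write the title uses) are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed scoring table and plausibility limit (assumptions, not PlayFab values).
POINTS = {"coin": 10, "enemy": 50, "boss": 500}
MAX_EVENTS_PER_SECOND = 5


@dataclass
class Event:
    kind: str
    t: float  # seconds since session start, as held by the game server


def evaluate_score(events, session_seconds):
    """Recompute the score from gameplay events. Returns (score, reject_reason)."""
    if session_seconds <= 0:
        return None, "empty session"
    if len(events) > MAX_EVENTS_PER_SECOND * session_seconds:
        return None, "event rate too high"
    score, last_t = 0, 0.0
    for e in events:
        if e.kind not in POINTS:
            return None, f"unknown event {e.kind!r}"
        if e.t < last_t or e.t > session_seconds:
            return None, "timestamp out of order or outside session"
        last_t = e.t
        score += POINTS[e.kind]
    return score, None


def handle_report(player_id, claimed_score, events, session_seconds, submit_statistic):
    """The client's claimed score is never written; only the recomputed value is."""
    score, reason = evaluate_score(events, session_seconds)
    if reason:
        return {"accepted": False, "reason": reason}
    # submit_statistic is a hypothetical wrapper around the server-side write.
    submit_statistic(player_id, "HighScore", score)
    # A mismatch flags a modified client for review without trusting its number.
    return {"accepted": True, "score": score, "mismatch": claimed_score != score}
```
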

