Is the client API secure?
I was experimenting with Playfab in one of my unreal engine projects, and I am unsure as to how secure the client api transactions are. I presume that the client side api is the only api that can be called by people playing my game, however once again I question its security. Am I wrong and/or are there any tips anyone can give me to help me make data more secure? I am referring to player data, such as something like weapon skins in a shooter game.
Best Answer
Can you please clarify what you're asking? The Client API calls are secure, in that a Session Ticket is required to call them. The Session Ticket is returned to the client as a result of any Login... API call. Without a valid Session Ticket, the Client API calls will not work.
We also provide a secure commerce service, so that if you're using any of the integrated payment providers, you can be sure that players aren't getting items they didn't pay for, and any virtual currency purchases are correctly subtracting the VC from the player account.
If your question is, how do you know that the data coming from the client is not compromised, the answer is you don't. That's not possible on a general purpose computing device. It is relatively simple for a hacker to either a) decompile your title code and insert their own logic, or b) make calls to PlayFab directly, using the available API endpoints (starting with Login, to get a Session Ticket). You should always assume that anything coming from the client is suspect. We provide custom game server hosting and Azure Functions Cloud Script integration so that you can have server authoritative logic. We have a few write-ups of this in various posts in this forum that you may want to review, such as:
https://community.playfab.com/questions/12831/methods-to-reduce-the-likelihood-of-cheating.html
https://community.playfab.com/questions/10618/how-to-prevent-cheaters-from-being-rewarded.html
@Brendan That does make sense. What I'm really wondering is: is the admin/server api useable on game clients? For instance, if someone buys my game, will their version of the game only call client api functions?
No, the Server and Admin API calls require a Secret Key, which you should never let anyone outside your team have access to. If a Secret Key is ever leaked by someone in your team, you can always invalidate that key in the Game Manager and generate a new one for any server-to-server calls you make.
I should also point out that a good security best practice is to use the API policy to disable all the Client API calls you're not using.
Is the dev secret key we add to project removed during runtime?
