question

CodeHunter avatar image
CodeHunter asked

Data Encryption for Player Data and CloudScript responses

Is there a way to encrypt data sent and received from Client API? Most particularly user data, because can see the data structure of the player data in JSON format using an app. The header is clearly visible if the player wants to send an API request separately, especially the data structure is revealed clearly to them. The same case happens when executing cloudscript from the game client (Unity) because I can see the JSON format of the result sent from the function.

This is NOT okay, because players can easily hack the backend service and modify their player data to their liking (infinite money, etc). I need the kind of encryption implemented on title data because when I tried getting the title data, I can't see the contents clearly instead of the readable JSON format.

CloudScriptPlayer DatadataTitle Data
1 comment
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

CodeHunter avatar image CodeHunter commented ·

EDIT: assuming that this isn't possible, is there a way to hide the header instead? API policy most likely can't be used here because I'm using an external service that requires API calls to read and edit player data.

0 Likes 0 ·

1 Answer

·
Gosen Gao avatar image
Gosen Gao answered

The main purpose of encrypting data is to prevent data leakage during transmission. PlayFab encrypts data transmission via HTTPS, so you don't need to worry about this. No matter what encryption method you use, the client will eventually decrypt the encrypted data to get the real data. So the player still will know what is the response. If you are worried that players can modify key data, you can disable the client APIs that can modify these data through API policy, and then modify these data through Azure Function or Cloud Script, and since the return value is set by yourself, please do not return important information as a result to the client.

2 comments
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

CodeHunter avatar image CodeHunter commented ·

There are API calls outside the game client using the same method and that is to edit the player data (UpdateUserData). If I disable the client API using the API policy, would it block the API calls from outside the game but using server API? The reason I haven't looked into API policy too deeply is because I need to prevent players from editing player data that's sent using client API from the game client, but I cannot block any API calls that is server API calls to edit player data from external services.

0 Likes 0 ·
CodeHunter avatar image CodeHunter commented ·

Also, would that mean that editing player value is restricted to admin/server API if I block the client API calls for player data editing?

0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.