paul@sparkleapps.com asked

Virtual Currency Security?

Hello,

We are considering using PlayFab to keep track of virtual currency for players. But how can the app trust the REST API if it says the player has 1000 coins? A tech-savvy player could intercept the call and change the reply to give themselves a million coins. How is the API secured?

Do you offer the ability for developers to provide their own SSL cert, and use SSL pinning, to eliminate man-in-the-middle attacks?

Thank you


1 Answer

brendan answered

Apart from closed platforms with dedicated hardware designed to prevent modification (like modern consoles), it is not possible to completely prevent players from modifying their local machines to change values. That's why our policy is to not trust the client - the reason why Client API calls that modify virtual currency and statistics are turned off by default.

So rather than engage in a costly war of escalation where you build a higher wall and they build a taller ladder, we give you the ability to remove their ability to affect the result by moving the authority to the servers.

Take, for example, virtual currency. By default, the client cannot change the service's values in the player account in any way. Instead, he reports on gameplay actions, which you can check for cheating via custom game servers or Cloud Script, and reward the appropriate amount of VC based on the game's intended logic. And because all calls to PurchaseItem use the server's accounting of how much VC the player has, it makes no difference at all if the player modifies his local balance. He still can't purchase anything he hasn't earned the VC to buy.
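
The server-authoritative flow described in the answer above, as an added example that is not part of the original answer and is not PlayFab code: the client reports a gameplay action, the server validates it and decides the reward, and purchases are checked against the server's ledger only. The in-memory stores and the names `reportLevelComplete`, `purchaseItem`, `LEVEL_REWARDS` and `CATALOG` are hypothetical stand-ins for a game server or Cloud Script handler; all values are constructed.

```javascript
// Added illustration: in-memory stand-in for server-side state.
// Every name and value below is hypothetical and constructed for this example.
const LEVEL_REWARDS = new Map([
  [1, { coins: 50, minSeconds: 20 }],
  [2, { coins: 120, minSeconds: 45 }],
]);
const CATALOG = new Map([["sword", 100], ["shield", 400]]);

const balances = new Map();   // playerId -> coins; the only balance that counts
const seenEvents = new Set(); // events already rewarded (replay protection)
const inventory = new Map();  // playerId -> array of owned item ids

function serverBalance(playerId) {
  return balances.get(playerId) || 0;
}

// The client reports WHAT happened, never how many coins it should receive.
function reportLevelComplete(playerId, event) {
  const rule = LEVEL_REWARDS.get(event.level);
  if (!rule) return { ok: false, reason: "unknown level" };
  const key = `${playerId}:${event.eventId}`;
  if (seenEvents.has(key)) return { ok: false, reason: "duplicate event" };
  // Plausibility check: finishing faster than the level allows is rejected.
  if (!Number.isFinite(event.durationSeconds) || event.durationSeconds < rule.minSeconds) {
    return { ok: false, reason: "implausible completion time" };
  }
  seenEvents.add(key);
  balances.set(playerId, serverBalance(playerId) + rule.coins);
  return { ok: true, balance: serverBalance(playerId) };
}

// Any balance field the client sends is ignored; price and funds come from the server.
function purchaseItem(playerId, request) {
  const price = CATALOG.get(request.itemId);
  if (price === undefined) return { ok: false, reason: "unknown item" };
  if (serverBalance(playerId) < price) return { ok: false, reason: "insufficient funds" };
  balances.set(playerId, serverBalance(playerId) - price);
  inventory.set(playerId, [...(inventory.get(playerId) || []), request.itemId]);
  return { ok: true, balance: serverBalance(playerId) };
}
```

A request such as `purchaseItem("p1", { itemId: "shield", clientBalance: 1000000 })` fails with "insufficient funds" when the server ledger holds 50 coins, whatever the tampered client believes.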
