dwojda asked

How to grant an item securely?

It is advised to grant items to the user through CloudScript rather than Client API calls. In my game I want to grant an item to the user when they win a match. I don't know much about security and I am afraid that even when I do this through CloudScript, the client still can be hacked and the hackers can execute the function granting the item through the ExecuteCloudScript request at any time.

What is the proper way to grant an item after some event in the game so that such a way cannot be exploited by hackers? I am working in Unity3D if that matters.

Tags: CloudScript, In-Game Economy, Player Inventory


1 Answer

brendan answered

That's going to vary from game to game, but the key point is that a hacked client could send any data at all to any of the API methods. For a player-versus-player match to have server authority, there must be logic in the cloud that can fairly evaluate the player's moves.

If that's a turn-based game, you can record starting state information about the game in User Read Only Data or Shared Group Data (making sure not to add players to the shared groups directly), and then evaluate the game state to determine the new state (making sure to only accept input from the player whose turn it is) in Cloud Script. There's a forum thread here where we talked about that in detail, as well as how to use Photon Cloud for matchmaking:

If your game is realtime, like a shooter, RTS, or RPG, you'll need a custom game server or Photon Enterprise, as you need to have server logic which can process actions and update the local state in realtime, updating the user data in PlayFab when key events occur, and at the end of the session.



dwojda commented:

The matches in my game are offline. The user fights with AI.

0 Likes
brendan commented (replying to dwojda):

In that case, the client is fully authoritative over the results of the match, meaning that a hacked client could do anything it wants to. At a minimum, you should report results of the match to the service via Cloud Script, and in that script, check things like the time elapsed from the last time the player reported a session completion (to see if enough time has passed for the report to be accurate) and how many points the player scored (to make sure that's within bounds of what's possible). Again, depending on your game specifics, the checks that you use in Cloud Script to look for cheating will vary quite a bit. But in this case, you should plan for the case where the client is sending bogus results, and put in any checks you think are reasonable. You can always update the script over time, so that when you do find a pattern of cheating, you can put in some logic that looks for it specifically.

1 Like
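The checks brendan describes, written out as an added example (this is not PlayFab's own code nor code from this thread) in the style of a legacy PlayFab Cloud Script handler. Everything named here is an assumption for illustration: the handler name `reportMatchResult`, the User Read Only Data key `lastMatchReportedAt`, the catalog item id `win_reward_crate`, and the numeric limits. The validation itself is a pure function, so it can be unit-tested outside the Cloud Script runtime; only the handler touches the `server`, `currentPlayerId` and `log` globals that Cloud Script provides.

```javascript
// Added example, not PlayFab's own code: server-side sanity checks on a
// client-reported offline (vs-AI) match before a reward is granted.
// Assumed names: handler "reportMatchResult", read-only key
// "lastMatchReportedAt", item id "win_reward_crate", limits below.

// Assumed tuning values: a real match takes at least 60 s and can never
// produce more than 5000 points. Set these to what the game actually allows.
var LIMITS = { minMatchSeconds: 60, maxScore: 5000 };

function reject(reason) {
  return { ok: false, reason: reason };
}

// Pure check over one report. report = { won: bool, score: number } as sent
// by the client; lastReportedAtMs is the stored time of the previous accepted
// report (null for a first report); nowMs is the server clock.
function validateMatchReport(report, lastReportedAtMs, nowMs, limits) {
  // Never trust the shape of client input: type-check before comparing.
  if (!report || typeof report !== "object") return reject("missing report");
  if (typeof report.won !== "boolean") return reject("won must be boolean");
  if (typeof report.score !== "number" || !isFinite(report.score)) {
    return reject("score must be a finite number");
  }
  // Bound check: a score the game cannot produce means a forged report.
  if (report.score < 0 || report.score > limits.maxScore) {
    return reject("score out of range");
  }
  // Rate check: a completion reported sooner than a match can be played.
  if (lastReportedAtMs !== null) {
    var elapsedSeconds = (nowMs - lastReportedAtMs) / 1000;
    if (elapsedSeconds < limits.minMatchSeconds) return reject("reported too soon");
  }
  return { ok: true };
}

// In legacy Cloud Script "handlers" is a predefined global; the guard lets
// this file also load in a plain Node environment for testing.
var handlers = (typeof handlers !== "undefined" && handlers) || {};

handlers.reportMatchResult = function (args, context) {
  var now = Date.now();
  var stored = server.GetUserReadOnlyData({
    PlayFabId: currentPlayerId,
    Keys: ["lastMatchReportedAt"]
  });
  var entry = stored.Data && stored.Data.lastMatchReportedAt;
  var last = entry ? Number(entry.Value) : null;

  var verdict = validateMatchReport(args, last, now, LIMITS);
  if (!verdict.ok) {
    // Log rejections: the pattern seen here is what later checks are tuned against.
    log.info("match report rejected", { reason: verdict.reason });
    return { granted: false, reason: verdict.reason };
  }

  // Read-only data can only be written from the server side, so a hacked
  // client cannot reset its own timestamp.
  server.UpdateUserReadOnlyData({
    PlayFabId: currentPlayerId,
    Data: { lastMatchReportedAt: String(now) }
  });

  if (!args.won) return { granted: false, reason: "match lost" };
  server.GrantItemsToUser({
    PlayFabId: currentPlayerId,
    ItemIds: ["win_reward_crate"],
    Annotation: "offline match win"
  });
  return { granted: true };
};
```

The timestamp is only advanced on an accepted report, so a burst of forged completions yields at most one grant per `minMatchSeconds`, and the rejection log gives you the data to add more specific checks later, as the comment above suggests.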
dwojda commented (replying to brendan):

Thank You! That is exactly what I wanted to know :)

0 Likes
