question

Thank you @Brendan for taking the time to answer my question .

Actually, upon contemplating about it.... there will be more than one number.

1. One random number, or better yet string, will be assigned to every player when they register.

2. The other numbers will be extracted every day from the pool of registered numbers ( numbers that were assigned to players on #1. These numbers actually pick random players , players which will win some kind of prize ofr their actions in the game. Much like a lottery if you will.

For example: Let's say I have 1000 players registred. Every player has a random string or number... let's stick with string. Player 1 has, in the database besides his name, email, age, "XK8379L34" , Player 2 has "G784UY5J4R" ..., Player 3 has "9IU7YTRAV" , Player 4 has "UI8T4AT5V"... and so on.

Day one: I check the actions of all players and from the pool of players that the boolean value of a certain action on the previous day is True I pick randomly a certain amount of players.

In my example lets say the pool of players that completed the tasks is: Player 1, 2 and 3.

I pick randomly 2 of the 3 generated strings,, and I get : "9IU7YTRAV" and "G784UY5J4R". In this case I award player 2 and player 3 a reward for being awesome :)

This is the basic functionality that I want to implement, probably the application will be build for Android and iOS.

I have searched and there seem to be some assets in the Unity3d Store that can securely register, login, send and get data from an MySQL database using PHP. Now I know that MySQL isn't the best choice for this ( I am expecting the application to have a massive following meaning 1000's of users connecting at the same time ( at least I hope it will ).

Besides this problem I am concerned about the following:

1. Securely Registering and logging the users in the app ( Google Login would be secure ) and getting their name, age, sex location and storing all in a database on the server. But this should be done with the user in mind , meaning the user should not take to much time on this .. ( one tap registration maybe ) <<--- how secure is the server you sent me the link for ?

2. Encrypting send and retrieve data + update user data from the server (NoSQL database maybe ? )

3. Scaling the application in case of over 100k users .

4. People disassembling the application and finding the secret key and ip of the server and cheating or creating DDos attacks + Man in the Middle attacks...

5. Cheating and changing values using Cheat Engine ( but that should not be the case given the fact that the client is only a dummy and everything should be done on only the server).

6. Deploying and update and push notifications ( If I remember correctly you already have that functionality in place )

That is about it for now.. sorry for the long response... :)

Waiting for your response.

Thank you.

Tudor

I see - thanks for the additional info. So what you want to do is:

• Have tasks the player can perform each day, for which they are entered in a "lottery"
• Once a day, pick one or more players from the set of those who completed that day's task, and give those players a reward

Okay, the first thing to understand is that our server hosting service is really for game session servers - not long-running processes. We provide a wide range of long-running processes directly, so that you can store all the player save data, inventory, statistics, etc. and have them available at any time. Using those components, you can easily set up a secure service for your players that would do what you have in mind. You can do this using your own server (whether running in AWS or elsewhere) together with our service data and PlayStream events. Your server will host the data of all players who have completed a task in a given day and will control the distribution of the rewards based on that, while you'll use PlayFab as the layer between your players and your server, to ensure security.

Once you have your server set up, the way to do this is to use PlayStream events. Basically, when a player completes the task in question, if you're setting a statistic, there's a built-in PlayStream event. Otherwise, you could use your own custom event. In either case, what you'll be doing is using that event to trigger notifying your server of that information for the player. You can do this either by using a webhook (Analytics->Webhooks), which will send all the event data to your server, or by using a Rule (Automation->Rules) to run a Cloud Script, which uses the event data (provided in the Context of the handler called) to send that info to your server via an http.request call (have a look at the basic Cloud Script, provided as revision 1 in your title).

So whenever a player performs a task, you would update your server with that info, populating the list which you would then use to do your "lottery" drawing. Because the client would only ever call PlayFab, players would not be calling your server directly (and you are correct that you should never, ever have a Secret Key in your client code, as that guarantees someone will get ahold of it in the wild and cheat in your game). You could then put cheat checks into any Cloud Script calls you make as part of this process, in order to help prevent cheating, and update those whenever you detect new cheating behaviors.

For the specific questions you raised:

> 1. Securely Registering and logging the users in the app ( Google Login would be secure ) and getting their name, age, sex location and storing all in a database on the server. But this should be done with the user in mind , meaning the user should not take to much time on this .. ( one tap registration maybe ) <<--- how secure is the server you sent me the link for ?

You can use our login API calls to log the player consistently into their user account. There are a number of good, secure login methods available - Google being one of them. For the data you are storing about players though, anything you store beyond what's in the PlayFab profile you'll need to build your own PII logic around, including accommodating the "right to be forgotten" rule for EU users.

> 2. Encrypting send and retrieve data + update user data from the server (NoSQL database maybe ? )

You can use any database that can accept a Web API call. The websocket method described sends a Push message to your server, while the http.request call in Cloud Script could be a Push, Post, or Get.

> 3. Scaling the application in case of over 100k users .

The PlayFab side of this can scale to millions of users without issues. I would highly recommend something like AWS DynamoDB (which does have a Web API interface) for the data you'll need to manage, so that you can scale it effectively to high usage levels.

> 4. People disassembling the application and finding the secret key and ip of the server and cheating or creating DDos attacks + Man in the Middle attacks...

Correct - as stated, you want to have our service be the middle-man for this, to protect you, and you should never have any secret keys in the client code. Anything the client has, hackers have.

> 5. Cheating and changing values using Cheat Engine ( but that should not be the case given the fact that the client is only a dummy and everything should be done on only the server).

You'll always have to consider ways the client could be compromised, but using Cloud Script as the middle layer lets you update that logic whenever you need to, to adapt to what you're seeing "in the wild".

> 6. Deploying and update and push notifications ( If I remember correctly you already have that functionality in place )

Yes, we have Push Notifications, and the Title News service gives you a simplified way to do Message of the Day type updates for your players.