mgambrell avatar image
mgambrell asked

client API security feature requests

I am concerned about the security implications of my data structures exposed to hackers through the client APIs. Specifically, today I am evaluating the trading and shared data systems. I would like to broker all those transactions through cloudscript. When clients can call these APIs, it's impossible to build a secure system. I feel that playfab's overall design seems to be to let players mess up their own stuff, as long as they can't mess up someone else's -- but when it comes to communication between players, that plan falls apart.

So what I need is:

1. All client APIs on the server as well -- otherwise there's no choice but to let the clients have their way with my data

2. Disable individual APIs or groups of APIs on the client -- otherwise, my brokering through cloudscript can be worked around by hackers on the client.

To be clear, my overall plan is to remove responsibility for everything from the client to the cloudscript, and that requires being able to do it from cloudscript, and being able to eliminate the client's access.

#1 is more important -- right now, I can't even explore the trading system in detail because the APIs dont exist on the server.

#2 is an admittedly abstruse scenario, and one that can be fixed in due time. However it seems to be analogous to closing ports you aren't using, which would be a basic security practice.

I'm also concerned about the integrity of the inventory system. Hackers can choose any combination of items I haven't analyzed and populate their inventory with it. They could buy items in impossible and untested combinations, or stuff that isn't on sale yet. I need all this under my control.

apisCloudScriptShared Group DataTrading
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

brendan avatar image
brendan answered

Yes, security of games is a key reason behind why we have the different forms of user data (regular read/write, read-only, and internal), and why we added the permissions model for the Client API (so that you can turn off any or all of the Client API calls).

You’ll be glad to know that one of our intentions with the introduction of the permission policies back in November is exactly what you describe – to add all the rest of the Client API calls to the Server API, so that you can manage that logic in Cloud Script or a custom game server. We don’t have specific dates for those updates, but we will be working to prioritize them over the next quarter.

However, can you clarify what you mean concerning inventory? There is no API call to grant items in the Client API – clients either are granted items by server-authoritative logic, or else they purchase them via the PurchaseItem call or the StartPurchase flow. And if you haven’t set a price on an item, it’s not possible for the client to purchase it with either of those.

1 comment
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

mgambrell avatar image mgambrell commented ·

Awesome, that's great! Thanks, I'll explore that immediately, and look forward to the unification of the APIs. I'm embarassed that I didn't find that admin stuff. I suggest you call it out in the top-level documentation for the "PlayFab Client API Categories" with a tiny note like. "Access to these APIs can be controlled with link-to-relevant"

Regarding the inventories, I was just spitballing, for spectators and posterity, but I should have mentioned purchasing. Whatever I said applies to purchasing. But don't worry about it. As long as I can block the client from calling APIs, it's my problem to deal with. Thanks for the trick with the item pricing though.

0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.