schweizerbenjamin97 asked

SSL Encryption

Hi,

Is it possible to modify some data and send it to the PlayFab server?

Because I have important data which should not be changed by anybody...


1 Answer

brendan answered

Could you clarify the question? We require that SSL be used for all API calls to the service, specifically to prevent (as much as possible) man-in-the-middle attacks. But the data is coming from the client, and so a hacked client could be sending whatever data it wants to - that's why we recommend using server authoritative logic for anything that requires security. You could use Cloud Script or custom game servers, depending on the complexity of the server-side logic.

4 comments

schweizerbenjamin97 commented ·

Okay, so let's say I have some data (integer values). I know that this data is secure on my device (it's encrypted and cannot be changed in RAM...)

Now I want to send this data to the PlayFab server to store it in user data. Can anybody change this data? Can I prevent hacking with some techniques? (AES Decryption is not an option because I have to modify this data in the game manager)

Can anybody decompile my code and look at how I send data to the server? Can this guy send "wrong" data to the server after compiling my code again?

Maybe I'm too concerned, but if my game has a lot of players it's a big fail when someone can hack it easily.

How do big companies protect themselves against hackers?

brendan replied to schweizerbenjamin97 ·

One of the more common attacks is to use a locally signed certificate to view the packets and so be able to compose your own calls (potentially using a tool they write themselves - no need to decompile/recompile your code specifically). The most secure you can get is to have all your game logic live on the server-side, so that the client is only an input and rendering device (and even then, you have to check those inputs) - that's specifically how the most secure games operate (and it is the most expensive option). What you need to do is decide how secure your game needs to be. Most casual games, for example, are fairly insecure - all the data lives locally (a good encryption library makes it harder for a hacker to modify the local data, but technically it can't make it impossible). In the case of those games, they're checking the player results when they're reported on the server side (scores and times are reasonable, etc.) before accepting the results. But if your game absolutely requires security, you should consider moving as much of the logic as possible into custom game servers.

schweizerbenjamin97 commented ·

Hmm, is it secure if I encrypt this data on my client with a secure key that the PlayFab server sends me over SSL? Or can this key be modified as well?

brendan replied to schweizerbenjamin97 ·

Well first, the data is on the local machine. Even with an encryption library, it's actually not technically possible to make that 100% secure. A sufficiently technical hacker would still be able to get to the memory and change it. Bear in mind that the client itself has to have a way to read the data - otherwise it's useless. So all the logic used to decode the data is on the local machine. Good libraries do exist that make this challenging, but they cannot guarantee security.

So in terms of encrypting the data you send up, again, that's all taking place locally. So while you can encrypt things you write to player data, for example, and that will help to prevent less technical folks from manipulating the data, that cannot guarantee that the data cannot be changed locally.

Basically, if the data is on the local machine and the client can access that data, a sufficiently technical person can find a way to hack it. That doesn't mean you shouldn't use encryption tools such as you describe - they're a great way to raise the difficulty bar. But don't count on them being 100% effective.

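The server-side result check brendan describes in the thread above (accepting reported scores and times only when they are reasonable), as an added example that is not part of the original thread and not PlayFab's own code. The function name, field names and limits are hypothetical; the check is meant to run in server-side logic such as Cloud Script or a custom game server, never in the client.

```javascript
// Added example: plausibility check for a client-reported result.
// All names and limits are hypothetical; tune them to your game's rules.
const RULES = {
  maxScorePerSecond: 50,  // fastest legitimate scoring rate
  minDurationSec: 10,     // shortest possible level
  maxDurationSec: 3600,   // longest session the server will accept
  clockToleranceSec: 5,   // allowed gap between client and server timing
};

// report:  untrusted values sent by the client.
// session: values the server recorded itself when the run started.
function validateResult(report, session, nowMs, rules = RULES) {
  const reasons = [];
  const { score, durationSec } = report;

  // Reject anything that is not a non-negative integer before doing math on it.
  for (const [name, v] of Object.entries({ score, durationSec })) {
    if (!Number.isSafeInteger(v) || v < 0) {
      reasons.push(`${name}: not a non-negative integer`);
    }
  }
  if (reasons.length) return { accepted: false, reasons };

  if (durationSec < rules.minDurationSec || durationSec > rules.maxDurationSec) {
    reasons.push("durationSec: outside allowed range");
  }
  // Compare the client's claimed duration with time measured on the server.
  const serverElapsedSec = (nowMs - session.startedAtMs) / 1000;
  if (durationSec > serverElapsedSec + rules.clockToleranceSec) {
    reasons.push("durationSec: longer than server-measured session");
  }
  // The score must be reachable in the time claimed.
  if (score > rules.maxScorePerSecond * durationSec) {
    reasons.push("score: exceeds maximum scoring rate");
  }
  return { accepted: reasons.length === 0, reasons };
}

// Constructed sample inputs: the server saw 120 s elapse for this session.
const session = { startedAtMs: 1000000 };
const now = session.startedAtMs + 120000;
console.log(validateResult({ score: 4200, durationSec: 118 }, session, now));
console.log(validateResult({ score: 999999, durationSec: 118 }, session, now));
console.log(validateResult({ score: "4200", durationSec: 118 }, session, now));
```

Only the values in `session` are trusted here, because the server recorded them itself; everything in `report` is treated as attacker-controlled even though it arrived over SSL.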