koobas.hobune.stream
Is Encrypted Playerprefs Safe Enough For Virtual Currency?
Hello there! So I'm making my first real Android game and I was researching about secure data storage for quite a while. I want to store things like virtual currency on the client side and I also want the process to be as simple as possible. I've found this on the asset store. Do you think it is enough to keep MOST players from altering their money and other important things? At first I wanted to use Soomla, but then I've found the thing above and I will be using Unity IAP.
most? maybe. ish. however, it only takes one person to get past it and make a solution available on the interwebs.
the code, even if obfuscated, can be used to break the encryption - you really need to have some sort of authoritative server handle those transactions. the client device can NEVER be trusted.
Maybe for a while, but it's not a good idea.
" I want to store things like virtual currency on the client side "
This sounds like leaving the lockpicking thief, with a lock to practice on. I recommend that you do NOT keep currency on the client side. Keep it, and all user stats, on the server.
If your user set gets large enough, some people WILL abuse it. Giving them with a file they can do whatever they want to, as often as they want to, is not going to help keep it secure.
If you keep it on the server (and adjust it ONLY with server-based code), then users will need to authenticate to access currency amounts, and unless they hack INTO your server, will NEVER be able to change the amount of currency they have (outside of the normal in-game-ways).
Yes. MOST players (ie: >50%) won't bother unless it's an online game. If it's strictly local single player, I wouldn't worry about the <5% who'd go and try to modify their files. However, from a security point of view, if you don't use online authentication and all the code to decrypt the currency is provided with the game, then a hacker has all the information necessary to hack it. Additionally, if using this currency is also not authenticated, then a hacker can trick the game into thinking it has "unlimited" currency without ever having to decrypt or encrypt the Playerprefs.
As a side note, since this is your first "real" Android game I suggest you not worry about this. This is considered a good problem to have. If you incorporate some sort of online leaderboard in which having unlimited game-currency will boost your score, you can just keep track of the leaderboard over time to see just how many people actually hack.
