koobas.hobune.stream
Is Unity remote settings secure?
I'm looking for making my game communicate with a server with REST api. Assuming I want to use basic authentication (or maybe JWT Authentication), is it safe to use remote setting for the server url and authentications infos?
If anybody as already do that with an Unity game, any feedback are welcome :)
Thanks for the help.
Same question here. Since we can't just put the base URL and auth infos in PlayerPrefs, even more so as declared values of static variables, etc... and since Unity doesn't promote the obfuscation of developer codes, encrypted keys can easily be decrypted https://support.unity3d.com/hc/en-us/articles/205838999-Do-you-have-advice-on-how-to-obfuscate-C-code-
It'd be wonderful if we can use Remote Settings to hide those values. Has anyone tried using Remote Settings for this purpose? Is it secure enough for the purpose?
According to this Unity doc https://docs.unity3d.com/ScriptReference/RemoteSettings.html
The web service from which Unity downloads the Remote Settings configuration is read-only, but is not secured. This means that the configuration could be read by third-parties. You should not put sensitive or secret information into your Remote Settings. Similarly, the saved settings file could be read and modified by end-users (although any modifications are overwritten the next time a session starts with an available Internet connection).
I've yet to encounter some steps to replicate the issue on my end to verify it being not so secure though. :) Has anyone tried doing it?
EDIT: Anyone can read whatever is fed to the game from Remote Settings (or any other service) and vice versa by listening to the calls through Charles Proxy. https://forum.unity.com/threads/has-anyone-tried-reading-modifying-the-saved-remote-settings-file-on-client-side.533598/
