Singleplayer PlayerPrefs hacking - Inevitable?
So, I have a much too familiar scenario here:
I am creating a singleplayer game (for iPhone) that keeps track of player's inventory (goodies collected throughout the various game levels), in-game credits, experience points, and so on. I might even have some IAP items.
Unfortunately, what I keep hearing from the Unity user community is that users will always find a way to compromise the saved game data (Remember, I am only talking about singleplayer games here). My monetization strategy is to keep the game free while relying on the IAPs to generate much-needed revenue. So, here's a few questions I badly need answered:
What is the BEST method to save and load sensitive player stats for single-player games? (I know there's size restriction with PlayerPrefs but I am only worried about the security aspect of it for now).
Would the above "best method" be still vulnerable to player hacking?
Is there any way to at least ensure the integrity of IAP related data?
Any tips/advice will be much appreciated!
Commenting here cause I'd be curious to know the answers too :)
The only size restriction for PlayerPrefs is in the web player.
Some things about this matter are clear to me and others aren't. Can we go back to basics and illustrate how an ill-intentioned player messes with the data stored in PlayerPrefs? My doubts are mainly about the scope seen by them. Is it the keys and values in PlayerPrefs or any actual code handling it in our games?
IMPORTANT NOTE ... SecuredPlayerPrefs seems to no longer be live (the dev seemed to disappear! sad) .. but look for other alternatives for sale in the asset store. Hope it helps
FWIW for anyone reading this
There's now a package in the Asset Store for a few dollars,
that completely does encrypted PlayerPrefs...
http://forum.unity3d.com/threads/157606-Secured-PlayerPrefs-Release
hope it helps!!
Note --- what @asafsitner says below. Yes, the key has to travel (obscured) with the app. (Any decent programmer will know how to obscure the key really well.)
using unity's PlayerPrefs .. utterly useless, a non-starter
using encrypted PlayerPrefs (such as this package the guy made, "Secured PlayerPrefs") and properly knowing how to obscure a key in the compiled app ... 99% solution, good enough for all but banking
As @asafsitner points out .. sure, it's not an ABSOLUTE solution. But serious, proper encryption of the prefs, with a properly obscured key, is pretty much all you'll ever need even for the biggest-selling games.
(hell, get the key from the server if you think that helps - of course, that's EQUALLY unsecure if you're talking at a theoretical level: when you adopt a strategy "get the key from the server", of course, the damn app then CARRIES WITH IT THE ABILITY TO GET THAT KEY - heh. So it comes down to obscuring THAT passwd.)
honestly does it matter if a game save (for single player) is hacked?? every game I've ever played has been able to be hacked/modded/cheated..
it's up to the player whether they play fairly or not
Answer by asafsitner · Nov 18, 2012 at 08:42 PM
Encryption wouldn't help, since you'll have to store the key with the game, and it's the same as not having a key at all, only with additional overhead for decryption of the data.
Hiding it in plain sight (PlayerPrefs) is gambling, and since Unity is quite popular people know where to look for its things.
I think the only feasible way is to have a server - could be a small web server, could be custom-made (possibly more optimal since it has no widely known vulnerability unlike web servers, and requires custom hacking solution) - and a database and hold the data there, only sending to the player what he absolutely needs (**always sanitize your input!**).
If you want to protect data from the end user, don't ever give him direct access to it.
But using a server to send data forces the player to be online while playing, which is annoying
The constant war in Security vs. Comfort.
It's truly annoying, although many people using an iPhone have internet access in some form or another, via 3/4G or wireless.
It's possible to store encrypted data locally - without the key! - and only send it to the server periodically for synchronization, but as I said, the most secure way is to never store your data on the front-end.
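An added example, not part of the thread or any poster's code: a sketch of the server-side approach asafsitner describes, where the client keeps a save blob locally but the key never leaves the server. It uses an HMAC tag for integrity rather than encryption, and the server language (Python), the key value, the field names and the functions `issue_snapshot` and `verify_snapshot` are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: this key exists only on the server and never ships in the app.
SERVER_KEY = b"constructed-demo-key-not-for-production"
# Server-side record of the newest snapshot version issued per player.
latest_version = {}


def _tag(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_snapshot(player_id: str, credits: int, iap_items: list) -> dict:
    """Server: sign the authoritative state and hand it to the client."""
    version = latest_version.get(player_id, 0) + 1
    latest_version[player_id] = version
    state = {"player": player_id, "version": version,
             "credits": credits, "iap": sorted(iap_items)}
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload.decode(), "tag": _tag(payload).decode()}


def verify_snapshot(player_id: str, snapshot: dict) -> tuple:
    """Server: accept a snapshot sent back by the client only if it is
    untampered, belongs to this player and is the newest one issued."""
    try:
        payload = snapshot["payload"].encode()
        tag = snapshot["tag"].encode()
    except (KeyError, AttributeError, TypeError):
        return False, "malformed"
    if not hmac.compare_digest(_tag(payload), tag):
        return False, "bad tag"
    state = json.loads(payload)  # safe to parse: the tag proves we wrote it
    if state["player"] != player_id:
        return False, "wrong player"
    if state["version"] != latest_version.get(player_id):
        return False, "stale snapshot"  # an older save restored from a backup
    return True, "ok"


if __name__ == "__main__":
    snap = issue_snapshot("player-1", 100, ["no_ads"])  # constructed sample
    print(verify_snapshot("player-1", snap))
    snap["payload"] = snap["payload"].replace('"credits":100', '"credits":999999')
    print(verify_snapshot("player-1", snap))
```

The client can read the payload but cannot produce a valid tag for modified values. Progress made offline still has to be checked by the server before it issues a new snapshot.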
So, I was under the impression that the ONLY secure (or almost secure) way to keep the data integrity is to hook up with some sort of server-based services. Does anyone know who are the major players when it comes to hassle-free data save/load services?
I'd check out with **Player.IO**. They have a database solution, a CDN solution, a micro-transaction solution... they even have an API for Unity! And their customer support is great from my experience.
Since you're not using a lot of bandwidth and being single-player is presumably light on server load I think you will find their plans very lucrative. You might even be able to get away with the free plan for a while :)
So, I think I heard enough to confirm my fear - and that is to say PlayerPrefs will/can be hacked one way or another. I will need to explore subscription-based services (including asafsitner's suggestion) to ensure the player data integrity.
Please feel free to add more thoughts/insights to this thread. Much thanks for all the helpful input.