koobas.hobune.stream
Security and crypt
Hi, i'm a new unity developer, i've a question for my app security. The first question is, when my app is compiled(apk, ipa) is 100% secure? there is a way to encrypt a string with a pubblic key and sent it to the server(aspnet with ssl) for decript whit private key? this question because i've a an idea for game online where user can win real money. for this reason the data send and received to server must be 100% secure and uncraccable. Thanks
Security is a broad concept... If what worries you is encrypting your outgoing traffic, then one way would be to use a secure connection (HTTPS) and connect to it from the game using the WWW class. Of course you need to make your server resistant against hacking and DDoS attacks, as security of a system is as strong as its weakest link and if the application makes real money, somebody will try eventually to hack into it.
And truth is, nothing is 100% secure.
thanks for the reply, so even if I make the server secure, it remains the risk of cracks of ipa or apk and then access the link to the API right?
Obtaining the link to your server is actually quite easy; you need only to have some tool that records outgoing URLs for http/https calls. The important thing is to encrypt the traffic in a way that allows both content confidentiality (no eavesdropping, i.e., listening to what you send) and trust (no impersonation, i.e., no sending of fake information by third party applications that are not yours). Of course, this topic far exceeds the Unity Answers. :)
In fact, my idea is to use public and private key between unity and servers for cifrate response if unity permits, but if you can unpack an build app the public key would be stolen
The communication should never be the real problem. The important thing is, rule No1: "Never trust a client". The client is not under your control, never! Strong security can never be implemented on the client.
Also there are two security concerns:
A third party attacker tries to intercept the traffic and manipulate the data.
The client itself tries to manípulate the data.
Transportation security such as HTTPS only works against the first kind of concerns. You can't do anything (100%) against the second.
While the transport of the data from client to server is more of less secure, what data the client sends is not. No one would try to "hack" into your API. $$anonymous$$ost hackers would simply decompile / alter your app to do what they want.
So all crucial decisions should be made on the server. The client just provides input. Don't tell the client secret information beforehand. For example behind which door is the prize.
You need more defensive program$$anonymous$$g
@xxstefanoxx: The point of the public key is that it can be known to the public. With the public key you can encrypt data which can only be decrypted with the private key. This only secures the transportation, not the client system.
