Can Unity code be exploited? Concerned.

Just read this. Does Unity have exploitable code? Can the devs make sure it doesn’t please?

http://www.watoday.com.au/digital-life/consumer-security/android-apps-leaking-personal-banking-details-20121023-282sj.html

The security vulnerabilities in question are programming errors. The applications did use cryptographic algorithms in an invalid way.

For instance, they did not check the SSL-key of the host they were talking with, so any valid SSL key was accepted. If you write code like that, it's only you who is to blame. No general purpose library can protect you from using their APIs in a wrong way.

When you read the paper linked in the news report, you’ll see that the researchers only checked the validity of SSL usages. Injecting code was then possible because the application trusted the attacker host and accepted the new code.

For you this means:

  1. If you do not use SSL, you are safe.
  2. If you use SSL, do it right. Use the paper as a guide on what to do.
  3. If you do NOT allow code to be loaded via the net, you are safe from malicious injections.
  4. If you DO allow external code, check that it comes from a trusted host.

No one will be able to protect you from your own programming errors.
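
One way to express points 2 and 4 in plain .NET C#, as an added example that is not part of the original answer: a callback that accepts everything next to one that rejects any validation error and pins the server key, plus a digest check on downloaded code that goes beyond the answer's trusted-host advice. `TlsChecks`, its method names and the pinned value are hypothetical placeholders, and it assumes the app's HTTP stack honours `ServicePointManager`.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class TlsChecks
{
    // Placeholder (assumption): hex SHA-256 of your server's public key bytes.
    const string PinnedKeySha256 = "REPLACE_WITH_HEX_SHA256_OF_SERVER_PUBLIC_KEY";

    // Weak pattern: every certificate is accepted, so the client cannot tell
    // the real server from any other host that answers the connection.
    public static bool AcceptAnything(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }

    // Strict pattern: reject on any chain or host-name error reported by the
    // platform, then require the key to match the pinned value.
    public static bool ValidateStrict(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null || errors != SslPolicyErrors.None)
            return false;
        return HexSha256(cert.GetPublicKey())
            .Equals(PinnedKeySha256, StringComparison.OrdinalIgnoreCase);
    }

    // Downloaded code is loaded only if its digest matches a value that
    // shipped with the application.
    public static bool IsExpectedPayload(byte[] payload, string expectedSha256Hex)
    {
        return payload != null && HexSha256(payload)
            .Equals(expectedSha256Hex, StringComparison.OrdinalIgnoreCase);
    }

    static string HexSha256(byte[] data)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
    }

    public static void Install()
    {
        // Applies to HttpWebRequest/WebClient connections made by this process.
        ServicePointManager.ServerCertificateValidationCallback = ValidateStrict;
    }
}
```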