Hello, I made my first game and I have publish it to android ! I am thinking to also publish it to iOS and Facebook games or html5,
My question is how secure is my code in each of this platforms
Thanks
Incredibly, unless you use an incredibly robust obfuscator, but even that just makes the job annoying rather than impossible.
Yes, but this doesn’t even require source code access.
Any software that is exposed to a user can have its source code decompiled.
So they can find my secret api keys from source code ?
Is there any way to protect from changing private string and prevent them from pressing where they shouldn’t (disabled buttons)
Do not store your API keys in your source code.
No code that you execute on the client computer can always be tampered with
Some say Unity is less secure than let’s say UE since it’s MSIL and easy to decomopile.
But relaying on that is called security by obscurity and it’s naive and dumb
Code can always be analyzed. It may not be in the original form but that just means the person has to reverse engineer the machine code (or bytecode in the case of C# and Java) making up the program. Obfuscation only slows down the hackers with the least experience.
Both of these are completely possible. If you need data to be secure you need to store it on a server. Any data stored in a client is best treated as data that is compromised.
Only way to do it is with remote play, where the game runs on your machine (your server) and the player sends the keyboard input to the server and he gets the video output to his machine.
Like @Ryiah said, anything thats on a user machine can be hacked.
Every api service that uses keys has documentation bolded or yelling at you in some way not to store them on the client, and how to handle it securely. So you ignored that or didn’t bother to read the docs.
Strings are the simplest thing to get at, there is even a program called strings that literally comes with every version of linux and mac and from a free MS published tool on windows. So ya someone can take educated guesses at what services you use, or just peak at the network traffic via something like fiddler, then grab your keys as they are usually very easy to identify, and go destroy all of your data or alter it or do any number of bad things.
Try disassembling your own game yourself. It’s very easy to do, and it’s the best way to see first hand how easy your source code will be to access.
If you don’t want people to read your code, do not give your application to people. Develop server, or very limited streaming application.
Ok actually I put my api code in the plugin asset field (I assume this is the correct way) but what about my admob ids or if I want to add a send email function most tutorial need emaik password in script
You use a server.
Assume anything on the client can be read and changed by anyone.
Using a Mono backend build makes getting your C# source code trivial. IL2CPP means they won’t be getting back your original C# code with a single tool, but they can easily get assembly code or possibly C++. With a lot of work it is possible to get back the C# code, but unlikely anyone would put in the effort unless a tool has been created I’m unaware of.