Hello Unity Community!
I’m developing a 2D game that will be for Android and IOS (eventually). I’ve built a level editor within my game, and I’d like to have it so users can (1) Log into the game, (2) Create a level, (3) Upload that level to my server, and (4) Download and play other users levels. I have step 2 done, and have made a script that stores the created level into a file.
My concern here is that on Android with it’s very easy to open an APK and edit the files within. Although I don’t care if they can mess with values and code of the game itself, I want to prevent users from being able to destroy/overwrite other users files on my server by changing the code so they appear to be another user.
Can you see an easy way of securing this? Or is there a simple way to encrypt the entire app?
What you could do when a user uploads a level, link the level to the user in a database. Associate the level with the user ID so when other users try to overwrite a level they can’t do it because the level isn’t linked to their account/user ID. Always do server side validation, never ever on the client unless it’s something like checking if an input field is filled in. If someone decompiles your game they can see where data is sent to and received from, but they still can’t overwrite levels without finding a way to fool your webserver. The idea is to make this as hard as possible so 99% of the people give up. When someone still manages to get through your security it’s time to find out how he got in and fix the leak.
Also, you could give every user a unique token every time they log in and every time they send data to the server. The user has to tell the server what token he has so the server can check in the database if it matches. Without a token or with an expired token the server denies your request. Ideally I would combine these 2 methods.