Keep and secure user data for a multiplayer game.

Hello.
I’m trying to figure out the best and most secure way to keep user data (accounts, money, items) for a multiplayer game on mobile.
Here are some ways I thought of:

  • Remote Database: Seems the safest to me; the only way to change the data (if there are strong security checks before doing anything) is to breach into the database and modify it. On the other hand, users must register first, and even if it takes about 20 seconds, I saw that the majority of games don’t have a login/registration screen, so I guess it is not a good idea for the mobile market.
  • BinaryFormatter: Having an encrypted file on the local storage, maybe in persistentDataPath, containing all the user data. I don’t know how safe it is.
  • BinaryFormatter + Checksum: Here is one way I like: basically, when the file is modified through the game (when the game saves current data), I generate a unique key (SHA256) and save it in a database. On startup and sometimes at runtime I check if the local file’s SHA256 value is the same as the one in the database; if it is, nothing was changed, and if it is not, I throw a data corruption error.

Am I on the right track? Which would best fit a mobile game? Are there other ways?
Thanks!

If you keep data locally, users may modify it and you may not sync their accounts between devices. The only option is a remote database. You may register users automagically, assigning them a user ID on first connect or using the Google / Apple / Facebook / whatever social ID they log in to your game with.

Thank you for your answer.
But how could I do that (I would like to stay away from socials) without bumping up a login/registration screen to the users?
I understood auto-registering them on their first start of the game, but where should I keep this login ID to allow them to log in on later sessions?
I thought about a file stored on the device, but if users can modify data they can also modify that file with the ID inside.

Hmm, what about storing the SystemInfo.deviceUniqueIdentifier? Associating it in the database, so on every startup the client sends the device identifier and retrieves its data.
What do you think?
Thanks.

Yes. That’s what passwords are for. A user can write any ID to the login ID file, but can’t log in with just any ID because he can’t know the secretly generated password of another user unless he steals the file from him, but that’s the cops’ job, not yours.

Oh okay, so you are saying to save an ID and a hashed password in a file (maybe BinaryFormatted).
On startup the user gets logged in with those values, so if he modifies something he will simply not get logged in.

That’s a really cool idea. I’m just wondering about what happens if someone has to change his device; maybe I will integrate a “register” function that also saves the email in case the user has to change it.

Or simply, users can save the account file and put it on their new phone.

Hey thank you so much, you’ve cleared my doubts!
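
The scheme the thread settles on (auto-registration on first launch, with the login ID and a secretly generated password kept in a file on the device), sketched as server-side logic. This is an added example, not code from any poster; `AccountStore`, its method names and the in-memory dictionary standing in for the remote database are assumptions, as is the choice to store only a SHA-256 hash of the random secret on the server.

```python
import hashlib
import hmac
import secrets


def _digest(secret: str) -> bytes:
    # The secret is 32 random bytes, so a plain SHA-256 is enough here;
    # a user-chosen password would need a slow password hash instead.
    return hashlib.sha256(secret.encode("utf-8")).digest()


class AccountStore:
    """In-memory stand-in for the remote database (hypothetical names)."""

    def __init__(self):
        self._accounts = {}  # user_id -> {"secret_hash": bytes, "money": int}

    def register(self):
        """First launch: create the account, hand the credentials to the client.

        The client writes (user_id, secret) to its local file; the server
        keeps only the hash, so a database leak does not expose logins.
        """
        user_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._accounts[user_id] = {"secret_hash": _digest(secret), "money": 0}
        return user_id, secret

    def login(self, user_id: str, secret: str) -> bool:
        account = self._accounts.get(user_id)
        # Unknown IDs are compared against a dummy hash so both paths do the same work.
        expected = account["secret_hash"] if account else _digest("")
        matches = hmac.compare_digest(expected, _digest(secret))
        return account is not None and matches

    def load_profile(self, user_id: str, secret: str) -> dict:
        """Game data lives server-side and is returned only after login."""
        if not self.login(user_id, secret):
            raise PermissionError("invalid credentials")
        return {"money": self._accounts[user_id]["money"]}


if __name__ == "__main__":
    store = AccountStore()
    alice_id, alice_secret = store.register()   # constructed sample users
    bob_id, _ = store.register()
    print(store.login(alice_id, alice_secret))  # own ID and secret
    print(store.login(bob_id, alice_secret))    # ID edited in the local file
```

Because the credentials rather than the device identify the account, copying the file to a new phone keeps working, and anyone else who obtains the file gets the same access.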