Protecting Unity APK (why is unity apk so easily hacked, just unzip it, its hacked :O)

How can we protect our unity apk

using IL2CPP?
how to protect my scripts and assets. Ok assets are a curveball. You cant protect them 100%. I get it. But scripts? how do we protect our scripts. Obfuscation?
any tools? recommendations please?

To what level can we secure our apks?

  1. level1: impatient players trying to get rewards.
  2. level2 : lazy, unethical, corrupt developers who feed on success of other indie game and hackers-by-hobby
  3. level3: casual hackers
  4. level4: hackers who put out hack on internet and that is their source on income.
  5. level5: professional hackers

Kindly respond.

You seem to have not much experience in development, am I right? There is no way to protect code or assets to 100% if you ship it to the user. If it executes on the user’s machine it can be reverse engineered. Many people praise IL2CPP as some sort of protection though it’s not really. Yes it adds a layer of obfuscation which makes it harder to decompile and to make sense of the code. However in the end the code has to run on a cpu core. If it can run, it can be decompiled / disassembled.

Your “levels” just don’t make much sense and are of completely different categories. Cheaters are not hackers. 99% of casual users do not have the knowledge to manipulate the game. So your first category doesn’t really exist. Your second category seems to target a completely different issue that someone actually steals your content (code / assets). Every category that follows just are not seperate categories at all.

Asking for recommendations is out of the scope of UnityAnswers as this would lead to an never ending stream of opinion and discussion which do not belong here.

In general if you find a common “general solution” to prevent cheating, it’s actually easier for cheaters to break it since it’s a known technique and more likely that there’s already a general crack / cheat out there. For example many use something like the SafeFloat struct as mentioned here. If it’s known that this is used it’s just a little bit more work to manipulate the memory of your game. Since every SafeFloat has the same structure it becomes a common / known technique. Yes, it helps a little bit but as I said, there more people use this technique the more likely there’s already a solution against it.

The only real solution to protect your code is to not ship it at all and run it on a server of yours. However that’s impractical for most games (unnecessary internet requirement, latency, additional cost for traffic and hosting). Also designing secure / tampering proof API is quite challenging.