Hi @alex11paulescu, @CodeSmile
We appreciate your questions and concerns!
I’ll attempt to respond by providing the explanations (that I am aware of) on why RC chose not to include cache encryption so far:
While encrypting cached data is not too difficult to implement, various concerns have prevented the use of encryption for cached data:
- Performance & Simplicity: Encryption and decryption processes can add overhead to read and write operations and complexity to the implementation
- Resource Efficiency: Encryption typically requires additional computational resources, such as CPU usage. (This might be an issue, especially on resource-constrained devices.)
- Compatibility: Some caching systems or platforms may not support encryption natively or may have limitations on the encryption algorithms that can be used. (For the Android platform, this is especially true.)
As a result, we recommended that users attempt to avoid storing sensitive or important data in the cache file.
The way the RC works is that upon initializing, cached values are loaded by default, and then only if the RC fetch call is successful, those values will be overwritten, cache file included.
To your point, that would enable the possibility of changing the cache file on the device while the internet is unavailable, but as soon as the RC fetch call is successful, values will alter as you mentioned.
It’s worth noting that similar cheating could potentially occur even if the cache data were encrypted.
Hackers could intercept and modify the requests between the game client and the Remote Config service, bypassing the cache entirely.
You bring up a good point: while encryption can enhance security, a comprehensive approach would be needed to prevent cheating - including encryption, integrity checks (checksum or timestamp as @CodeSmile suggested), and maybe even server-side validation.
Unfortunately, it might not be evident when a complete solution including encryption for the cache data can be put into place given the priorities and resources that are currently available.
Once again, thank you for your input. We will absolutely take this feature into consideration.
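
An integrity check of the kind mentioned in the post above (a keyed checksum plus a timestamp over the cache file), as an added example that is not Unity's or Remote Config's code: `SealedCache`, `Seal`, `TryOpen`, the file layout and the sample key and payload are all assumptions. A key shipped inside the client can be extracted, so this only detects casual edits of the file, and server-side validation is still needed for values that matter.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example, not Remote Config code; SealedCache, Seal and TryOpen are hypothetical names.
public static class SealedCache
{
    // Assumed file layout: "<unix seconds>\n<base64 HMAC-SHA256>\n<payload>"; the tag covers timestamp and payload.
    public static string Seal(string payload, byte[] key, DateTimeOffset fetchedAt)
    {
        string ts = fetchedAt.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture);
        return ts + "\n" + Tag(key, ts, payload) + "\n" + payload;
    }

    // False means: ignore the cache and use built-in defaults until a fetch succeeds.
    public static bool TryOpen(string file, byte[] key, DateTimeOffset now, TimeSpan maxAge, out string payload)
    {
        payload = null;
        string[] parts = file.Split(new[] { '\n' }, 3);
        if (parts.Length != 3 || !long.TryParse(parts[0], NumberStyles.None, CultureInfo.InvariantCulture, out long ts))
            return false;                                   // malformed file
        if (!FixedTimeEquals(parts[1], Tag(key, parts[0], parts[2])))
            return false;                                   // payload or timestamp was edited
        long age = now.ToUnixTimeSeconds() - ts;            // device clock is player-controlled: bounds staleness only
        if (age < 0 || age > (long)maxAge.TotalSeconds) return false;
        payload = parts[2];
        return true;
    }

    static string Tag(byte[] key, string ts, string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(ts + "\n" + payload)));
    }
    static bool FixedTimeEquals(string a, string b)         // run time does not depend on where the strings differ
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key");        // constructed sample key
        var t0 = DateTimeOffset.FromUnixTimeSeconds(1700000000);            // constructed fetch time
        string file = Seal("{\"coinMultiplier\":1}", key, t0);              // constructed sample payload
        Console.WriteLine(TryOpen(file, key, t0.AddHours(1), TimeSpan.FromDays(7), out _));                       // untouched file
        Console.WriteLine(TryOpen(file.Replace(":1}", ":9}"), key, t0.AddHours(1), TimeSpan.FromDays(7), out _)); // edited value
    }
}
```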