Safest place to store something like an encryption key in game data?

Hello.

Long story short, I’m creating a game with a custom server where users can upload/download levels and rate them, with user accounts etc, and I’m also using it as an example for a thesis I’m writing.

While I solved most of the security issues such as blocking hackers from stealing passwords etc, I’m still stuck with the rating part: in theory, someone could rate or download a level only once; but an hacker might find the procedure to send such files easily by tracking the $_POST data and after that, perform mass subscriptions and upvote/downvote several times a level, discouraging real users. Or, even worse, cause network congestion by sending terribly large files disguised as levels, several times per second.

To avoid this annoying scenario, I could make PHP script identify if a POST had been sent by the game or some hacker’s tools, but there is no straight way to do so (as far as I know)

So the best idea i came out with is to have a “security key” stored somewhere in the game and send it via post (encrypted). This should work as a safety check to ensure that a post had been sent by my game.

However, where should i store such a key? Cause an hacker could find quite easily an hard-coded password (or the key to decrypt it) or an xml file in the game data if he really wants to . And if i store it into a server and retrieve it, an hacker could do the same (or get it from the game data anyway).

Now: i know that mine is a game and not a banking system, so there is a point where someone can just “stop” trying and acknowledge the fact that trying harder is a waste of time compared to the needs.

Anyway I’d like to ask you guys if there is a really “safe” place in unity where i could store security passwords. Or just how to stay sure that a POST had been sent by my Unity game.

You have user accounts, so can’t you just verify if this user has already voted? Maybe use for each user a unique identifier instead of a simple ID, so a hacker can not just simply “try” posting with different ID’s and the identifier could also be matched to something like SystemInfo.deviceUniqeIdentifier…?

Hi
I already check if an user had already voted. As I explained above, the risk is not having a fake user liking multiple levels. The issue is having tons of fake users liking the same thing / uploading the same gigantic thing.
As for SystemInfo.deviceUniqeIdentifier, it wouldn’t change anything as the hacker could easily use a random value.

How can a user fake like or downvote if you always sending his user credentials / a valid session id with every request, so you can validate that it is a valid request from your application.
The question is how reliable is it that the users you have registered are legit users.

Actually it’s the same thing I said from the begin but with different terms.

Simply, the hacker could perform a POST to create an account with a “fake” app. Multiple times a minute. Then with the same app use such credentials do the rest. It’s supposed that if the hacker is smart enough to replicate the subscription method he can also authenticate (even with encrypted data) and send trash to the server like nothin

Well, there’s just so much you can do. If it’s client-side,in theory it can always be decompiled and reverse-engineered. Server-side you can take better measures. First, if it is so easy to automatically create tons of fake users and then abuse these apparently unverified users to make tons of fake votes with a legit session-ID within minutes all from the same IP, then there’s not a lot of verification in place. It shouldn’t be possible to create so many users in the first place. How do you handle those sign-ups?

Actually it’s 100% possible with fake applications. You’re understimating what an hacker can do. I could do such a thing by myself too if i wanted

What you can do is require a authentication via Email + a Capture that the user has to solve.
Without that the user account is not active and can not make any requests.
That will slow “Hacker” down a lot.

Its a question of ho much effort you want your normal users to get trouw to get a failsafe system running.

It wouldn’t work, since there are also “unregistered” users in my game (basically an hidden script which requests and gets an ID and password from the server). Did you ever play geometry dash? There you can upload levels and vote without even registering. My game is the same in such terms.

That’s why I’m not looking for solutions bond with my game logic.

Steganography (hiding code in an image). Unity game TerraTech uses it. You can share images of vehicles you created. Code is hidden in the image to allow the vehicle to be loaded into the new user’s game. The same technique can be used to hide keys.

I’m sorry, but that would be the worst idea ever! Steganography is just as breakable as anything written in clear! So if someone can get the code (which is exactly what i’m scared of), he could easily find the image (maybe even easier) and decipher it in a matter of minutes.

Even if i protect it with a password, the hacker could easily find it as he could find the security key i was talking about on the first post, and even if i store it on a server he could decipher it.

Sorry, not suitable at all.