security concerns

Hello, I have finished building my 2D game and the DB; one thing that concerns me is security.
My game app uses ads as points of currency.

So my app simply works like this:
The player watches an ad and gets a point, and that point allows him to play a level; without that point, the player can’t play.
Ads will be provided by Google and Unity.
Does the Google/Unity API insert the coin directly into my DB (“backend”) or into the player profile (“front end”)?
The app DB will be stored on my server (“backend”).

Can anyone crack the APK file and modify it to insert more currency?
And how do I prevent hackers from injecting points of currency?

thanks everyone.

Welcome to the Unity forum.

“Can anyone crack the apk”:

Yes, pretty much everyone.

“how to prevent hackers”

If your point logic is on the client you can only annoy them. If you need absolute security you have to put all your logic on the server. Some ad networks implement server side callbacks for rewarded ads exactly for that reason. So your answer is to insert the points in your DB directly.

Don’t be concerned about security. Be more concerned about visibility (marketing) as that is the one key factor deciding the financial success of most games.

thank you very much

So the AdMob API should communicate with my DB, and the front end should be only a GUI without any functions at all, with everything stored in the DB?

Yes, exactly that. But only if you really need that security.
Be aware that this kind of setup does not scale well. The more users you have the more server power you will need.

Please consider that just because you add your points on the server does not mean it is unhackable. As long as the evaluation of whether the next level can be played is done on the client, you are still allowing the hackers to circumvent it. To prevent this really, truly ALL (like every damn piece of logic) has to be done on the server.

If it’s worth the trade is your decision.
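As an added illustration (not code from this thread or from any ad network's SDK) of the two points made above: points are credited only by the ad network's server-side callback, after the server checks the callback's signature and rejects replays, and the "can this player start a level" decision is also taken on the server, so a modified APK has nothing to inject into. The signing scheme, field names and secret are constructed for the demo; a real network's callback format differs.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed demo secret: real ad networks use their own signing scheme
# (typically public-key signatures you verify with their published keys);
# HMAC with a shared secret stands in for "a signature only the ad network
# can produce". The client never sees this value.
AD_NETWORK_SECRET = b"constructed-demo-secret"


def _signature(params):
    """Sign the callback fields in a canonical order (demo scheme, not a real network's)."""
    unsigned = sorted((k, v) for k, v in params.items() if k != "signature")
    return hmac.new(AD_NETWORK_SECRET, urlencode(unsigned).encode(), hashlib.sha256).hexdigest()


def sign_callback(params):
    """What the ad network's server would do before calling our callback URL (demo)."""
    return {**params, "signature": _signature(params)}


class Backend:
    """Authoritative state lives here; the client is only a GUI over it."""

    def __init__(self):
        self.points = {}         # user_id -> points earned from rewarded ads
        self.seen_txns = set()   # transaction ids already credited (replay guard)

    def credit_reward(self, params):
        """Handle the ad network's server-to-server callback. Returns True if credited."""
        if not hmac.compare_digest(params.get("signature", ""), _signature(params)):
            return False  # forged or tampered callback (e.g. a client-modified reward_amount)
        txn = params["transaction_id"]
        if txn in self.seen_txns:
            return False  # the same callback replayed to farm points
        self.seen_txns.add(txn)
        user = params["user_id"]
        self.points[user] = self.points.get(user, 0) + int(params["reward_amount"])
        return True

    def try_start_level(self, user_id):
        """Level gating is decided here too: the client asks, the server spends the point."""
        if self.points.get(user_id, 0) < 1:
            return False
        self.points[user_id] -= 1
        return True
```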

Thank you again. Is there any way to calculate how much traffic each user generates before deciding on going that route (hosting everything on the backend)? Hosting is not cheap, and neither is hiring a good developer.

I don’t have any experience with full server side games. I always do a mix (90% client + 10% server validation to annoy the cheaters). But I am sure it heavily depends on how often you send commands, how big your game state is and how often you sync it down.

To roughly estimate outbound traffic I’d look at the size of the game state in serialized compressed form and multiply that with the sync frequency. That would be your upper bound. Obviously that’s too big but it will give you a rough idea what volume of data you are expecting.

I’d guess that outbound traffic will not be your first problem. Server CPU power/RAM and internal traffic to your DB could be. Just imagine having 1000 players playing the game at roughly the same time. The server(s) will have to access the DB, keep the state in memory and run the logic for all of those. If your game is f2p, which I presume it is because of the ads you mentioned, then 1k players is not that many.

You have been a lot of help my friend, I can’t thank you enough.
Another annoying question: can you go more into the 90% frontend / 10% validation on the backend?
I thought that fetching only user info from the DB would not be a huge traffic or server load.

Security from what? Ze Germans? Hackers? The government? What is your threat model?

If you’re concerned about the user ‘hacking your save files,’ or ‘cheating in your game,’ just don’t be. There’s nothing you can do about it. Nothing is secure, it is not your computer, it is the user’s computer. If it must be secure, store it on your own server and have the user connect to download it.

Anything else is a waste of your time and the only person you’re going to inconvenience is yourself when you’re debugging the game and you have savegame errors. Work on your game instead.

Remember, it only takes one 12-year-old in Finland to write a script to read/write your game files and everybody else can now use that script. Read about Cheat Engine to see more ways you cannot possibly control this.

The good news is that most likely nobody will care enough about your game to bother, so you’re safe.

And as far as stealing your code or assets, don’t bother trying to stop that either:

https://discussions.unity.com/t/854519/7

1 Like

Listen to what Kurt-Dekker said. Skip Security for now.
The 10% was referring to validating user score on upload for highscore tables. Which I only did AFTER I got complaints (making me aware of the problem). Don’t do it unless you need it :)

2 Likes

thank you.

1 Like