Singleplayer PlayerPrefs hacking - Inevitable?

So, I have a much too familiar scenario here:

I am creating a singleplayer game (for iPhone) that keeps track of the player’s inventory (goodies collected throughout the various game levels), in-game credits, experience points, and so on. I might even have some IAP items.

Unfortunately, what I keep hearing from the Unity user community is that users will always find a way to compromise the saved game data (remember, I am only talking about singleplayer games here). My monetization strategy is to keep the game free while relying on the IAPs to generate much-needed revenue. So, here are a few questions I badly need answered:

  • What is the BEST method to save and load sensitive player stats for single-player games? (I know there’s a size restriction with PlayerPrefs but I am only worried about the security aspect of it for now).
  • Would the above “best method” still be vulnerable to player hacking?
  • Is there any way to at least ensure the integrity of IAP-related data?

Any tips/advice will be much appreciated!

Encryption wouldn’t help, since you’ll have to store the key with the game, and it’s the same as not having a key at all, only with additional overhead for decryption of the data.

Hiding it in plain sight (PlayerPrefs) is gambling, and since Unity is quite popular, people know where to look for its things.

I think the only feasible way is to have a server - could be a small web server, could be custom-made (possibly more optimal since it has no widely known vulnerability, unlike web servers, and requires a custom hacking solution) - and a database, and hold the data there, only sending to the player what he absolutely needs (always sanitize your input!).

If you want to protect data from the end user, don’t ever give him direct access to it.

There’s an offline solution and it’s pretty simple:

  1. Each PlayerPref should be saved into a minimum of three values (say for gold, you make gold1, gold2, gold3 prefs). Each time the player earns something, you add it to all three prefs.
  2. Each level, you check if those equal each other. If not, you set all three back to the minimal one (or whatever you feel like punishing cheaters with).
  3. Since hacking is figuring a parameter change, they can’t change three parameters at once.

Hope it helps, cheers.
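
The three-copy check from the answer above, written out as an added example that is not part of the original post. The class and method names (`RedundantPref`, `Add`, `Verify`) are hypothetical; only the `PlayerPrefs` and `Mathf` calls are Unity's own. The check flags edits that leave the copies unequal, so it works as a tamper tripwire alongside, not instead of, the server-side storage described in the earlier answer.

```csharp
using UnityEngine;

// Hypothetical helper (not from the original post): keeps one stat in three
// PlayerPrefs keys, e.g. gold1, gold2, gold3, and compares them on demand.
public static class RedundantPref
{
    const int Copies = 3;

    // "gold" -> "gold1", "gold2", "gold3"
    static string Key(string name, int i) => name + (i + 1);

    // Step 1: apply every change to all copies.
    public static void Add(string name, int amount)
    {
        for (int i = 0; i < Copies; i++)
        {
            string key = Key(name, i);
            PlayerPrefs.SetInt(key, PlayerPrefs.GetInt(key, 0) + amount);
        }
        PlayerPrefs.Save();
    }

    // Step 2: call at the start of each level. Returns the value to trust and
    // sets 'tampered' when the copies disagree (a deleted key reads as 0).
    public static int Verify(string name, out bool tampered)
    {
        int min = int.MaxValue;
        int max = int.MinValue;
        for (int i = 0; i < Copies; i++)
        {
            int v = PlayerPrefs.GetInt(Key(name, i), 0);
            min = Mathf.Min(min, v);
            max = Mathf.Max(max, v);
        }

        tampered = min != max;
        if (tampered)
        {
            // Penalty chosen in the post: reset every copy to the smallest one.
            for (int i = 0; i < Copies; i++)
                PlayerPrefs.SetInt(Key(name, i), min);
            PlayerPrefs.Save();
        }
        return min;
    }
}
```

Call `RedundantPref.Add("gold", 50)` when the player earns something and `RedundantPref.Verify("gold", out bool tampered)` when a level loads; what to do when `tampered` is true is a game-design decision.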