What stops hackers from authentication?

I'm not trying to solve a direct problem, just trying to understand things a bit better, in particular what goes on when using authentication.

So for example I should not put an encryption key into the app, because people can decompile and read it. But what about authentication? Isn't all the info they need for that in the app as well? What stops hackers from decompiling and simply authenticate themselves and then make all the API calls with all the data they want?


Nothing can really stop a malicious user from decompiling the client or calling our services directly through REST apis. Obfuscation could help hide the client code but it wouldn't hide the network traffic

For authentication, they won't be able to access other players accounts as those require credentials. They can create new player accounts but this doesn't provide much value by itself.

When interacting with other services (cloud save, economy, leaderboards, etc), then there are security concerns and this is why we have a few solutions to help secure games.

  • Cloud Code lets developers create logic that runs outside of the client to prevent abuse.
  • Access Control lets developers block operations from being called from clients

It's up to every developer to choose what type of security features best fits their game

Does that answer your question?


Thanks for your quick answer!

What I don't quite understand yet is why cloud code is more secure if they can just authenticate a decompile app and call all the cloud code they want. Would the security part then be more like logic, e.g. this cloud function has been called too often, or maybe for in app purchases double check that against some other info?

If you or anyone knows some resources on this topic I'd really appreciate it. I understand that full security does not exist but I'd just like to get a deeper understanding of it so I know what is some low hanging fruit to prevent hacking and at what point am I wasting my time etc.

Cloud Code provides you the platform to build your custom secure logic, then it's up to you to decide how you leverage that for your game

Ideally you don't want to pass the values (score, currencies, etc) to your script directly

You can send the actions the player did and let the cloud code script validate that they are valid in the current context & calculate the score and rewards so that the client never sees any of that logic. (this can also let you modify this logic without making new builds making it easier to improve your game)

You could be keeping state of where the player is at through the session (using cloudsave) and validating at the beginning of each cloudcode script that the player is actually in the right state to run the current logic - this can make replay attacks harder since you need to be in the right state for that script to work correctly