Does Remote Config encrypt its locally stored cached config?

Hi! Just learned about Remote Config from watching the Unite talk. It looks amazing.

My questions is, I tried adding Remote Settings to my game before, but took it out because all the "settings" were stored in plain text in the game's save folder. This would leave the door wide open for very easy cheating by users on Android (or even easier .. PC for example).

I would like to know if Remote Config has fixed this yet?

 

I haven't actually tried the current Remote Config to see how it does things. Maybe after I do I will have some more specific feedback.

An idea is to have a secret key that is shared between server and client and is used for communication with the server and for saving to local disk.

I am working on a mobile free to play game with IAP.
I would use Remote Config to easily adjust game difficulty or in-game items and upgrades prices for example.
Specifically for Android it is easier to get at a game's save data, so if people find ways to easily edit the local Remote Config cache, then that could result in loss of IAP sales. It would probably not be a major loss though. Just a trade-off to think about when deciding to use it.

 

So with Remote Config the data is not stored locally in a file on disk correct?

@markychoi when you say there isn't an encrypted payload, is all the Remote Config data transferred to the client app via http? Couldn't you use https so at least it's not visible over the network?

Cheers,
Andrej

 

How can I ignore the cached values? When players play my game without internet they can edit manually the plain text remoteconfig.json and I really dont want this.

I attach my code. I want that in Cached case Unity dont do anything.
I even wish the remoteconfig.json file doesn't even exist at all.

 

The cached config can be looked in C:\Users\USERNAME\AppData\LocalLow\COMPANY\APPNAME

 

One of the issue is this use case :

1. On remote config I have stored "player X has Y coins"
2. Player download their config
   
3. Player open the cached remoteconfig.json
4. Player change Y coins to Z coins
5. Player disable internet connection
   
6. Player open the game and has Z coins (they are cheating)

 

I think when using offline play, what they wants (but I'm talking on their behalf, so I'm not sure) is to use the default value. The value that are in their code, not in the remoteconfig.json

So I think they should put a boolean "playingOffline" and change their code :

Code (CSharp):

1. playerCoins = ConfigManager.appConfig.GetInt("coins");

to

Code (CSharp):

1. if(!playingOffline)
2. playerCoins = ConfigManager.appConfig.GetInt("coins");

 

Yes, exactly. If player start the game offline, then I want to use my default values settings from code not modified in any way from Unity Remote Config.

I assumed that would be the behavior when I leave "case ConfigOrigin.Cached" empty with only a break.

 

Yes, that would be better for me. And in case that I want to cache things (from a previous online session), I can make it by myself using the method that I want (a json file, playerprefs, etc, and possibly with my own encryption method).

I dont want an auto cached plain values without encryption.

If the auto-cached values come with encryption will be fine for me too.

--

In the case of my game, Im using Remote Config to set some values that affects the economy of the game.
Setting the price of fuel for example.
If players can access to that too easy, they can change the fuel price to zero.

 

What is the porpuse of switch(configResponse.requestOrigin) { case ConfigOrigin.Cached: ... } ?

 

@KaOzz what you can do (this is what I do) is to encrypt the value on the server with AES (like this one for example).
And decrypt inside the client's code.

Another solution is to prevent the player to play if they are not connected to internet (that's what a lot of mobile games do. Event single player game)

 

If I start my game offline (without any internet connection), RemoteConfig is always entering in "case ConfigOrigin.Remote". It never enter in "case ConfigOrigin.Cached". Is this a bug?

Im using Unity 2018.4.25f1, RemoteConfig 1.2.3 downloaded from Package Manager.
Tested on Editor and Android device.
--

@Fangh yeah, its one solution.

 

Before I found Remote Config today (which is awesome, loving it so far) I had a baby system kinda like this using json and cached locally on the users device. Whenever I'm writing or reading the file to disk, I put it through a really basic XOR encryption. It's just enough of a hurdle to disincentivize basic meddling without being much extra trouble for development. Just have some big random number baked in as a key to process it with.

Code (CSharp):

1. public static string XORFilter(this string input, int key) => new string(input.Select(c => (char) ( c ^ key )).ToArray());

Something like that might be good here. It's not bulletproof but it is simple to work with and is better than plaintext.

 

I'm getting exactly the same results, if I log out the requestOrigin, it's showing as Remote even when the device is completely offline.

When the device is online, logging out one of my test remote values shows as the correct remote server value (700) as expected. When the device is offline, the value is still being set to the remote value (700) inside the "Remote" section, even though it should really be getting left as the default value (650).

Also, in both cases (online and offline), the Debug.Log message "New settings loaded this session; update values accordingly" is being logged out, when I'm guessing if it's offline, it should really be logging out "No settings loaded this session; using cached values from a previous session" instead. Because of this, it looks like values actually are being cached properly, but the requestOrigin just isn't being returned properly.

I'm using Unity 2020.1.12f, and I've tested this with Remote Config versions 1.4.0 and 2.0.0. I've checked that this happens in both the editor on Windows, and on an Android device running Android 10.

I've included the code I'm using for this below, it's mainly based on the example in the Remote Config documentation:

Code (CSharp):

1.    
2. public class DataController : MonoBehaviour
3. {
4.     public static DataController instance;
5.     public static float aiSpeedDifficulty0 = 650f;
6.  
7.     private struct UserAttributes { };
8.     private struct AppAttributes { };
9.  
10.     private void Awake()
11.     {
12.         if (instance == null)
13.         {
14.             instance = this;
15.             DontDestroyOnLoad(gameObject);
16.  
17.             ConfigManager.FetchCompleted += ApplyRemoteSettings;
18.             ConfigManager.FetchConfigs(new UserAttributes(), new AppAttributes());
19.         }
20.         else if (instance != this)
21.         {
22.             Destroy(gameObject);
23.         }
24.     }
25.  
26.     private void ApplyRemoteSettings(ConfigResponse configResponse)
27.     {
28.         switch (configResponse.requestOrigin)
29.         {
30.             case ConfigOrigin.Default:
31.                 Debug.Log("No settings loaded this session; using default values.");
32.                 break;
33.             case ConfigOrigin.Cached:
34.                 Debug.Log("No settings loaded this session; using cached values from a previous session.");
35.                 break;
36.             case ConfigOrigin.Remote:
37.                 Debug.Log("New settings loaded this session; update values accordingly.");
38.                 aiSpeedDifficulty0 = ConfigManager.appConfig.GetFloat("aiSpeedDifficulty0");
39.                 break;
40.         }
41.  
42.         Debug.Log(aiSpeedDifficulty0);
43.     }    
44. }

 

Sorry about the slow reply, just saw this!

Yeah, I'm definitely not deleting the cache manually, I don't think I'm deleting any files at all anywhere in the app.

 

Hi, Is there any chance can I decide to not save my config to new file?
I got same issue, that we don't need to use cache file, but it still load from there

 

Hey again, just wanted to quickly check in and see if there's any ETA on this fix? Thanks!

 

That's right, I've just tested it again just there to be totally sure.

When changing one of the remote values to be different from the default in the app, the Remote Config picks up the new value correctly, and the origin is shown as Remote.

When taking the entire laptop offline and testing again, the value is returned as the previous online value, not the built-in default, showing that it's returning the cached value correctly, but the origin still shows as Remote when it should really be Cached.

 

Ideally, we would have all values updated from cache on startup, and then only some specific values updated from a remote origin, values which we know can be safely updated while the app is running and in use by the user.

Because everything is being returned as remote, we're stuck with needing to include all values within the remote origin case if we want to use Remote Config at all. Then then leaves the risk of some values breaking parts of the app if updated while they're in use.

It's not a huge risk admittedly, so it's not too urgent, but it does make using Remote Config more risky than we would like overall.

 

How does it work that Cache? and how in the case of my user doesn't have internet, how the user can get all the data of their last session?
In the case of Web, is there a way to access this Cache and edit ir?

 

Awesome, I've just started a thread about this exact same question before I've found this. Luckily, this bug's saved us the headache of having to release a new update as we forgot to implement the logic for ConfigOrigin.Cached or ConfigOrigin.Default.

Then I guess in the current Remote Config version neither ConfigOrigin.Default nor ConfigOrigin.Cached switch cases are ever reached and still the cached version is used when offline and the default value is used if there is no cached version yet.

So currently our code under case ConfigOrigin.Remote will be called in every possible scenarios.

 

Hi,

I'm currently on RemoteConfig 2.0.1. I assign the method OnFetchCompleted to the FetchCompleted Action with:

ConfigManager.FetchCompleted += OnFetchCompleted;

and here is OnFetchCompleted method:

Code (CSharp):

1. private void OnFetchCompleted(ConfigResponse configResponse)
2.         {
3.             switch (configResponse.requestOrigin)
4.             {
5.                 case ConfigOrigin.Default:
6.                     Debug.Log("No settings loaded this session; using default values.");
7.                     break;
8.                 case ConfigOrigin.Cached:
9.                     Debug.Log("No settings loaded this session; using cached values from a previous session.");
10.                     break;
11.                 case ConfigOrigin.Remote:
12.                     Debug.Log("New settings loaded this session; update values accordingly.");
13.                     break;
14.             }
15.         }

No matter what I do the configResponse.requestOrigin has value of ConfigOrigin.Remote.
When I delete cache and have internet connection it returns ConfigOrigin.Remote
When I delete cache and don't have internet connection it returns ConfigOrigin.Remote
When I don't delete cache and have internet connection it returns ConfigOrigin.Remote
When I don't delete cache and don't have internet connection it returns ConfigOrigin.Remote

It never returns ConfigOrigin.Default or ConfigOrigin.Cached. I'm not asking about getting values from the cache, because they are correct. The only thing I care about is to have correct configResponse.requestOrigin variable that I can work with.

Is there a fix for that?

 

Hi what happend to disabling the cache (and with it offline play)?

Use case:
Someone writes the next gen AI and after a while it goes rouge an starts to take over the world.
Fortunately, its creator has included a remote kill switch that is regularly checked, but unfortunately it can also be easily manipulated locally...

In the documentation it says:
"This mechanism is applied for all platforms except for consoles, as writing on the disc for consoles requires special platform permissions"
Can this behaviour be triggered on other platforms?

i moved my question here:
https://forum.unity.com/threads/disable-caching-per-key.1406230/