Search Unity

  1. Welcome to the Unity Forums! Please take the time to read our Code of Conduct to familiarize yourself with the forum rules and how to post constructively.
  2. Join us on Dec 8, 2022, between 7 am & 7 pm EST, in the DOTS Dev Blitz Day 2022 - Q&A forum, Discord, and Unity3D Subreddit to learn more about DOTS directly from the Unity Developers.
    Dismiss Notice
  3. Have a look at our Games Focus blog post series which will show what Unity is doing for all game developers – now, next year, and in the future.
    Dismiss Notice

Does Remote Config encrypt its locally stored cached config?

Discussion in 'Unity Remote Config' started by chanon81, Jan 11, 2020.

  1. chanon81

    chanon81

    Joined:
    Oct 6, 2015
    Posts:
    167
    Hi! Just learned about Remote Config from watching the Unite talk. It looks amazing.

    My questions is, I tried adding Remote Settings to my game before, but took it out because all the "settings" were stored in plain text in the game's save folder. This would leave the door wide open for very easy cheating by users on Android (or even easier .. PC for example).

    I would like to know if Remote Config has fixed this yet?
     
  2. markychoi

    markychoi

    Unity Technologies

    Joined:
    Aug 4, 2014
    Posts:
    40
    Hi @chanon81. Our team has done some explorations around adding security features to Remote Config, specifically around signing the payload. However, we do not yet have any solutions for encrypting the payload.

    It would be interesting to learn more about what you seek out of a solution, and discuss with you our current thinking. We also have a prototype package with the payload-signing feature that we could provide you to test out and provide feedback on. Would you care to learn more over a quick call?
     
  3. chanon81

    chanon81

    Joined:
    Oct 6, 2015
    Posts:
    167
    I haven't actually tried the current Remote Config to see how it does things. Maybe after I do I will have some more specific feedback.

    An idea is to have a secret key that is shared between server and client and is used for communication with the server and for saving to local disk.

    I am working on a mobile free to play game with IAP.
    I would use Remote Config to easily adjust game difficulty or in-game items and upgrades prices for example.
    Specifically for Android it is easier to get at a game's save data, so if people find ways to easily edit the local Remote Config cache, then that could result in loss of IAP sales. It would probably not be a major loss though. Just a trade-off to think about when deciding to use it.
     
    vd_unity likes this.
  4. andrej_amz

    andrej_amz

    Joined:
    Aug 27, 2019
    Posts:
    5
    So with Remote Config the data is not stored locally in a file on disk correct?

    @markychoi when you say there isn't an encrypted payload, is all the Remote Config data transferred to the client app via http? Couldn't you use https so at least it's not visible over the network?

    Cheers,
    Andrej
     
  5. rambod

    rambod

    Unity Technologies

    Joined:
    Mar 2, 2018
    Posts:
    57
    @andrej_amz Remote Config will cache values to disk and attempt to read those values when it starts out. However, you always have the option of ignoring the cache, fetching new remote values and wait for those to return before initializing the game.

    As for the payload, it's over https, but the configs returned in the payload are stored as plain text JSON.
     
    vd_unity likes this.
  6. KaOzz

    KaOzz

    Joined:
    Oct 15, 2012
    Posts:
    79
    How can I ignore the cached values? When players play my game without internet they can edit manually the plain text remoteconfig.json and I really dont want this.

    I attach my code. I want that in Cached case Unity dont do anything.
    I even wish the remoteconfig.json file doesn't even exist at all.
     

    Attached Files:

  7. Fangh

    Fangh

    Joined:
    Apr 19, 2013
    Posts:
    174
    The cached config can be looked in C:\Users\USERNAME\AppData\LocalLow\COMPANY\APPNAME
     
  8. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    We will look into this. For offline play, would you then prefer that users always use the default values, and not the values from their last online session?
     
  9. Fangh

    Fangh

    Joined:
    Apr 19, 2013
    Posts:
    174
    One of the issue is this use case :

    1. On remote config I have stored "player X has Y coins"
    2. Player download their config
    3. Player open the cached remoteconfig.json
    4. Player change Y coins to Z coins
    5. Player disable internet connection
    6. Player open the game and has Z coins (they are cheating)
     
  10. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    Yes, I understand the concern. My question however is related to your expectations for offline play. You said you would prefer nothing be written locally "I even wish the remoteconfig.json file doesn't even exist at all."
     
  11. Fangh

    Fangh

    Joined:
    Apr 19, 2013
    Posts:
    174
    I think when using offline play, what they wants (but I'm talking on their behalf, so I'm not sure) is to use the default value. The value that are in their code, not in the remoteconfig.json

    So I think they should put a boolean "playingOffline" and change their code :
    Code (CSharp):
    1. playerCoins = ConfigManager.appConfig.GetInt("coins");
    to
    Code (CSharp):
    1. if(!playingOffline)
    2. playerCoins = ConfigManager.appConfig.GetInt("coins");
     
  12. KaOzz

    KaOzz

    Joined:
    Oct 15, 2012
    Posts:
    79
    Yes, exactly. If player start the game offline, then I want to use my default values settings from code not modified in any way from Unity Remote Config.

    I assumed that would be the behavior when I leave "case ConfigOrigin.Cached" empty with only a break.
     
    Last edited: Aug 27, 2020
  13. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    So you would prefer to ignore the values from a previous online session? So the user first plays online, and retrieves the online (non-default) value. The next day, they play offline. Instead of using the cached (and likely more appropriate) value from their session yesterday, they instead use the default value and experience a possibly degraded experience? I believe what you really want is an encrypted local file :)
     
    PedroPoni, Karlbovsky and Fangh like this.
  14. KaOzz

    KaOzz

    Joined:
    Oct 15, 2012
    Posts:
    79
    Yes, that would be better for me. And in case that I want to cache things (from a previous online session), I can make it by myself using the method that I want (a json file, playerprefs, etc, and possibly with my own encryption method).

    I dont want an auto cached plain values without encryption.

    If the auto-cached values come with encryption will be fine for me too.

    --

    In the case of my game, Im using Remote Config to set some values that affects the economy of the game.
    Setting the price of fuel for example.
    If players can access to that too easy, they can change the fuel price to zero.
     
  15. KaOzz

    KaOzz

    Joined:
    Oct 15, 2012
    Posts:
    79
    What is the porpuse of switch(configResponse.requestOrigin) { case ConfigOrigin.Cached: ... } ?
     

    Attached Files:

  16. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    If a user went online yesterday and played the game, then played today offline, we would use the .Cached value.
     
  17. Fangh

    Fangh

    Joined:
    Apr 19, 2013
    Posts:
    174
    @KaOzz what you can do (this is what I do) is to encrypt the value on the server with AES (like this one for example).
    And decrypt inside the client's code.

    Another solution is to prevent the player to play if they are not connected to internet (that's what a lot of mobile games do. Event single player game)
     
  18. KaOzz

    KaOzz

    Joined:
    Oct 15, 2012
    Posts:
    79
    If I start my game offline (without any internet connection), RemoteConfig is always entering in "case ConfigOrigin.Remote". It never enter in "case ConfigOrigin.Cached". Is this a bug?

    Im using Unity 2018.4.25f1, RemoteConfig 1.2.3 downloaded from Package Manager.
    Tested on Editor and Android device.
    --

    @Fangh yeah, its one solution.
     
    TFF_Unity likes this.
  19. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    Which values are you retrieving, can you confirm? Please show your code and the runtime values using Debug.Log or breakpoint debugging. You could take your device offline, and change the value on the server. Please test with the latest package, show Preview packages in Package Manager.
     
  20. LucasHehir

    LucasHehir

    Joined:
    May 7, 2020
    Posts:
    52
    Before I found Remote Config today (which is awesome, loving it so far) I had a baby system kinda like this using json and cached locally on the users device. Whenever I'm writing or reading the file to disk, I put it through a really basic XOR encryption. It's just enough of a hurdle to disincentivize basic meddling without being much extra trouble for development. Just have some big random number baked in as a key to process it with.

    Code (CSharp):
    1. public static string XORFilter(this string input, int key) => new string(input.Select(c => (char) ( c ^ key )).ToArray());
    Something like that might be good here. It's not bulletproof but it is simple to work with and is better than plaintext.
     
    Karlbovsky likes this.
  21. BallistiX09

    BallistiX09

    Joined:
    Mar 29, 2015
    Posts:
    10
    I'm getting exactly the same results, if I log out the requestOrigin, it's showing as Remote even when the device is completely offline.

    When the device is online, logging out one of my test remote values shows as the correct remote server value (700) as expected. When the device is offline, the value is still being set to the remote value (700) inside the "Remote" section, even though it should really be getting left as the default value (650).

    Also, in both cases (online and offline), the Debug.Log message "New settings loaded this session; update values accordingly" is being logged out, when I'm guessing if it's offline, it should really be logging out "No settings loaded this session; using cached values from a previous session" instead. Because of this, it looks like values actually are being cached properly, but the requestOrigin just isn't being returned properly.

    I'm using Unity 2020.1.12f, and I've tested this with Remote Config versions 1.4.0 and 2.0.0. I've checked that this happens in both the editor on Windows, and on an Android device running Android 10.

    I've included the code I'm using for this below, it's mainly based on the example in the Remote Config documentation:

    Code (CSharp):
    1.    
    2. public class DataController : MonoBehaviour
    3. {
    4.     public static DataController instance;
    5.     public static float aiSpeedDifficulty0 = 650f;
    6.  
    7.     private struct UserAttributes { };
    8.     private struct AppAttributes { };
    9.  
    10.     private void Awake()
    11.     {
    12.         if (instance == null)
    13.         {
    14.             instance = this;
    15.             DontDestroyOnLoad(gameObject);
    16.  
    17.             ConfigManager.FetchCompleted += ApplyRemoteSettings;
    18.             ConfigManager.FetchConfigs(new UserAttributes(), new AppAttributes());
    19.         }
    20.         else if (instance != this)
    21.         {
    22.             Destroy(gameObject);
    23.         }
    24.     }
    25.  
    26.     private void ApplyRemoteSettings(ConfigResponse configResponse)
    27.     {
    28.         switch (configResponse.requestOrigin)
    29.         {
    30.             case ConfigOrigin.Default:
    31.                 Debug.Log("No settings loaded this session; using default values.");
    32.                 break;
    33.             case ConfigOrigin.Cached:
    34.                 Debug.Log("No settings loaded this session; using cached values from a previous session.");
    35.                 break;
    36.             case ConfigOrigin.Remote:
    37.                 Debug.Log("New settings loaded this session; update values accordingly.");
    38.                 aiSpeedDifficulty0 = ConfigManager.appConfig.GetFloat("aiSpeedDifficulty0");
    39.                 break;
    40.         }
    41.  
    42.         Debug.Log(aiSpeedDifficulty0);
    43.     }    
    44. }
     
    TFF_Unity likes this.
  22. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    @BallistiX09 Thank you for the good reproduction steps, we will look into this.
     
  23. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    @BallistiX09 Can you confirm that you are not manually deleting the local cache file in your test?
     
  24. BallistiX09

    BallistiX09

    Joined:
    Mar 29, 2015
    Posts:
    10
    Sorry about the slow reply, just saw this!

    Yeah, I'm definitely not deleting the cache manually, I don't think I'm deleting any files at all anywhere in the app.
     
  25. huuhau

    huuhau

    Joined:
    Mar 28, 2014
    Posts:
    17
    Hi, Is there any chance can I decide to not save my config to new file?
    I got same issue, that we don't need to use cache file, but it still load from there
     
    Last edited: Nov 26, 2020
  26. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    Sorry I don't quite follow. If the user is offline, Remote Config will use the value from the cache. We will be addressing the behavior so it will properly return ConfigOrigin.Cached
     
  27. BallistiX09

    BallistiX09

    Joined:
    Mar 29, 2015
    Posts:
    10
    Hey again, just wanted to quickly check in and see if there's any ETA on this fix? Thanks!
     
    TFF_Unity likes this.
  28. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    To confirm, you are receiving the cached values properly when offline (and not the default). It's only the ConfigOrigin.Cached not properly triggered in your switch statement, correct?
     
  29. BallistiX09

    BallistiX09

    Joined:
    Mar 29, 2015
    Posts:
    10
    That's right, I've just tested it again just there to be totally sure.

    When changing one of the remote values to be different from the default in the app, the Remote Config picks up the new value correctly, and the origin is shown as Remote.

    When taking the entire laptop offline and testing again, the value is returned as the previous online value, not the built-in default, showing that it's returning the cached value correctly, but the origin still shows as Remote when it should really be Cached.
     
  30. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    To set proper urgency, can you describe how this affects your app? I assume you have different logic in place for the Remote vs Cached scenario?
     
  31. BallistiX09

    BallistiX09

    Joined:
    Mar 29, 2015
    Posts:
    10
    Ideally, we would have all values updated from cache on startup, and then only some specific values updated from a remote origin, values which we know can be safely updated while the app is running and in use by the user.

    Because everything is being returned as remote, we're stuck with needing to include all values within the remote origin case if we want to use Remote Config at all. Then then leaves the risk of some values breaking parts of the app if updated while they're in use.

    It's not a huge risk admittedly, so it's not too urgent, but it does make using Remote Config more risky than we would like overall.
     
  32. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    But the cached values would always match the remote values on startup, just don't change the remote values, and they will always match cached. I'm trying to understand your use case here.
     
  33. Sebasapk

    Sebasapk

    Joined:
    Jun 4, 2020
    Posts:
    4
    How does it work that Cache? and how in the case of my user doesn't have internet, how the user can get all the data of their last session?
    In the case of Web, is there a way to access this Cache and edit ir?
     
    Last edited: May 21, 2021
  34. krisventure

    krisventure

    Joined:
    Mar 24, 2016
    Posts:
    118
    Awesome, I've just started a thread about this exact same question before I've found this. Luckily, this bug's saved us the headache of having to release a new update as we forgot to implement the logic for ConfigOrigin.Cached or ConfigOrigin.Default.

    Then I guess in the current Remote Config version neither ConfigOrigin.Default nor ConfigOrigin.Cached switch cases are ever reached and still the cached version is used when offline and the default value is used if there is no cached version yet.

    So currently our code under case ConfigOrigin.Remote will be called in every possible scenarios.
     
  35. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    If the user has connected previously, they will use the last known values that are cached locally. If this is the first time the user has launched the game and there is no internet access, the default values will be used. Can you describe what you mean be edit it? And you mention on the web, clearly they have a internet connection already if they are on the web.
     
  36. JeffDUnity3D

    JeffDUnity3D

    Unity Technologies

    Joined:
    May 2, 2017
    Posts:
    14,446
    Can you share your code for Remote vs Cached?
     
  37. marcin_sroczynski

    marcin_sroczynski

    Joined:
    Sep 12, 2017
    Posts:
    1
    Hi,

    I'm currently on RemoteConfig 2.0.1. I assign the method OnFetchCompleted to the FetchCompleted Action with:

    ConfigManager.FetchCompleted += OnFetchCompleted;

    and here is OnFetchCompleted method:

    Code (CSharp):
    1. private void OnFetchCompleted(ConfigResponse configResponse)
    2.         {
    3.             switch (configResponse.requestOrigin)
    4.             {
    5.                 case ConfigOrigin.Default:
    6.                     Debug.Log("No settings loaded this session; using default values.");
    7.                     break;
    8.                 case ConfigOrigin.Cached:
    9.                     Debug.Log("No settings loaded this session; using cached values from a previous session.");
    10.                     break;
    11.                 case ConfigOrigin.Remote:
    12.                     Debug.Log("New settings loaded this session; update values accordingly.");
    13.                     break;
    14.             }
    15.         }
    No matter what I do the configResponse.requestOrigin has value of ConfigOrigin.Remote.
    When I delete cache and have internet connection it returns ConfigOrigin.Remote
    When I delete cache and don't have internet connection it returns ConfigOrigin.Remote
    When I don't delete cache and have internet connection it returns ConfigOrigin.Remote
    When I don't delete cache and don't have internet connection it returns ConfigOrigin.Remote

    It never returns ConfigOrigin.Default or ConfigOrigin.Cached. I'm not asking about getting values from the cache, because they are correct. The only thing I care about is to have correct configResponse.requestOrigin variable that I can work with.

    Is there a fix for that?
     
    LizNT, PedroPoni, yumarun and 5 others like this.