Search Unity

  1. Welcome to the Unity Forums! Please take the time to read our Code of Conduct to familiarize yourself with the forum rules and how to post constructively.

Feedback Economy Security

Discussion in 'Economy' started by keyskid, Mar 6, 2022.

  1. keyskid

    keyskid

    Joined:
    Jul 5, 2012
    Posts:
    2
    Greetings!

    I'm starting to read through all the Economy documentation, and I was on-board reading through how it all works with unity services to let you set up currencies and exchanges between virtual currencies and using cloud code to make changes and whatnot to keep everything secure. But then I got to the player balances section of the SDK (https://docs.unity.com/economy/SDK-player-balances.html#SetBalance), I see there are methods available to call from the app to alter your balances. In my mind, this sounds like an exploitable vector if the client is allowed to tell the servers of currency changes. Is there something I'm missing here that makes this system secure?

    Thanks!
     
    Highlander94 and DavidZobrist like this.
  2. FabriR

    FabriR

    Unity Technologies

    Joined:
    Mar 9, 2021
    Posts:
    16
    Hi keyskid,
    thanks for your feedback, you raised a very good point. Economy is still in beta, and we are really happy to get this kind of feedback as it helps us inform our roadmap. We are considering adding a more secure way of controlling this aspect of the service, meanwhile we are recommending to use Cloud Code to shield some of those calls and not use them directly from the game client.
     
    DavidZobrist likes this.
  3. keyskid

    keyskid

    Joined:
    Jul 5, 2012
    Posts:
    2
    Hi FabriR,

    Thanks for the response! Yea my intention is to use Cloud Code for everything related to the economy, I was surprised to see those other methods exist in the client SDK. Even if I don't use those client methods, I'd assume their existence means that somewhere there are endpoints that would allow users to change their balances and give themselves items. My two cents, if those methods need to stay, what might be nice is an option in the dashboard to disable modifying the economy from the client, so attempting to call those methods would cause them to fail, securing the economy for developers that wish to rely on the security of calling it from Cloud Code.
     
  4. FabriR

    FabriR

    Unity Technologies

    Joined:
    Mar 9, 2021
    Posts:
    16
    Thanks for the clarification, and I agree that we should give developers a choice. We are looking at solutions along the lines of what you described. I'll keep this forum updated with any news around incoming features
     
    DavidZobrist likes this.
  5. SolidJuho

    SolidJuho

    Joined:
    Oct 23, 2016
    Posts:
    11
    I would also like to add this feedback issue.

    I rather have my own server instance take care of some tasks.
    So I would hope there's way to authenticate only my unity server be able to modify player data.
     
  6. goplayinc

    goplayinc

    Joined:
    Oct 19, 2021
    Posts:
    1
    I can't believe this hasn't been implemented yet. We need a way to push Economy changes from server to server. You have all the pieces right now, just change the auth mechanism on the existing endpoints to take a service account or client auth.

    PlayFab and Beamable already allow server to server communication for everything.

    As for what others have said about disabling client access, look at how PlayFab does it. I think it is useful to allow the client to decrement virtual currency ie lives, etc. but not increment it, PlayFab allows you to have granular control.

    But, right now for us we need Economy server api to use service account auth.
     
    lsaeteurn likes this.
  7. Desoro

    Desoro

    Joined:
    Apr 30, 2016
    Posts:
    8
    Any update on this? Right now, Economy is basically client authoritative and that really doesn't make sense. We have Cloud Save for clients to save non-exploitable data. Using Cloud Code only hides the legit code from clients, it doesn't stop them from exploiting the client endpoints.
     
  8. Laurie-Unity

    Laurie-Unity

    Unity Technologies

    Joined:
    Mar 5, 2020
    Posts:
    174
    Hey @goplayinc & @Desoro

    This is still very much on our radar, we absolutely recognise the importance of being able to selectively lock down areas of functionality to make them fully server authoritative. Some of the preparatory work is underway, I can't provide an ETA yet, but we hear you.

    I have added your voices to the feature request.
     
    Desoro likes this.
  9. lsaeteurn

    lsaeteurn

    Joined:
    Jan 26, 2023
    Posts:
    4
    Wow! I was surprised by this functionality as well. Please patch up this exploit ASAP. We will be waiting on the fix before we can release our game.
     
    Laurie-Unity likes this.