Resolved Economy Security

Discussion in 'Economy' started by keyskid, Mar 6, 2022.

  1. keyskid

    keyskid

    Joined:
    Jul 5, 2012
    Posts:
    2
    Greetings!

    I'm starting to read through all the Economy documentation, and I was on-board reading through how it all works with unity services to let you set up currencies and exchanges between virtual currencies and using cloud code to make changes and whatnot to keep everything secure. But then I got to the player balances section of the SDK (https://docs.unity.com/economy/SDK-player-balances.html#SetBalance), I see there are methods available to call from the app to alter your balances. In my mind, this sounds like an exploitable vector if the client is allowed to tell the servers of currency changes. Is there something I'm missing here that makes this system secure?

    Thanks!
     
    Highlander94 and DavidZobrist like this.
  2. FabriR

    FabriR

    Unity Technologies

    Joined:
    Mar 9, 2021
    Posts:
    16
    Hi keyskid,
    Thanks for your feedback; you raised a very good point. Economy is still in beta, and we are really happy to get this kind of feedback, as it helps inform our roadmap. We are considering adding a more secure way of controlling this aspect of the service; meanwhile, we recommend using Cloud Code to shield some of those calls and not using them directly from the game client.
     
    DavidZobrist likes this.
  3. keyskid

    keyskid

    Joined:
    Jul 5, 2012
    Posts:
    2
    Hi FabriR,

    Thanks for the response! Yeah, my intention is to use Cloud Code for everything related to the economy; I was surprised to see those other methods exist in the client SDK. Even if I don't use those client methods, I'd assume their existence means that somewhere there are endpoints that would allow users to change their balances and give themselves items. My two cents: if those methods need to stay, what might be nice is an option in the dashboard to disable modifying the economy from the client, so attempting to call those methods would cause them to fail, securing the economy for developers that wish to rely on the security of calling it from Cloud Code.
     
  4. FabriR

    FabriR

    Unity Technologies

    Joined:
    Mar 9, 2021
    Posts:
    16
    Thanks for the clarification, and I agree that we should give developers a choice. We are looking at solutions along the lines of what you described. I'll keep this forum updated with any news around incoming features.
     
    DavidZobrist likes this.
  5. SolidJuho

    SolidJuho

    Joined:
    Oct 23, 2016
    Posts:
    11
    I would also like to add to this feedback issue.

    I would rather have my own server instance take care of some tasks.
    So I would hope there's a way to authenticate so that only my Unity server is able to modify player data.
     
  6. goplayinc

    goplayinc

    Joined:
    Oct 19, 2021
    Posts:
    1
    I can't believe this hasn't been implemented yet. We need a way to push Economy changes from server to server. You have all the pieces right now, just change the auth mechanism on the existing endpoints to take a service account or client auth.

    PlayFab and Beamable already allow server to server communication for everything.

    As for what others have said about disabling client access, look at how PlayFab does it. I think it is useful to allow the client to decrement virtual currency (i.e. lives, etc.) but not increment it; PlayFab allows you to have granular control.

    But, right now for us we need Economy server api to use service account auth.
     
    lsaeteurn likes this.
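    The granular policy described above (clients may spend but never grant or set, and server-side code derives the balance change from an action rather than trusting a client-supplied number), as an added illustration that is not Unity's Economy or Cloud Code API; the store, catalog, request and caller shapes are constructed for this demo:

```javascript
// Added example, not Unity's Economy or Cloud Code API: a server-side
// policy gate for balance mutations. Store, request and caller shapes
// are constructed for this demo.
const CLIENT_OPS = new Set(["decrement"]); // a game client may only spend

// Constructed in-memory stand-in for the Economy balance store.
function createStore(initial) {
  return { balances: new Map(Object.entries(initial)) }; // "player:currency" -> amount
}

// caller is { kind: "service" } for trusted server code or
// { kind: "player", playerId } for a request carrying a player token.
function applyBalanceChange(store, caller, req) {
  const { playerId, currencyId, op, amount } = req;
  if (!Number.isInteger(amount) || amount <= 0) {
    return { ok: false, reason: "amount must be a positive integer" };
  }
  if (caller.kind === "player") {
    if (caller.playerId !== playerId) return { ok: false, reason: "cross-player write denied" };
    if (!CLIENT_OPS.has(op)) return { ok: false, reason: `client may not ${op}` };
  } else if (caller.kind !== "service") {
    return { ok: false, reason: "unknown caller" };
  }
  const k = `${playerId}:${currencyId}`;
  const current = store.balances.get(k) ?? 0;
  let next;
  if (op === "set") next = amount;
  else if (op === "increment") next = current + amount;
  else if (op === "decrement") next = current - amount;
  else return { ok: false, reason: `unsupported op ${op}` };
  if (next < 0) return { ok: false, reason: "insufficient balance" };
  store.balances.set(k, next);
  return { ok: true, balance: next };
}

// Server-authoritative purchase: the client names an item; the server looks
// up the price and performs both the debit and the grant itself.
const CATALOG = { EXTRA_LIFE: { currencyId: "COINS", price: 50 } }; // constructed
function purchase(store, playerId, itemId) {
  const item = CATALOG[itemId];
  if (!item) return { ok: false, reason: "unknown item" };
  const debit = applyBalanceChange(store, { kind: "service" },
    { playerId, currencyId: item.currencyId, op: "decrement", amount: item.price });
  if (!debit.ok) return debit;
  const grant = applyBalanceChange(store, { kind: "service" },
    { playerId, currencyId: itemId, op: "increment", amount: 1 });
  return { ok: grant.ok, coins: debit.balance, owned: grant.balance };
}
```

    The same gate is what a dashboard "disable client writes" switch would enforce: change CLIENT_OPS to an empty set and every client-originated mutation is refused while service-account calls keep working.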
  7. Desoro

    Desoro

    Joined:
    Apr 30, 2016
    Posts:
    9
    Any update on this? Right now, Economy is basically client authoritative and that really doesn't make sense. We have Cloud Save for clients to save non-exploitable data. Using Cloud Code only hides the legit code from clients, it doesn't stop them from exploiting the client endpoints.
     
  8. Laurie-Unity

    Laurie-Unity

    Unity Technologies

    Joined:
    Mar 5, 2020
    Posts:
    220
    Hey @goplayinc & @Desoro

    This is still very much on our radar; we absolutely recognise the importance of being able to selectively lock down areas of functionality to make them fully server authoritative. Some of the preparatory work is underway. I can't provide an ETA yet, but we hear you.

    I have added your voices to the feature request.
     
    Desoro likes this.
  9. lsaeteurn

    lsaeteurn

    Joined:
    Jan 26, 2023
    Posts:
    93
    Wow! I was surprised by this functionality as well. Please patch up this exploit ASAP. We will be waiting on the fix before we can release our game.
     
    Laurie-Unity likes this.
  10. Laurie-Unity

    Laurie-Unity

    Unity Technologies

    Joined:
    Mar 5, 2020
    Posts:
    220
    lsaeteurn likes this.