Question EditorGUI Passwordfield value appears as plaintext in android build apk?

Hello!

I am part of a team that maintains a unity package. A component of our package makes web requests using a secret (string) obtained via our own web platform. To improve developer ergonomics we've added the ability to set this value via an EditorGUILayout PasswordField in a custom editor script so that the user can enter the value via the Unity inspector. This mostly works out great as the value is shown as "****" in the inspector but the application correctly reads and uses the value when the app is running.

A problem arises however in that all android builds (.apk) of an application with scenes using our component end up having this value stored as plaintext. You can open the apk in a text editor like notepad++ which opens to gibberish as you'd expect however our component has another public user-facing variable with a value that, if searched, brings you what seems to be all the component's serialized fields and though their names are not legible all their values are plaintext. The secret string appears right alongside the rest. The only way I've found to remove it from appearing there is by not serializing it at all. This isn't ideal since the editor relies on the serialized value to offer any custom inspector function at all.

Is there any workaround for this? I've tried serializing a private field, using various forms of get/set with backing fields and compiler directives to no avail. Or are we overreacting to this apparent security vulnerability?


Thanks anyone for your help!

 

Nope, if it's in the APK and the APK can read it, then a human can read it.

If you're concerned about the user 'hacking your save files,' or 'cheating in your game,' which is playing on their computer, just don't be.

There's nothing you can do about it. Nothing is secure, it is not your computer, it is the user's computer.

If it must be secure, store it on your own server and have the user connect to download it, using whatever authentication mechanism you want (OAUTH, login, etc.).

Anything else is a waste of your time and the only person you're going to inconvenience is yourself when you're debugging the game and you have savegame errors. Work on your game instead.

Remember, it only takes one 12-year-old in Finland to write a script to read/write your game files and everybody else can now use that script. Read about Cheat Engine to see more ways you cannot possibly control this.

 

To be clear, the author of the game would be the users of our tools we ourselves aren't making a game but I understand the point you're trying to make and how a determined bad actor is going to find their way to this data if they want. I think what bothers us is it seems unfortunate that the app itself, down to the variable name, is not stored in notepad readable plaintext while the actual value exists as a plaintext string as a result of using it in the inspector.