
Question EditorGUI Passwordfield value appears as plaintext in android build apk?

Discussion in 'Editor & General Support' started by andres-echo, Jul 28, 2022.

  1. andres-echo

    andres-echo

    Joined:
    Mar 10, 2022
    Posts:
    2
    Hello!

    I am part of a team that maintains a Unity package. A component of our package makes web requests using a secret (string) obtained via our own web platform. To improve developer ergonomics, we've added the ability to set this value via an EditorGUILayout PasswordField in a custom editor script, so that the user can enter the value via the Unity inspector. This mostly works out great, as the value is shown as "****" in the inspector, but the application correctly reads and uses the value when the app is running.

    A problem arises, however, in that all Android builds (.apk) of an application with scenes using our component end up having this value stored as plaintext. You can open the APK in a text editor like Notepad++, which opens to gibberish as you'd expect; however, our component has another public user-facing variable with a value that, if searched, brings you to what seems to be all the component's serialized fields, and though their names are not legible, all their values are plaintext. The secret string appears right alongside the rest. The only way I've found to remove it from appearing there is by not serializing it at all. This isn't ideal, since the editor relies on the serialized value to offer any custom inspector function at all.

    Is there any workaround for this? I've tried serializing a private field, using various forms of get/set with backing fields and compiler directives to no avail. Or are we overreacting to this apparent security vulnerability?

    Thanks anyone for your help!
  2. Kurt-Dekker

    Kurt-Dekker

    Joined:
    Mar 16, 2013
    Posts:
    36,963
    Nope, if it's in the APK and the APK can read it, then a human can read it.

    If you're concerned about the user 'hacking your save files,' or 'cheating in your game,' which is playing on their computer, just don't be.

    There's nothing you can do about it. Nothing is secure, it is not your computer, it is the user's computer.

    If it must be secure, store it on your own server and have the user connect to download it, using whatever authentication mechanism you want (OAuth, login, etc.).

    Anything else is a waste of your time and the only person you're going to inconvenience is yourself when you're debugging the game and you have savegame errors. Work on your game instead.

    Remember, it only takes one 12-year-old in Finland to write a script to read/write your game files and everybody else can now use that script. Read about Cheat Engine to see more ways you cannot possibly control this.
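As an added example (not code from this thread or from the poster's package), the contrast between an inspector-entered secret that is serialized into the scene data packed in the build, and a component that keeps no long-lived secret in the build and instead trades the user's own login for a short-lived token at runtime, along the lines Kurt-Dekker suggests. The endpoint URL, the form field names and the JSON response shape are assumptions.

```csharp
// Added example, not from the thread. The endpoint, form fields and JSON shape are assumed.
using System;
using System.Collections;
using UnityEngine;
using UnityEngine.Networking;

public class ApiClient : MonoBehaviour
{
    // A public or [SerializeField] string on a scene component is written into the
    // scene data that ships inside the APK, so an inspector-entered secret can be
    // recovered from the build. This is the field the thread describes; leave it out.
    // [SerializeField] private string apiSecret;

    // Not serialized: never written into scene data, never part of the build.
    [NonSerialized] private string _sessionToken;

    // Non-sensitive configuration can stay serialized and inspector-editable.
    [SerializeField] private string tokenEndpoint = "https://example.invalid/token"; // assumed

    // Exchange credentials collected at runtime for a short-lived token held only in memory.
    public IEnumerator Login(string username, string password, Action<bool> done)
    {
        var form = new WWWForm();
        form.AddField("username", username);
        form.AddField("password", password);
        using (var req = UnityWebRequest.Post(tokenEndpoint, form))
        {
            yield return req.SendWebRequest();
            if (req.result != UnityWebRequest.Result.Success) { done(false); yield break; }
            _sessionToken = JsonUtility.FromJson<TokenResponse>(req.downloadHandler.text).token;
            done(true);
        }
    }

    // Authenticated call using the runtime token; nothing secret exists before Login runs.
    public IEnumerator CallApi(string url, Action<string> onResponse)
    {
        using (var req = UnityWebRequest.Get(url))
        {
            req.SetRequestHeader("Authorization", "Bearer " + _sessionToken);
            yield return req.SendWebRequest();
            onResponse(req.result == UnityWebRequest.Result.Success ? req.downloadHandler.text : null);
        }
    }

    [Serializable] private class TokenResponse { public string token; } // assumed response shape
}
```

If the custom inspector still needs a value to work with in the editor, keeping it in EditorPrefs on the developer's machine rather than in a serialized field keeps it out of the build entirely.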
  3. andres-echo

    andres-echo

    Joined:
    Mar 10, 2022
    Posts:
    2
    To be clear, the authors of the game would be the users of our tools; we ourselves aren't making a game, but I understand the point you're trying to make and how a determined bad actor is going to find their way to this data if they want. I think what bothers us is that it seems unfortunate that the app itself, down to the variable name, is not stored in Notepad-readable plaintext, while the actual value exists as a plaintext string as a result of using it in the inspector.

    Last edited: Jul 28, 2022