How secure is Unity code once compiled?

Discussion in 'Scripting' started by heinickesg, Jun 23, 2014.

  1. heinickesg

    Joined: Jan 25, 2013 | Posts: 48
    Hello All,

    This is kind of a general question. I am making a multiplayer game and I am beginning to wonder about security. Obviously I don't want players to hack or cheat, which brings me to my question:

    Just how much can I trust a client? How easy is it to alter the code once I build my game and distribute it? I have most stuff running checks with an online database (login, player pos, etc.), but can I handle stuff like leveling on the client side? I was looking through the files for the game client, and it appears that Unity makes no attempt to mask any of my files; it blatantly says "this is the file for this scene".

    So what are your thoughts on this?

    Thanks in advance,

    Samuel
     
  2. Goss

    Joined: Dec 6, 2012 | Posts: 11
    Depends on your game. If your character is stored on server side, then you can prevent a lot of hacking. If your character's profile is saved locally, then it's easy to use Cheat Engine to change values of memory addresses. It's up to you how secure your game is. There are ways to extract assets from Unity's archives. However, the code is still compiled. Most hacks don't alter logic in your code but change static variables. Other hacks use an overlay system and rely on math with the combination of what's appearing on the screen or from a memory address.

    However, for multiplayer games, you can implement client-side prediction, which allows the server to trust the client until the client breaks a rule.
     
  3. LightStriker

    Joined: Aug 3, 2013 | Posts: 2,716
    For now, rather easy.

    In Unity 5, they announced they will translate the scripts into native C++, which will make it much harder to modify after compilation. Still, not impossible, but much harder.
     
  4. GarthSmith

    Joined: Apr 26, 2012 | Posts: 1,240
    People don't generally modify code. What they will do is figure out where data is then change that value. If someone can find where "gold amount" is stored in memory or in a save file, then they can change it easily. Encryption can slow people down, but you can never stop it 100%.

    When it comes to multiplayer games, the general rule is to never trust data from the client. People can view what data is being sent over the network, then try to listen in or even change the network data for an unfair advantage. Most games that are serious about preventing cheating will run the servers themselves and calculate almost everything on the server. The client becomes practically a dumb terminal used just to show what is happening to the player. Of course, this is overkill for something like 2 player tic-tac-toe.
     
  5. heinickesg

    Joined: Jan 25, 2013 | Posts: 48
    OK, so the general rule is that if I check the client's values with values I have stored on the database, I should be OK. The client gets all of its player data (money, level, pos) from a database at run time; that data is then transmitted to the server for saving.
     
  6. GarthSmith

    Joined: Apr 26, 2012 | Posts: 1,240
    What happens if the client tells the database it has a gazillion monies?
     
  7. LightStriker

    Joined: Aug 3, 2013 | Posts: 2,716
    Usually, every call to change a currency count should be validated first by the server.

    Player: "I bought X package, give me Y monies"
    Server: "Let me check your receipt... Nope, you never made that purchase. No monies for you."
    Player: "I now have Y monies."
    Server: "Nope, our last count was still 0."
    Player: "I buy item Z which costs 100 monies."
    Server: "Nope, your account still has 0 monies. No item for you."
    Player: "I got 100 monies from in-game W event three times."
    Server: "Nope, in-game event only gives 5 monies, and only happens once every day."
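
The exchange above as an added example (not part of the original post and not a Unity API): a minimal server-authoritative ledger in Python. The class, table names and sample ids are assumptions, and receipt verification with the payment provider is assumed to have happened before the receipt table is loaded.

```python
import time

# Server-owned tables (constructed sample data); the client never supplies amounts or prices.
PACKAGES = {"pack_x": 500}        # package id -> monies granted
ITEM_PRICES = {"item_z": 100}     # item id -> price
EVENT_REWARDS = {"event_w": 5}    # event id -> monies per claim
EVENT_COOLDOWN = 24 * 60 * 60     # seconds between claims of the same event


class Server:
    def __init__(self, verified_receipts):
        # receipt id -> (player, package id), assumed already confirmed with the payment provider
        self.verified_receipts = verified_receipts
        self.used_receipts = set()
        self.balances = {}        # player -> monies; the only balance that counts
        self.items = {}           # player -> list of owned items
        self.last_claim = {}      # (player, event) -> server time of last claim

    def balance(self, player):
        # There is deliberately no method that lets a client set this value.
        return self.balances.get(player, 0)

    def claim_purchase(self, player, receipt_id):
        owner, package = self.verified_receipts.get(receipt_id, (None, None))
        if owner != player or receipt_id in self.used_receipts:
            return False          # unknown, someone else's, or replayed receipt
        self.used_receipts.add(receipt_id)
        self.balances[player] = self.balance(player) + PACKAGES[package]
        return True

    def buy_item(self, player, item):
        price = ITEM_PRICES.get(item)
        if price is None or self.balance(player) < price:
            return False          # unknown item or insufficient server-side balance
        self.balances[player] = self.balance(player) - price
        self.items.setdefault(player, []).append(item)
        return True

    def claim_event(self, player, event, now=None):
        now = time.time() if now is None else now   # server clock; parameter exists for testing
        reward = EVENT_REWARDS.get(event)
        last = self.last_claim.get((player, event))
        if reward is None or (last is not None and now - last < EVENT_COOLDOWN):
            return False          # unknown event or still on cooldown
        self.last_claim[(player, event)] = now
        self.balances[player] = self.balance(player) + reward
        return True
```

Each request carries only identifiers (receipt id, item id, event id); the amount, the price and the clock all come from the server.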
     
  8. heinickesg

    Joined: Jan 25, 2013 | Posts: 48
    Hmm excellent point...