Will it be more difficult to hack the WebGL player than the Web Player?

Discussion in 'Unity 5 Pre-order Beta' started by Meltdown, Jan 26, 2015.

  1. Meltdown
    So my understanding for WebGL is the Unity project will use the new IL2CPP compiler and then compile out to JavaScript in order to work as WebGL.

    In the past, it seems a lot of people building for the WebPlayer have had their games hacked and put onto other sites (even with the domain hosting check Unity provides in the documentation), thus losing out on a lot of well-deserved revenue.

    Will WebGL be more secure in this regard?
     
  2. p87
    It's still just a bunch of files the web server serves out for clients (browsers).

    It is trivial to open the networking tab of your browser and see all the files that are being downloaded. It's probably fairly easy for someone to download everything and change some script include URLs etc. and get it working on their server, if it's a completely self-contained game (no server side).

    In general, games with 100% client-side logic are vulnerable to hacking / exploits.

    If you implement encrypted web service calls, where your game communicates with your server, then it may be harder for people to emulate your server-side, reverse engineer the encryption, etc. This is why many games require online play. Even if the game logic runs on the client and it's not necessarily a multiplayer online game, it still saves authoritatively on the server and has just enough authoritative control to prevent people from hacking saves, authorize IAP and stuff.
     
  3. bsterling250DI
    Ya, if anyone finds a generally easy solution to this that doesn't require any major architectural changes to an existing project, I'd pay for it on the asset store.

    Another thing to keep in mind is places like China. Since Chinese web portals won't let you host a file that connects to services outside of China (like for DRM purposes), it's difficult to update things like 4399.com, who hacked an old version of our game when it was a demo and still host it, splitting our audience and adding uncertainty to our analytics.
     
  4. BrotenStudios
    One way to help would be to add a system where, in game, the game scripts auth against a PHP script on the web host before calling to request the asset. It returns a unique ID key generated server side. Store the key as a temporary variable, then when calling the URL to download the asset, inject the key.

    Example URL: https://www.myserver.com/assetdatabank/getassets.php?selection=<assetfilename>&uid=<uniquekey>

    The script returns the requested asset files based on the asset name requested, but the URL will only work for that user's request and would not return a file without that key. Since the key was generated only for one use, the URL would be void after use.
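
The single-use key flow described in the post above, sketched server-side as an added example (not part of the original post or any poster's code). The `AssetKeyStore` class, the `Origin` allow-list standing in for the unspecified auth check, and the 30-second key lifetime are assumptions.

```python
import secrets
import time

# Assumption: the only site allowed to embed the game (host taken from the example URL).
ALLOWED_ORIGINS = {"https://www.myserver.com"}
KEY_TTL_SECONDS = 30  # assumption: a key must be redeemed within 30 seconds


class AssetKeyStore:
    """In-memory single-use asset keys; a real host would keep these in a shared DB or cache."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # key -> (asset name, expiry time)

    def issue(self, origin, asset):
        """Auth step: return a fresh key bound to one asset, or None for an unknown origin.

        The Origin header is set by browsers; any non-browser client can send
        whatever value it likes, so this check only raises the effort required.
        """
        if origin not in ALLOWED_ORIGINS:
            return None
        key = secrets.token_urlsafe(32)  # unguessable, generated server side
        self._pending[key] = (asset, self._clock() + KEY_TTL_SECONDS)
        return key

    def redeem(self, key, asset):
        """Download step: True exactly once for a valid (key, asset) pair."""
        # Pop before checking anything else, so every attempt voids the key.
        entry = self._pending.pop(key, None)
        if entry is None:
            return False
        bound_asset, expires_at = entry
        if self._clock() > expires_at:
            return False
        return bound_asset == asset
```
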
     
  5. Meltdown
    Authorise against what though? What do you authorise against the PHP webhost? How do you know if a user is valid or not?
     
  6. wccrawford
    You are authorizing the game itself, not the user. Basically, you're checking to make sure the game is up-to-date and valid on that domain. If it's not, the game dies.

    Of course, they could probably hack around that, but you might be able to tie it in deeply enough or obfuscated enough that they won't bother.

    It's a form of DRM, though, and could end up impacting legit users, too, sometimes, such as if your auth server goes down.