Game Tech Tutorial
Published in

Game Tech Tutorial

How to protect your Unity game from being hacked?

No one can ensure games to be completely secure and safe.

What we can do is to make games become hard and challenging to hack.

This tutorial will provide some tips to protect your Unity games from being hacked.

Obfuscate Your Codes

For Android Games built by Unity with Ill2cpp mode, you should obfuscate your game codes.

Although some said this is just to make your code hard to read, this is a necessary approach to prevent your game codes from being revealed to the public in plaintext.

However, I won’t recommend you obfuscate all of your codes including all the classes because this may lead to performance issues or application crashes.

It is better to obfuscate some codes that reveal secrets, server URLs, or business logic, but how to obfuscate Android Game using Unity?

You can refer to the following plugins on Unity Asset Store.

Obfuscator

Feature:

  • Supports IL2CPP
  • Supports to renames Classes, Methods, Parameters, Fields, and Properties.
  • Supports multiple platforms:
  • Build targets include Standalone, Android, iOS, WebGL, UWP.

Analysis:

This plugin allows you to obfuscate your codes on different platforms. It can save your time to implement obfuscation and protect your game codes.

After obfuscating your codes, how to validate your APK file?

Refer to How to reverse engineering for Android Game in APK file built by Unity?

Download Obfuscator here.

Obfuscator Pro

Feature:

  • Member Renaming:
  • Namespaces
  • Classes (also MonoBehaviour and ScriptableObject subclasses)
  • Methods
  • Fields
  • Properties
  • Event
  • String obfuscation
  • Adding random code
  • Anti debugging

Analysis:

This plugin provides Obfuscation for different types of properties and additional features including random code and Anti debugging.

Download Obfuscator Pro here.

Implement Business Logic on the Server

Don’t implement important business logic on the client-side. Instead, move logics to the server-side.

For instance, you develop a simulation game. You need to give players coins after they win a game.

To calculate how many coins to give players based on player’s properties should be implemented on the server-side instead of the client-side.

Because it is possible for hackers to change it by hijacking and manipulating the network packets or even decompiling the games and changing parameters or properties.

Validate Client’s requests

Game Server should not trust clients' requests, but always carefully

  • validate clients’ requests by signature to ensure data’s integrity.
  • validate JSON Web Token to identify the player’s identity.
  • decrypt the data to ensure confidentiality.

Furthermore, the communication between a client and a server should be encrypted like the HTTPS protocol to protect packets being hijacked and manipulated.

Of course, if the server can properly validate the client’s requests in signature, it’s easy to detect and prevent if someone maliciously changes parameters in the client’s requests.

Summary

In the tutorial, you have learned some tips to protect your games built by Unity. The game server should always validate the client’s requests to ensure data’s integrity, correctness, and confidentiality.

Obfuscating the game's codes is just an approach to make your codes hard to read.

Therefore, it’s recommended to not only obfuscate your codes on the client-side in Unity but also implement essential logic on the server-side to improve your game’s security.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Eric Wei

Eric Wei

55 Followers

Senior Full Stack Engineer & Solution architecture | AWS, GCP, Azure | Cloud, Unity Game Development, SDK, DevOps, and more.