Simple Methods For Basic Game Data Security

Protecting Game Data

Game developers have a responsibility to protect player data and game assets. Implementing basic security measures can prevent cheating, hacking, and theft of intellectual property.

Encrypting save data

Encrypting save data prevents players from directly editing their save files to cheat. It also protects any sensitive information stored in save files.

Using basic symmetric encryption

Symmetric key encryption uses the same secret key to encrypt and decrypt data. One common symmetric algorithm is the Advanced Encryption Standard (AES). Here is example C# code for encrypting player data with AES in Unity:

//Generate random 16-byte key
byte[] key = new byte[16];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(key);

//Encrypt save data
Aes aes = Aes.Create();
aes.Key = key;
aes.GenerateIV();
ICryptoTransform encryptor = aes.CreateEncryptor();   

byte[] encryptedData = encryptor.TransformFinalBlock(saveData, 0, saveData.Length);

//Store encrypted data and IV for decryption later
SaveEncryptionInfo(key, aes.IV); 
SaveEncryptedPlayerData(encryptedData);

With symmetric encryption, any entity with the secret key can decrypt the data. Proper key management is essential to prevent unauthorized access.

Hashing save data with salts

Hashing one-way encrypts data to verify integrity, without allowing decryption. Adding random data called a “salt” prevents reusable rainbow table attacks. Here is example C# code to hash and salt player data:

byte[] salt = new byte[16];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetNonZeroBytes(salt);

SHA256 sha = SHA256Managed.Create();  
byte[] hashedData = sha.ComputeHash(saveData.Concat(salt).ToArray());  

SaveHash(hashedData);
SaveSalt(salt);

When loaded, re-hash the data with the salt to validate it matches the saved hash. Any changes to the save will cause a mismatch.

Obfuscating game code

Code obfuscation makes it more difficult to reverse engineer game logic or assets. This protects intellectual property and makes it harder to find vulnerabilities.

Basic obfuscation techniques

Some basic manual obfuscations include:

  • Renaming assets like art, prefabs, audio files, and scripts
  • Using abbreviated, meaningless variable and function names
  • Stripping debug symbols and disabling debugging capabilities

These simple steps make static analysis of game binaries more challenging.

Advanced techniques

Dedicated obfuscators can automate more complex transformations like:

  • Control flow obfuscation – Adds jumps and switches to mask the true program flow
  • String encryption – Encrypts string literals forcing runtime decryption

Combining multiple techniques compounds the difficulty of deciphering obfuscated code.

Securing data transmission

Protecting data sent to and from game servers prevents tampering or eavesdropping.

Using HTTPS

Hypertext Transfer Protocol Secure (HTTPS) encrypts communications and authenticates the server. To enable HTTPS:

  1. Obtain an SSL/TLS certificate and private key
  2. Install the certificate on the game server
  3. Redirect all HTTP traffic to HTTPS

All data including login credentials and gameplay data will then be securely transmitted over TLS.

Authentication with tokens

Stateless token-based authentication improves security over stateful sessions. The server generates short-lived tokens allowing clients limited access to resources. Here is sample logic in Unity:

//Login request with username/password 
var loginRequest = GenerateLoginRequest(username, passwordHash);
var loginResponse = SendRequest(loginRequest);

//Keep access token from response 
string accessToken = loginResponse.accessToken;  

//Subsequent requests pass access token  
var gameDataRequest = GenerateGameDataRequest();
gameDataRequest.SetHeader("Authorization", accessToken);
var gameData = SendRequest(gameDataRequest); 

Tokens expire quickly, limiting damage from leaked credentials. Users re-authenticate once tokens invalidate.

Additional considerations

Beyond core protections, general security best practices apply to games.

Regular security audits

Routinely audit the game for vulnerabilities. Check for issues like:

  • SQL injection bugs
  • Buffer overflow issues
  • Weak cryptography
  • Authorization bypass flaws

Periodic scans using automated tools or services can catch oversights in custom game code.

Bug bounty programs

Bug bounty programs reward security researchers for responsibly disclosing exploitable issues. Establishing a bounty program invites scrutiny of public-facing systems. Payouts for reported flaws raise awareness within the security community and help identify threats before criminals discover them. With increasing digital revenues, the benefits outweigh costs for most major game studios.

Leave a Reply

Your email address will not be published. Required fields are marked *