Network Security

Discussion in 'Multiplayer' started by Firoball, Sep 2, 2015.

  1. Firoball

    Firoball

    Joined:
    Aug 6, 2015
    Posts:
    62
    Hi,

    In general an authoritative server setup is more secure than having some sort of peer to peer setup, but currently I'm looking at all this from an entirely different point.

    I'm scripting in C# using Unet code which is stored in DLLs - on a Windows machine.
    It is no problem to investigate all the Unet addons like NetworkManager with a decompilation tool like ILSpy in readable source code.

    Now what will happen when I release the game, let's say a Windows desktop PC build?
    What will happen with all those DLLs? Will it still be possible to investigate all the Unet code as well as my custom code, or is there any security protection to avoid source code analysis and maybe even foreign code injection?

    Thanks.
     
  2. chrismarch

    chrismarch

    Joined:
    Jul 24, 2013
    Posts:
    471
    If you make a clean non-development build, you should be able to examine its contents. Like any Unity game, I think you'll find that, unless you take further action on your own, all the non-native code is easily decompiled, and there exist open source tools out there to inject things.
     
    Firoball likes this.
  3. bartm4n

    bartm4n

    Joined:
    Jun 20, 2013
    Posts:
    57
    As you mentioned, the most secure configuration is going to be with an authoritative server. This allows the server to handle any sanity checks and determine what is allowed to happen based on the current state of the simulation.

    Extending that idea, the client that gets distributed should really only have the code it needs to be a client and nothing else. This idea obviously won't work if you plan to allow users to host their own servers, but it really comes down to which you value more: the convenience of a single client/server build or the security of hiding protected server code.

    The less that a malicious user knows about the inner workings of the simulation the better.

    There are also code obfuscation tools out there, though I can't comment on how they work with Unity's implementation of C#. The idea with this is that it makes the code very difficult for a human to read by renaming variables and functions to mask their purpose while ensuring that it still compiles and logically functions.
     
    chrismarch and Firoball like this.
  4. Firoball

    Firoball

    Joined:
    Aug 6, 2015
    Posts:
    62
    Not what I wanted to hear, but exactly what I expected to hear, after all.

    I hope in future we will have the possibility to configure a "client only" as well as "server only" build, but have everything in one single project - this is way easier to maintain than separate projects which have to be compatible with each other.

    Luckily I'm just doing a learning project for getting used to Unity a bit better, so it doesn't matter all that much right now - but it is good to think about for later projects. :)
     
  5. bartm4n

    bartm4n

    Joined:
    Jun 20, 2013
    Posts:
    57
    I think that you can still maintain a single project if you leverage conditional compilation and toggle between client/server.
     
    Firoball likes this.
  6. TehGM

    TehGM

    Joined:
    Nov 15, 2013
    Posts:
    89
    Yup. You can use directives. Player settings has "scripting define symbols".
     
    Firoball and bartm4n like this.
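
The single-project split suggested in the replies above, as an added example that is not part of any post in this thread: server-side sanity checks sit behind a scripting define symbol, so they are compiled out of the client build and never appear in a decompiled client DLL. The symbol `SERVER_BUILD`, the types `MoveRequest` and `MoveValidator`, and the speed limit are hypothetical names and values chosen for illustration.

```csharp
// Added example. SERVER_BUILD is a hypothetical symbol, defined only when
// producing the server build (in Unity: Player Settings > Scripting Define Symbols).
using System;

public struct MoveRequest
{
    public float X, Y;        // position the client claims to have reached
    public float DeltaTime;   // seconds since the last accepted move
}

#if SERVER_BUILD
// Compiled only into the server build, so the client binary does not
// contain the rules the server uses to reject bad input.
public static class MoveValidator
{
    const float MaxSpeed = 6f; // units per second (constructed value)

    public static bool IsAllowed(float lastX, float lastY, MoveRequest req)
    {
        if (float.IsNaN(req.X) || float.IsNaN(req.Y)) return false;
        if (req.DeltaTime <= 0f || req.DeltaTime > 1f) return false;
        float dx = req.X - lastX, dy = req.Y - lastY;
        double dist = Math.Sqrt(dx * dx + dy * dy);
        // Reject any move that covers more ground than MaxSpeed allows.
        return dist <= MaxSpeed * req.DeltaTime + 0.01;
    }
}
#endif

public static class Program
{
    public static void Main()
    {
        // Constructed sample input: 50 units in 0.1 s, far above MaxSpeed.
        var req = new MoveRequest { X = 50f, Y = 0f, DeltaTime = 0.1f };
#if SERVER_BUILD
        // Server: authoritative check against its own stored position (0, 0).
        Console.WriteLine(MoveValidator.IsAllowed(0f, 0f, req)
            ? "accepted" : "rejected, client state corrected");
#else
        // Client: only packages input; the server decides whether it applies.
        Console.WriteLine("sending move request ({0}, {1})", req.X, req.Y);
#endif
    }
}
```

Outside Unity the same file can be compiled both ways with `csc -define:SERVER_BUILD` and plain `csc`; decompiling the second output shows no `MoveValidator` type at all.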
  7. Firoball

    Firoball

    Joined:
    Aug 6, 2015
    Posts:
    62
    Thanks, good to know.