Are there not Security issues using [Command] & [ClientRPC]?

Discussion in 'Multiplayer' started by Piesk, Feb 22, 2017.

  1. Piesk

    So I'm new to networking. I've done a fair amount of research into Unity's multiplayer system and understand how to use Commands and RPCs. My concern is that all of this code is on the client's machine: if it's a client it runs the RPC code, and if it's the server it runs the Command code. But if a hostile client were to decompile the code, could they not simply alter this just like any other code so that they can manipulate code that should only be run on the server?

    Please correct me if I'm wrong as it would make my life a lot easier in terms of current development. Trying to figure out how to proceed with my current project up until the point that the standalone simulation server is released.
     
  2. LukeDawn

    The client could easily be hostile. Whilst the client should never be trusted, you can also go to such great lengths to avoid cheating that you bog the game down for all players. It's a trade-off. How will cheating impact the game? If only 1% of players are cheats, and they only cheat 1% of the time, is it really worth spending a lot of time and effort to catch them out, when your player base might draw cheaters to your attention in forums or elsewhere?

    I don't believe there are any wrong answers to this one.
     
  3. Piesk

    It is definitely important when there are IAPs involved. I'm looking to create an authoritative server. But this issue seems to negate the point of it?
     
  4. TheDigitalDev

    I would think so, that's why I switched from using the HLAPI to the LLAPI. Instead of the hardwired mess that is the HLAPI, you can have way more control with LLAPI.
     
  5. donnysobonny

    So the topic of security in networking is one that can lead to a lot of depth, but to talk briefly about the question that you have posted:

    This isn't, in theory, possible. Ideally, your "server" will be a managed application that you run on a server, and manage yourself. This means that no-one but you has the ability to access the code that makes up the server-part of your game. You are right though that the client code can be de-compiled and messed with, however this does not affect your server-side in any way. By tweaking the RPC in the client-code, all the hacker will be doing is changing what happens in their own client when they run the game. The server itself will not change.

    The important thing here is not to allow client RPCs or requests originating from the client to have too much control. A great example of this is if you were to allow a client to make a request such as "do X damage to Y", as you've stated, the client could manipulate the code to make "X" any value that they wish. The key here is to limit the client side to only be able to request "do damage", and have the server side know what X and Y is.

    As mentioned already, the tricky thing here is the more secure you want to make things, the more complex your whole solution becomes. Using the example above, implementing a client RPC to "do X damage to Y" would be very simple, whereas implementing "do damage" requires that the server knows what X is (how much damage the client can deal), and who Y is (the target). So ultimately it comes down to how important it is that your game is secure.

    Hopefully this helps!
     
  6. or113

    I had the same question here.
    Basically you can use custom regions and then compile your client version without the server side code.
    Coming from web development - this is the exact same thing as having the js/css/html code on the client (and the client can mess it up) but the client can't see the server logic at all.
     
    Last edited: Feb 26, 2017
  7. angusmf

    Pretty much repeating the above. The fact that the server side code for networking Commands and RPCs (and messages) would be in your client code is not a huge issue as long as only the server can really affect your game world. If knowing how your server code is implemented helps someone hack it, I suppose you've done something wrong anyway.

    The security issue I see with ClientRPCs (and syncvars and their hooks) is more the fact that you can't control who they are sent to. If you try to handle that in the code that runs on the client by using something like a user mutex, you are open to being hacked because the client could just ignore your mutex. By the same token, you shouldn't rely on the client code to tell your Commands who they are being sent from. Always determine this based on the connection and you should be fine.
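
The two points made in the replies above ("do damage" instead of "do X damage to Y", and taking the sender from the connection rather than from the message) can be shown side by side in one UNET HLAPI component. This is an added example, not code from any poster in the thread; the class name `PlayerCombat`, its fields and the numeric values are assumptions chosen for illustration.

```csharp
using UnityEngine;
using UnityEngine.Networking;

// Hypothetical player component (names and values are assumptions for illustration).
public class PlayerCombat : NetworkBehaviour
{
    [SyncVar] public int health = 100;   // written only on the server, replicated to clients

    // Server-side state that the client never gets to supply.
    [SerializeField] int weaponDamage = 10;
    [SerializeField] float weaponRange = 3f;
    [SerializeField] float cooldown = 0.5f;
    float nextAttackTime;

    // Insecure shape, kept for contrast: the attacker identity and the damage
    // both arrive as arguments, so a modified client can send any values.
    [Command]
    void CmdDealDamageUnsafe(NetworkInstanceId attackerId, NetworkInstanceId targetId, int damage)
    {
        GameObject target = NetworkServer.FindLocalObject(targetId);
        if (target != null) target.GetComponent<PlayerCombat>().health -= damage;
    }

    // Authoritative shape: the client only asks to attack a target.
    // The attacker is this object, which the server tied to the sending
    // connection; the damage comes from server-side fields.
    [Command]
    void CmdAttack(NetworkInstanceId targetId)
    {
        if (Time.time < nextAttackTime) return;   // rate limit enforced on the server

        GameObject targetObj = NetworkServer.FindLocalObject(targetId);
        if (targetObj == null || targetObj == gameObject) return;

        PlayerCombat target = targetObj.GetComponent<PlayerCombat>();
        if (target == null || target.health <= 0) return;

        // Range check uses the server's copies of both positions.
        float distance = Vector3.Distance(transform.position, targetObj.transform.position);
        if (distance > weaponRange) return;

        nextAttackTime = Time.time + cooldown;
        target.health = Mathf.Max(0, target.health - weaponDamage);
    }
}
```

The range check is only as trustworthy as the positions it reads: if movement is client-authoritative, the server also has to validate position updates before relying on them here.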