
How to protect your Unity game from being hacked?

No one can make a game completely safe. What we can do is make it hard and challenging to hack.

This tutorial will provide some tips to protect your Unity games from being hacked.

Obfuscate Your Code

For an Android game built with Unity in IL2CPP mode, you must obfuscate your code.

Although some say this only makes your code hard to read, I think it is a necessary step to prevent your game code from being exposed to the public in plaintext.

However, I don’t recommend obfuscating all of your code, including every class, because this may lead to performance issues or application crashes.

It is better to obfuscate the code that exposes secrets, server URLs, or business logic.

But how do you obfuscate an Android game built with Unity?

You can take a look at the following plugins on the Unity Asset Store.


Obfuscator

Feature:

  • Supports IL2CPP

  • Supports renaming Classes, Methods, Parameters, Fields, and Properties.

  • Supports multiple platforms:

    Build targets include Standalone, Android, iOS, WebGL, UWP.

Download Obfuscator:

Analysis:

This plugin allows you to obfuscate your code on different platforms. It saves you the time of implementing obfuscation yourself and protects your game code.


After obfuscating your code, how do you validate your APK file?

Refer to this - How to reverse engineering for Android Game in APK file built by Unity?

Obfuscator Pro

Feature:

  • Member Renaming:
    • Namespaces
    • Classes (also MonoBehaviour and ScriptableObject subclasses)
    • Methods
    • Fields
    • Properties
    • Events
  • String obfuscation
  • Adding random code
  • Anti debugging

Download Obfuscator Pro:

Analysis:

This plugin provides obfuscation for different kinds of members, plus additional features including random code and anti-debugging.


Move Business Logic to the Server

Don’t implement important business logic on the client side.

For instance, suppose you are building a simulation game and need to give players coins after they win a game. The calculation of how many coins to give, based on the player’s properties, should be implemented on the server side instead of the client side, because client-side logic is very easy to change.


Validate Client Requests

Don’t trust clients. Always validate the signature of each client request on the server, and check that the request parameters are valid.
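
The two sections above combined in one added example (not code from the original post): a server-side handler, sketched in Python, that verifies an HMAC-SHA256 request signature, validates the parameters, and looks up the coin reward on the server. The session key store, the field names (`level`, `ts`, `nonce`), the reward table and the 30-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Assumed per-session keys issued by the server at login (constructed demo value).
SESSION_KEYS = {"session-123": b"constructed-demo-key"}
LEVEL_REWARDS = {1: 10, 2: 25, 3: 50}  # reward table lives on the server only
MAX_SKEW_SECONDS = 30                  # assumed freshness window
SEEN_NONCES = set()                    # in-memory replay cache for the demo


def sign(key, body):
    """HMAC-SHA256 over the raw request bytes, hex encoded."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def handle_win(session_id, body, signature, now=None):
    """Return (status, coins). Coins are never read from the request."""
    now = time.time() if now is None else now
    key = SESSION_KEYS.get(session_id)
    if key is None:
        return ("unknown_session", 0)
    # 1. Check the signature before parsing anything, in constant time.
    if not hmac.compare_digest(sign(key, body).encode(), signature.encode()):
        return ("bad_signature", 0)
    # 2. Validate every parameter the server is going to act on.
    try:
        req = json.loads(body)
        level, ts, nonce = req["level"], req["ts"], req["nonce"]
    except (ValueError, KeyError, TypeError):
        return ("bad_request", 0)
    if type(level) is not int or level not in LEVEL_REWARDS:
        return ("bad_level", 0)
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW_SECONDS:
        return ("stale", 0)
    if not isinstance(nonce, str) or (session_id, nonce) in SEEN_NONCES:
        return ("replay", 0)
    SEEN_NONCES.add((session_id, nonce))
    # 3. Business logic: the reward comes from the server's own table,
    #    so a "coins" field sent by the client is simply ignored.
    return ("ok", LEVEL_REWARDS[level])
```

The signature only ties a request to a session key and protects it from modification in transit. The reward is still taken from the server's table because any key held by the client can be recovered from the client.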

