3

In a nutshell, my project consists of:

  • A secure RESTful API web service (hosted on Heroku), handling requests/responses for a database. It accepts & returns JSON data
  • A Unity desktop application, which doubles as a Twitch API chat bot, and communicates with the webservice to update the state of the game, as well as the state of the database.
    • IMPORTANT: This game is meant to be run by Twitch streamers, and played by users in Twitch chat

So my question is... Even though my web service is secure, what can I do to ensure that someone won't simply reverse engineer my Unity application to figure out how to properly communicate with my web server?

Encrypted HTTP traffic stops packet sniffing, but is a moot service if you can still use the same methods the application uses to interact with the data. Perhaps I'm being too paranoid, but there are plenty of tools out there that specifically target Unity & C# projects, so it really wouldn't take much effort.

One idea I had was to use the Twitch API to check if the user is actively streaming the game, and only allow them to start the game if the web service can't find a duplicate IP address in the database with an "isStreaming" flag set. This works in theory... but in practice, anyone can set up a fake Twitch account and a fake or "blank" stream on their machine, and then run some reverse-engineered code from the game.

Is there anything else I could do to minimize a hacker's ability to interact with my database?

RectangleEquals
  • 1,825
  • 2
  • 25
  • 44

1 Answers1

3

The Simple Answer

  • Unity-compatible Code Obfuscation

Thanks to Unity's plugin system, there are actually some decent options for this. Some are paid options that exist in the Asset Store, as well as some 3rd party paid/free options that are simply unrelated to Unity (but could still work). Some of the free options, such as ConfuserEx, are also open source, allowing you to make custom code changes to how your work can be obfuscated.


The More Complex Answer

  • I made a simple C# Class Library and filled it with some pointless functionality (for testing)
  • I compiled a release build of the library
  • I obfuscated it through ConfuserEx using Aggressive settings (Maximum settings had Unity spitting out Invalid IL code errors)
  • I added an Assets/Plugins folder to my Unity project, and placed the compiled library there
  • I created a new C# script to test the library from within Unity

... And although the decompiled code was unintelligible, it still worked as expected within Unity. I used an IL/C# decompiler tool (such as JustDecompile) to compare the differences between the obfuscated binary and the original binary.

So if I really wanted to, I could follow these very same steps for all of my important bits of code (or even for the majority of my client project), as well as implementing any aforementioned security measures... And so hopefully, it's now going to be too much of a chore for anyone to understand the inner-workings of my project.

RectangleEquals
  • 1,825
  • 2
  • 25
  • 44