Unity httpapi communication security

Asked 1 year ago, Updated 1 year ago, 138 views

Hello, I'm a web developer.

I am developing a game API server this time, and I have a question about security when communicating with http.

I want to prevent the Unity client from tampering with the values passed over http.

For example, when sending two values, money=100 and exp=100, to the server, I want to verify them by also sending a value created like hmac(100+100+secret_key) as a parameter. (User verification is done by checking the token value after login; we excluded it from the example above.)

The problem is that when the client source code is decompiled, the way it behaves and the secret_key are exposed. If an attacker maliciously creates an http call and sends it, the server will not know whether the value came from a normal call.

In this case, there are client source code obfuscation assets, so can this be resolved with obfuscation?

If you know how the values are encrypted and how the encryption works from the source code, then unless it is obfuscated I don't think it's meaningful.

I don't know if I should just obfuscate the client. I'm curious.

Also, I would appreciate it if you could recommend a Unity obfuscation asset. Thank you.

Tags: unity, http, api, security, hmac

2022-09-22 20:57

1 Answers

Vulnerabilities such as the one in the question are Cross Site Request Forgery (CSRF).

Typically, when a client requests an input form, the server sends a verification token, and when the client submits, the verification token received from the server is submitted together for verification.

A verification token is a random string created on the server, so the communication is secure because the attacker cannot identify it.

You said you use a secret key in the question, so it looks like a verification token. Using verification tokens is a protection against Cross Site Request Forgery.

HTTP is a very simple protocol. Whether money=100 and exp=100 are valid (normal) values must be checked separately by the server.


2022-09-22 20:57
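The answer's last point, that the server must decide for itself whether money=100 and exp=100 are legitimate, is the part that actually protects against a decompiled client. The following is an added example, not code from the question or the answer: it shows a server-side check where the HMAC key is issued per session after login (so nothing secret is compiled into the Unity build), where a nonce blocks replays, and where the client reports an event while the server looks up the reward itself, so a tampered money value in the request is simply never read. The in-memory SESSIONS store, the REWARDS table, the event name and the function names are all assumptions made up for this illustration.

```python
import hmac
import hashlib
import secrets

# Constructed in-memory session store (assumption: a real server would keep this
# in a database or cache). Maps login token -> per-session state.
SESSIONS = {}

# Constructed reward table: the SERVER decides what an event is worth.
# The client never sends money/exp amounts that are trusted.
REWARDS = {"stage_3_cleared": {"money": 100, "exp": 100}}


def create_session(user_id):
    """After login, issue a random token and a random per-session HMAC key.
    Both are generated server-side, so neither exists in the shipped client."""
    token = secrets.token_hex(16)
    SESSIONS[token] = {
        "user_id": user_id,
        "key": secrets.token_bytes(32),
        "nonces": set(),   # nonces already consumed, to reject replays
        "money": 0,
        "exp": 0,
    }
    return token, SESSIONS[token]["key"]


def canonical(params):
    """Deterministic string both sides sign: keys sorted, 'k=v' joined by '&'."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def sign(key, params):
    """HMAC-SHA256 over the canonical parameter string (what the client would send)."""
    return hmac.new(key, canonical(params).encode(), hashlib.sha256).hexdigest()


def verify_request(token, params, signature):
    """Return (ok, reason). A valid signature only proves the holder of this
    session's key built the request; it says nothing about whether the
    numbers inside are legitimate."""
    session = SESSIONS.get(token)
    if session is None:
        return False, "unknown session"
    expected = sign(session["key"], params)
    # Constant-time comparison avoids leaking the expected MAC byte by byte.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    nonce = params.get("nonce")
    if nonce is None or nonce in session["nonces"]:
        return False, "replayed or missing nonce"
    session["nonces"].add(nonce)
    return True, "ok"


def apply_event(token, params, signature):
    """Server-side handler: authenticate the request, then grant the reward
    the SERVER associates with the event. Any 'money' or 'exp' field the
    client included is ignored, so tampering with it changes nothing."""
    ok, reason = verify_request(token, params, signature)
    if not ok:
        return reason
    reward = REWARDS.get(params.get("event"))
    if reward is None:
        return "unknown event"
    session = SESSIONS[token]
    session["money"] += reward["money"]
    session["exp"] += reward["exp"]
    return "ok"


def balance(token):
    """Current server-side balance for a session (money, exp)."""
    session = SESSIONS[token]
    return session["money"], session["exp"]


if __name__ == "__main__":
    tok, key = create_session("alice")
    req = {"event": "stage_3_cleared", "nonce": "n1"}
    print(apply_event(tok, req, sign(key, req)), balance(tok))
    # Same request again is a replay and must be rejected.
    print(apply_event(tok, req, sign(key, req)))
    # A client that adds money=999999 gets only the server-defined reward.
    tampered = {"event": "stage_3_cleared", "nonce": "n2", "money": 999999}
    print(apply_event(tok, tampered, sign(key, tampered)), balance(tok))
```

Obfuscating the Unity build still has a place (it raises the cost of reading the client), but it cannot substitute for this: whatever the client can compute, an attacker with the client can compute too, so the only values worth trusting are the ones the server derives or validates itself.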
