Applying Encrypt on a game that is already live and not yet using it



  • Hi Baroni,

    Years ago, when I released my game, I didn't enable the Encrypt in DB Manager. I did nothing to protect my game. My game soon has 500 000 downloads, and there is lots of hacking happening.

    I'm trying to do something about it by turning on Encrypt + moving to Server Side Receipt Validation since I have my own server.

    And also, I'm adding Unity Asset Store assets like Obfuscator + Anti Cheat Toolkit to the game.

    There is a warning in the manual:

    WARNING: Please be aware that our PlayerPrefs database implementation (DB Manager) may require a one-time-only setup of variables. If you change their values again in production (live) versions, you will have to implement some kind of data takeover for existing users of your app on your own. Otherwise you will risk possible data loss, resulting in dissatisfied customers.

    Does using the Encrypt affect this?

    I enabled the Encrypt in DB Manager, typed an 8-character Obfusc Key and ran my game in the Editor. When I open the shop in the game, everything looks OK, and when I check the Show Database I can see that the data stored on the device is encrypted like this:

    "2iH+c/kNWqXtpTk+FFKwhpNojKDcElBWfQr9q6jUKRfctQetExe14al40XF..."

    Now that I have the Encrypt enabled, will it break the IAP items from current players?

    So if I call DBManager.isPurchased, is it going to work? If not, what do I need to do?



  • Hello Nadan,

    Great to hear you're having success with your game!

    Yes, toggling encryption in live apps does corrupt the saved file. It obviously works without a previous save file, but will otherwise cause a Null Reference Exception when trying to read an existing, unencrypted file, as it cannot know whether the format is encrypted or not and fails parsing.

    The warning is specifically referring to this issue. You will need to add some data takeover method as written above. This depends on your game code - e.g. if your data string always contains the same unencrypted key, like "IAP", or just the "{" and "}" brackets at the beginning/end, you could check this and force the encryption once at game launch. Subsequent game launches would then try to parse the encrypted string.

    I am distancing myself from implementing a general data takeover scenario, since each game has different requirements and to avoid legal consequences.


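The takeover check described in the reply above (detect a save that still starts and ends with "{" and "}" and encrypt it once at launch), as an added example that is not part of the thread or of the plugin's code. `SaveTakeover`, `SaveState` and the `encrypt`/`decrypt` hooks are hypothetical names; it assumes the plaintext save is a JSON object and the encrypted form is Base64 text like the sample in the question.

```csharp
using System;

// Added example: one-time takeover of an unencrypted save string.
public enum SaveState { Empty, MigratedFromPlaintext, AlreadyEncrypted, Unreadable }

public static class SaveTakeover
{
    // Plaintext saves are assumed to be a JSON object: "{" ... "}".
    // Base64 never contains '{' or '}', so ciphertext cannot match this test.
    public static bool LooksLikePlaintextJson(string s)
    {
        if (s == null) return false;
        string t = s.Trim();
        return t.Length >= 2 && t[0] == '{' && t[t.Length - 1] == '}';
    }

    // encrypt/decrypt are supplied by the caller (hypothetical hooks for whatever
    // cipher and key the shipped build uses). Returns the string to store.
    public static string Migrate(string stored, Func<string, string> encrypt,
                                 Func<string, string> decrypt, out SaveState state)
    {
        if (string.IsNullOrWhiteSpace(stored)) { state = SaveState.Empty; return stored; }

        if (LooksLikePlaintextJson(stored))
        {
            string cipher = encrypt(stored);
            // Verify the round trip before the caller overwrites anything.
            if (decrypt(cipher) != stored)
                throw new InvalidOperationException("round trip failed; keep old save");
            state = SaveState.MigratedFromPlaintext;
            return cipher;
        }

        try
        {
            // Not plaintext: it must decrypt to a JSON object with the current key.
            state = LooksLikePlaintextJson(decrypt(stored))
                ? SaveState.AlreadyEncrypted : SaveState.Unreadable;
        }
        catch (Exception) { state = SaveState.Unreadable; }
        return stored;
    }
}
```

Run it once at launch, before anything parses the save, and write the returned string back only when the state is `MigratedFromPlaintext`. On `Unreadable`, leave the stored value untouched rather than overwriting it.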