2

I'm working on a mobile game in Unity and I want to be able to identify my user without them logging in (so when they send data to the server I will know it's them).

In this specific case, the solution doesn't have to be data-loss proof (meaning it's not the end of the world if the user loses access to their data on the server), but I really want to avoid situations where users can access other users' data.

Here's what I thought of so far: When the user starts the game, a random ID is created and saved into PlayerPrefs. From there, the game takes that ID, adds to it the IP address of the user, and hashes it.

This hash is then sent to the server, and the server keeps in its data the hash as well as the IP address the request was sent from.

From now on, every request sent by the user to the server needs to be signed by the hash and come from this specific IP address. This means that if the user clears PlayerPrefs, uninstalls the game or changes device - they will lose access to their data on the server.

Do you think this will work, or is this impractical/insecure/inefficient?

Thanks in advance!

Clicksurfer

2 Answers

4

You can identify the device by its unique ID. Works for Android and iOS. (Documentation)

string deviceID = SystemInfo.deviceUniqueIdentifier;
kyle
3

You can't take the IP because it changes a lot on a mobile phone. You need to stick to a random UUID generated when the app is installed. Maybe you can add something like the MAC address of the Wi-Fi adapter because that won't change... but if the user is on roaming or using the cellular network is a guess...

Remember that getting hardware identifiers is against the privacy procedures of many countries and companies. I'll stick to generating a random UUID for each app install.

https://developer.android.com/training/articles/user-data-ids

Programmatically getting the MAC of an Android device

Chico3001
  • Thank you, this was a very useful answer. I have a follow-up question regarding this - Assuming I indeed use a random UUID generated upon app install, what would be the best way to authenticate such a user when he connects to the server (for the sake of argument, let's say the server is on Firebase)? What can I do to prevent hackers from trying to steal the UUID of other users or inserting random UUIDs into their query until they get someone else's data? – Clicksurfer Mar 13 '21 at 08:36
  • 1
    You can't... because the UUID is just a random value there is no guarantee that it will be unique, but Firebase can generate its own UUID: https://stackoverflow.com/questions/45995311/how-to-get-firebase-user-uuid – Chico3001 Mar 13 '21 at 16:54
  • From the same link you referenced: [**Don't work with MAC addresses**](https://developer.android.com/training/articles/user-data-ids#mac-addresses) ;) – derHugo Mar 13 '21 at 17:58
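
One way to handle the "signed request" idea from the question and the guessing concern raised in the comments, shown as an added example that is not code from the question, the answers, Unity or Firebase: the server issues each install a lookup ID plus a separate 256-bit secret from a CSPRNG, and every request carries an HMAC over the ID, a timestamp and the body, with no IP binding. The function names, the in-memory `Map` standing in for a database, and the 5-minute freshness window are assumptions; enrollment is assumed to happen over TLS.

```javascript
const crypto = require('crypto');

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window for requests
const devices = new Map();         // stand-in for the server database: deviceId -> secret

// Server: enroll a new install. The deviceId is only a lookup key and may be
// seen by others; the random 256-bit secret is the actual credential.
function enroll() {
  const deviceId = crypto.randomUUID();
  const secret = crypto.randomBytes(32);
  devices.set(deviceId, secret);
  return { deviceId, secret }; // sent to the client once, then stored on the device
}

// Client: bind deviceId, timestamp and body together under the secret.
function signRequest(deviceId, secret, body, now = Date.now()) {
  const mac = crypto.createHmac('sha256', secret)
    .update(`${deviceId}\n${now}\n${body}`)
    .digest('hex');
  return { deviceId, timestamp: now, body, mac };
}

// Server: recompute the MAC and compare in constant time.
function verifyRequest(req, now = Date.now()) {
  const secret = devices.get(req.deviceId);
  if (!secret) return false; // unknown or guessed ID
  if (!Number.isFinite(req.timestamp)) return false;
  if (Math.abs(now - req.timestamp) > MAX_SKEW_MS) return false; // stale request
  const expected = crypto.createHmac('sha256', secret)
    .update(`${req.deviceId}\n${req.timestamp}\n${req.body}`)
    .digest();
  const given = Buffer.from(String(req.mac), 'hex');
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}
```

Knowing or guessing another install's ID is not enough to pass `verifyRequest`, because the MAC cannot be produced without that install's secret. A captured request can still be replayed inside the freshness window unless the server also tracks nonces.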