No announcement yet.

How secure is the default SaveGame feature?

  • Filter
  • Time
  • Show
Clear All
new posts

    How secure is the default SaveGame feature?

    I was looking at the SaveGame feature of UE4 recently, and thought it was really cool and useful, but how safe is it?

    What kind of file does it save, and how easy is it for people to tinker with that file in order to cheat?

    Are there any special considerations to make my save files "hack-proof"?

    It doesnt encrypt a thing, and, in fact, it even writes the actual name of the properties in ascii if used with blueprint variables. Mine is a very simple one with 2 variables, and its something like header, then UE4, then some data, then DWScoreSave_c (name of my class) then BestScore(name of my property) some data, then FloatProperty, then some more data. Its extremelly easy to modify and cause havoc.
    I guess you could try modifying the serialization functions so its encrypted, or, easier, add a hash. For example, in my case i have 2 scores, so i could write a 3rd variable that is a hash from those 2, then, when i load, i check that is valid, and if it isnt, i know its been tampered with, but its still a lost cause, if people want, they will probably crack it anyway.
    UDK and UE4 programmer and Unreal engine 4 betatester. Currently working on commercial VR games for PSVR.
    Deep knowlegde of C++ and blueprints. Open to freelance work.
    Games released, Deathwave(Steam), VRMultigames(Steam), DWVR(Steam,Oculus,PSVR):


      Yeah, I wouldn't worry about spending a ton of time implementing some wild encryption component. For some people part of the fun is "cheating" / bypassing rules. Now that usually goes out of the window when we involve other players. At that point you'd have a server at your will.
      Twitch | Twitter | Frosted Citadel Entertainment


        We used the SaveGame system for a while, but in the end we just dropped it and went with a custom system. The default saving API has wildly unpredictable behavior when your code evolves, basically don't hope to load an existing save after changing a field from "int" to "float" - or from "unsigned int" to "int". Or removing a field. We switched to a JSON save system mostly to be able to load old game saves.
        Helium Rain, a realistic space opera


          Encrypting your save games is wasted effort for single player games.

          Those who want to cheat will cheat, remember your game must decrypt whatever format you put your saved game in, and if your game can do it a player can do it with some grim determination and a debugger. Spend your time on good gameplay instead, and maybe bundle some modding tools, do the opposite and encourage people to mess with the game.

          Multiplayer is a whole different kettle of fish, best handled by making the server side completely authoritative to prevent cheating.

          Have fun!
 | In Production: Wheelbase | Released: Mr Boom's Firework Factory