
I'm making a mobile online game with Unity. Just like other online games, there is a login screen for entering an ID/password with TMP_InputField from TextMesh Pro. The password input field is covered with asterisks, but the value of the input field still contains the password string, so what if a hacker or malware takes this data? Is the input field secure enough? Or do I need to strengthen security in other ways?

Thanks

Peter Han
  • Nope... it is far from safe, security-wise. You need to encrypt that input field and store it on a separate server (never on local devices). Try taking a look at the AES-256 encryption method.. – Hikari Jul 01 '22 at 07:46
  • And to add to that.. that asterisks input field is purely for UI purposes.. and it doesn't have any security method at all. – Hikari Jul 01 '22 at 07:48

1 Answer

Well, you could mimic WPF apps, where PasswordBox was placed in the GUI with SecureString as the data structure. SecureString isn't perfect, however; it merely shortens the time the decrypted string is accessible in memory (as opposed to a regular string, which is subject to an unpredictable GC event).

Obviously you can't use WPF controls, but you could easily create your own control using whichever Unity UI framework you prefer.

Note that in .NET 5+ (though from a Unity perspective this technically doesn't apply) SecureString carries a "not recommended" warning, whose details are covered here. However, the debate over whether it's a good idea to deal with credentials in any app arguably still applies to Unity.

Alternatives

Generally the best security is when the application does not deal with usernames and passwords at all [1].

e.g.

  1. Windows Authentication (though kinda pointless for games)
  2. Certificates (unheard of in gaming)
  3. Rely on an established SSO provider. e.g. XUser part of the Microsoft Game Development Kit for Unity

Signing into GDK in Unity (sample courtesy of GDK):

// Sample courtesy of GDK; comments added. Assumes the GDK Unity package
// (SDK, XUserAddOptions, XUserHandle) is referenced by the project.
private XUserHandle _userHandle;

public void SignIn()
{
    // Look ma, no need for passwords! The platform prompts the user and
    // hands the game back an opaque user handle, never a credential.
    XUserAddOptions options = XUserAddOptions.AddDefaultUserAllowingUI;
    SDK.XUserAddAsync(options, AddUserComplete);
}

private void AddUserComplete(int hresult, XUserHandle userHandle)
{
    if (!Succeeded(hresult, "Sign in."))
    {
        return;
    }

    _userHandle = userHandle;
    CompletePostSignInInitialization();
}

// Helper used by the GDK samples: HRESULTs are failures when negative.
private static bool Succeeded(int hresult, string operationName)
{
    bool ok = hresult >= 0;
    if (!ok) Debug.LogError($"{operationName} failed: 0x{hresult:X8}");
    return ok;
}

[1] DE0001: SecureString shouldn't be used
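The "build your own control" idea in the answer, as an added example (not code from the question, the answer, or TextMesh Pro): a password buffer backed by a char[] rather than a System.String, so the secret is never an immutable managed string that lingers until the GC reclaims it. The class names, the Masked property, and the UseUtf8 callback are this example's own choices; the demo input "hunter2!" is a constructed sample.

```csharp
using System;
using System.Text;

// Added example: a minimal password buffer that never materializes the
// password as a System.String. Same intent as the PasswordBox/SecureString
// pattern from the answer, implemented with a char[] that is zeroed on every
// reallocation, on Backspace, and on Dispose.
public sealed class PasswordBuffer : IDisposable
{
    private char[] _chars = new char[32];
    private int _length;
    private bool _disposed;

    public int Length => _length;

    // What the UI shows: one mask character per typed character.
    // This string carries no secret, so it is safe to hand to a TMP_Text.
    public string Masked => new string('*', _length);

    public void Append(char c)
    {
        ThrowIfDisposed();
        if (_length == _chars.Length)
        {
            // Grow, then wipe the old backing array before dropping it.
            var bigger = new char[_chars.Length * 2];
            Array.Copy(_chars, bigger, _length);
            Array.Clear(_chars, 0, _chars.Length);
            _chars = bigger;
        }
        _chars[_length++] = c;
    }

    public void Backspace()
    {
        ThrowIfDisposed();
        if (_length == 0) return;
        _chars[--_length] = '\0';
    }

    // Hands the UTF-8 encoding of the password to `use` (e.g. to build the
    // body of the login request) and zeroes those bytes afterwards, even if
    // `use` throws. The caller must not keep a reference to `bytes`.
    public T UseUtf8<T>(Func<byte[], T> use)
    {
        ThrowIfDisposed();
        byte[] bytes = Encoding.UTF8.GetBytes(_chars, 0, _length);
        try
        {
            return use(bytes);
        }
        finally
        {
            Array.Clear(bytes, 0, bytes.Length);
        }
    }

    public void Dispose()
    {
        if (_disposed) return;
        Array.Clear(_chars, 0, _chars.Length);
        _length = 0;
        _disposed = true;
    }

    private void ThrowIfDisposed()
    {
        if (_disposed) throw new ObjectDisposedException(nameof(PasswordBuffer));
    }
}

// Demo: simulate keystrokes, show the masked text, then consume the bytes.
public static class PasswordBufferDemo
{
    public static void Main()
    {
        using (var pw = new PasswordBuffer())
        {
            foreach (char c in "hunter2!") pw.Append(c);   // constructed sample input
            pw.Backspace();                                // user corrected a typo
            Console.WriteLine(pw.Masked);

            int byteCount = pw.UseUtf8(bytes =>
            {
                // Real code would hand `bytes` to the TLS login request here
                // and never log, cache, or persist them.
                return bytes.Length;
            });
            Console.WriteLine(byteCount);
        }
        // The backing array was zeroed on Dispose; nothing secret is left
        // for the GC to find later.
    }
}
```

In Unity the buffer has to be fed from a source that is not already a string: `Event.current.character` in `OnGUI` gives you one `char` per keystroke, whereas `TMP_InputField.text` and `Input.inputString` have already put the characters into managed strings, which defeats the point. The remaining caveats are the ones the answer itself raises: this only shortens the window, it does not eliminate it (the runtime may still copy the array, and the bytes exist while the request is built), so the login request must still go over TLS and the password must never be written to local storage.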
