Should QA test the protected build or the normal Unity build?

QA should test both, but release approval must include the protected build. Obfuscation, stripping, anti-tamper, signing, and runtime checks can change behavior.

What is the most common protected-build failure?

Reflection and serialization issues are common. JSON payload names, Unity serialized fields, animation events, UI callbacks, and third-party plugins may depend on names that protection changes.

Should testers try to reverse engineer the build?

Yes, at least at a practical level. Open the protected artifact with common tools and verify that sensitive names, strings, debug symbols, endpoints, and test features are not easy to find.

How should anti-tamper failures be tested?

Use controlled tamper cases such as changed files, modified certificates, injected libraries, edited saves, proxy traffic, and debugger attachment. Verify both client behavior and backend logging.

Can a protected build be tested fully offline?

Only partly. Offline tests can validate local behavior, but licensing, receipts, integrity verdicts, replay checks, telemetry, and ban-risk decisions need backend staging tests.

Should release gates block on every security signal?

No. Block on high-confidence failures that create real risk. Low-confidence signals should usually log, reduce trust, ask the backend, or trigger extra checks.

How to test a protected Unity build before release

A protected Unity build is not just your game plus a security checkbox. It is a different artifact. Code may be renamed, strings may be encoded, control flow may change, files may be signed, saves may be protected, runtime detectors may be active, and the backend may receive new trust signals.

That means the final security test must run against the same build your players will receive. If QA signs off on an unprotected build and protection is added later, you have tested the wrong artifact.

Start with a release threat model

Before testing, decide what the protected build is supposed to defend. A single-player premium game, a mobile free-to-play game, and a competitive multiplayer game do not have the same risk profile.

Write the release threat model in practical language:

Which code paths must be hard to reverse engineer?
Which values must be protected at runtime?
Which files or assets must not be modified silently?
Which server actions must never trust the client?
Which suspicious signals block play, limit rewards, or only log?

This keeps testing focused. You are not proving the build is impossible to attack. You are proving that known attack paths are no longer cheap, silent, or trusted.

Build the exact artifact players receive

Test the final build pipeline, not a local shortcut. For Android this means the same AAB or APK signing path. For PC it means the same release folder, symbols policy, installer, and upload pipeline. For IL2CPP it means the same stripping level and target architecture.

release-matrix.txt

1Artifact:

2- Unity version and scripting backend

3- Mono or IL2CPP

4- Managed stripping level

5- Obfuscator profile and mapping file location

6- Anti-cheat profile and response policy

7- Build number, git commit, and content manifest

8- Signing certificate or store signing track

9- Backend environment and API version

11Rule:

12Only this artifact can pass release security QA.

Keep the mapping file private and attach it to your internal release record. Do not put it in the installer, APK, public symbols archive, or customer support bundle.

Run a static reverse-engineering review

Static review checks what an attacker can learn before running the game. Use common tooling for your platform: decompilers for managed assemblies, binary string scanners, APK analyzers, asset inspection tools, and symbol checks.

static-review-checklist.txt

1Look for:

2- Readable class and method names in managed assemblies

3- Important strings such as endpoints, feature flags, product IDs, and test routes

4- Debug symbols, PDB files, development build flags, and verbose logs

5- Unused admin menus, QA shortcuts, staging URLs, or cheat commands

6- Plain save keys, encryption keys, API secrets, and signing material

7- Asset bundles or config files that can be edited without detection

A healthy protected build should not expose obvious method names like ValidateLicense, AddGems, IsPremiumUnlocked, or SubmitMatchResult. If a tester can find the key business logic with a simple text search, the build is not ready.

Tools such as Obfuscator help reduce this readable surface, but static review is still useful. It verifies the chosen profile, exclusions, and build pipeline worked on the final artifact.

Test Unity reflection and serialization paths

Many protected-build bugs come from names. Unity and third-party systems may find classes, methods, fields, or properties by name. Obfuscation can safely rename many things, but not every name can move.

Run smoke tests for systems that depend on stable names:

Scenes, prefabs, ScriptableObjects, and serialized fields.
Animation events, Timeline signals, UI button callbacks, and SendMessage.
JSON, XML, cloud saves, analytics payloads, and server DTOs.
Dependency injection, modding APIs, addressables, and plugin callbacks.
IL2CPP stripping rules, link.xml, and reflection-heavy SDKs.

SerializationSmokeTest.cs

1[Serializable]

2public sealed class ReceiptPayload

4 public string productId;

5 public string transactionId;

6 public long purchasedAt;

9// Release test:

10// 1. Load an old save.

11// 2. Deserialize a real backend payload.

12// 3. Submit a purchase receipt in staging.

13// 4. Confirm field names still match the contract.

If a field name is part of a file format or network contract, either exclude it from renaming or use explicit serialized names. Do not rely on hope here. Test old data, new data, failed data, and version migration.

Test runtime tamper behavior

Runtime protection should be tested with controlled attacks. The goal is to confirm that the game detects or resists suspicious conditions without creating a false-positive disaster for normal players.

Useful tamper cases include:

Attach a debugger or run with known instrumentation tools.
Edit protected values such as health, premium currency, speed, or cooldowns.
Modify save files, roll saves back, copy saves between accounts, or edit PlayerPrefs.
Change local time, freeze timers, and test offline reward windows.
Replace assets, change bundle hashes, or remove important files.
Proxy API traffic and replay old reward or purchase requests.

For each test, record the expected client action and backend action. A clear anti-cheat signal may close the game. A lower-confidence signal may only log, reduce trust, or ask the backend to limit rewards. Products like Anti-Cheat are most useful when their response policy is tested with real gameplay flows.

Verify backend trust decisions

A protected client can still be modified. Important decisions should reach a backend that validates account state, ownership, timing, replay resistance, receipts, and entitlement. The protected build should send useful signals, but the backend should not blindly trust those signals.

trust-decision.json

2 "buildId": "2026.06.07.4812",

3 "platform": "android",

4 "signatureTrusted": true,

5 "integrityVerdict": "MEETS_DEVICE_INTEGRITY",

6 "debuggerDetected": false,

7 "tamperSignals": [],

8 "requestNonce": "server-issued-one-time-value"

Use staging tests to make sure invalid trust signals actually change server behavior. For example, a suspicious build may be allowed to open menus, but blocked from claiming purchases, ranked rewards, trading, or competitive matchmaking.

Check telemetry and support workflows

Security without observability is hard to operate. Before release, check that protected-build events are visible to your team and safe for player privacy. Logs should help you answer what happened without collecting more data than needed.

At minimum, confirm that you can see:

Build ID, platform, app version, and protection profile.
Integrity, certificate, install-source, and tamper signals.
Backend decision results for blocked or limited actions.
Crash reports decoded with the private mapping file.
False-positive review fields for support and appeals.

Also test your support path. If a protection layer blocks an honest player because of a rooted device, broken store install, old build, or corrupted file, support needs enough information to understand the case.

Define release gates

Finish with release gates. A release gate is a simple rule that says what blocks launch. Without gates, teams often discover issues and still ship because the risk is unclear.

security-release-gates.txt

1Block release if:

2- Protected build cannot complete main progression on any target platform

3- Purchase, receipt, login, or save migration fails after protection

4- Sensitive code names or test endpoints are visible in the release artifact

5- Debug symbols or mapping files are included in public packages

6- High-confidence tamper cases are not logged or handled

7- Backend accepts forged final truth for rewards, balance, rank, or inventory

9Allow release with monitoring if:

10- Signal is low confidence

11- Player impact is limited

12- Backend can reduce trust without blocking honest play

13- Support and telemetry can identify the issue quickly

A protected Unity build is ready when it still plays correctly, exposes less useful information, responds safely to tampering, and gives your backend enough context to make trust decisions. That is the standard to test before release.

Do

Test the final protected, signed, store-ready artifact on real target devices.
Run static review, runtime tamper tests, reflection/serialization smoke tests, and backend trust tests before release.
Define clear release gates so the team knows which security failures block launch.

Don't

Do not approve release based only on an unprotected development build.
Do not publish mapping files, debug symbols, test endpoints, or telemetry secrets with the build.
Do not hard-fail honest players on low-confidence signals without a grace path or server decision.