AssetBundles can be distributed with your game build, but can also be downloaded from remote servers. When downloading AssetBundles, you should take precautions to prevent AssetBundle data corruption as well as attacks by malicious actors. Even though AssetBundles cannot contain executable code, changing serialized data could allow an attacker to exploit a vulnerability in the game code or the Unity runtime.
UnityWebRequestAssetBundle can be used to download and cache AssetBundles from the internet. When using this API you should use the HTTPS protocol in your URL, unless your URL refers to a local web server that runs on the same machine. The HTTP protocol is not secure and is vulnerable to man-in-the-middle attacks.
A 32-bit checksum is generated during the AssetBundle build process. When you provide this CRC through the AssetBundle loading APIs, the loading system calculates the checksum of the AssetBundle before loading it. If the CRC of the AssetBundle does not match the provided CRC, the AssetBundle will not load. Checking the CRC ensures the AssetBundle data was not corrupted or tampered with after it was built.
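The following added example (not part of the original page) combines the two recommendations above: it refuses any URL that is not HTTPS unless it points at the local machine, and it passes the build-time CRC to `UnityWebRequestAssetBundle.GetAssetBundle`. The class name `SecureBundleLoader`, the fields `bundleUrl` and `expectedCrc`, and the example URL are assumptions made for illustration.

```csharp
using System;
using System.Collections;
using UnityEngine;
using UnityEngine.Networking;

// Added example: SecureBundleLoader, bundleUrl and expectedCrc are hypothetical names.
public class SecureBundleLoader : MonoBehaviour
{
    // Placeholder URL (assumption); replace with your own content server.
    [SerializeField] private string bundleUrl = "https://cdn.example.com/bundles/level1";
    // CRC recorded when the bundle was built (assumption: shipped inside the game build).
    [SerializeField] private uint expectedCrc;

    private IEnumerator Start()
    {
        yield return LoadBundle(bundleUrl, expectedCrc, b => Debug.Log($"Loaded {b.name}"));
    }

    // HTTPS is always accepted; plain HTTP only for a web server on the same machine.
    public static bool IsAllowedUrl(string url)
    {
        if (!Uri.TryCreate(url, UriKind.Absolute, out Uri uri)) return false;
        if (uri.Scheme == Uri.UriSchemeHttps) return true;
        return uri.Scheme == Uri.UriSchemeHttp && uri.IsLoopback;
    }

    public static IEnumerator LoadBundle(string url, uint crc, Action<AssetBundle> onLoaded)
    {
        if (!IsAllowedUrl(url))
        {
            Debug.LogError($"Refusing non-HTTPS AssetBundle URL: {url}");
            yield break;
        }
        if (crc == 0)
        {
            // A CRC of zero makes the loading system skip the checksum comparison.
            Debug.LogError("Refusing to load an AssetBundle without an expected CRC.");
            yield break;
        }
        using (UnityWebRequest request = UnityWebRequestAssetBundle.GetAssetBundle(url, crc))
        {
            yield return request.SendWebRequest();
            // No bundle is returned if the download failed or the data could not be
            // loaded, for example because its CRC did not match the expected value.
            AssetBundle bundle = request.result == UnityWebRequest.Result.Success
                ? DownloadHandlerAssetBundle.GetContent(request) : null;
            if (bundle == null) { Debug.LogError($"AssetBundle rejected: {request.error}"); yield break; }
            onLoaded(bundle);
        }
    }
}
```

A 32-bit CRC is an error-detecting code rather than a cryptographic digest, so the expected value should itself reach the client through a trusted channel, such as the game build or an HTTPS request.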
If you allow users to upload content that is distributed to other players (User Generated Content), it is your responsibility to filter this data for inappropriate or malicious content. We do not recommend that you let users build and upload binary AssetBundle files. It is preferable to have your users upload their source assets and let you, the developer, build the AssetBundle binary file for them. This will make it easier for you to filter out malicious or inappropriate content through manual and automated processes. It also enables you to rebuild the AssetBundles as needed if you upgrade to a later Unity version.