You can choose to either distribute your AssetBundles with your game or app, or they can be downloaded from remote servers by your game or app. In the latter case, when you download AssetBundles, it’s important to take precautions to prevent AssetBundle data corruption as well as attacks by malicious actors. A common cause of mysterious crashes on user devices comes from data corruption in downloaded AssetBundles. Such situations can cost a large amount of effort and time to diagnose and resolve. And, even though AssetBundles cannot contain executable code, changing serialized data could allow an attacker to exploit a vulnerability in the game code or the Unity runtime.
UnityWebRequestAssetBundle can be used to download and cache AssetBundles from the internet. When using this API you should use the HTTPS protocol in your URL, unless your URL refers to a local web server that runs on the same machine. The HTTP protocol is not secure and is vulnerable to a malicious man in the middle attack.
Unity provides the tools for you to use a checksum to determine that an AssetBundle is not corrupted or modified when downloading it. A 32-bit checksum is generated during the AssetBundle build process and recorded in the .manifest file and exposed by BuildPipeline.GetCRCForAssetBundle. When you use a CRC check, it ensures the AssetBundle data was not corrupted or tampered with after it was built. You must provide this CRC when downloading AssetBundles through UnityWebRequestAssetBundle.GetAssetBundle
so that invalid AssetBundles content cannot make it into the cache. See AssetBundle compression and caching for additional details.
If you download or distribute AssetBundles yourself, and do not use the built-in AssetBundle Cache, then you should be sure to perform integrity checks prior to using any content that you have retrieved. One way to do that is to use the optional parameters on the AssetBundle Load APIs to pass in the expected CRC value. When provided, the loading system calculates the checksum of the uncompressed content of the AssetBundle before loading it. If the CRC of the AssetBundle does not match the provided CRC, the AssetBundle will not load. For AssetBundles compressed with LZ4 this can be costly because it forces the file to be fully decompressed into RAM. For LZMA compressed AssetBundles the load already forces a full content decompression, so performing the CRC check is not a significant additional cost. Overall it can be practical to avoid the cost of CRC calculations by performing the integrity check once, as the file is retrieved and stored on the device, rather than repeating it at each load.
Note: If you are using AssetBundle compressionA method of storing data that reduces the amount of storage space it requires. See Texture Compression, Animation Compression, Audio Compression, Build Compression.
See in Glossary then you shouldn’t use other common hash algorithms (such as md5) to validate your AssetBundle files. This is because Unity sometimes recompresses your AssetBundles even if their contents didn’t change, which means the file content hash may change in cases when the contents of the file are actually still valid. In contrast, the CRC value for an AssetBundle is calculated from its uncompressed content, which remains constant even when the bundle is recompressed.
Note: the AssetBundle hash that a Unity build calculates and stores inside the .manifest is not a hash of the AssetBundle’s full file content. It can be used as a version value for the AssetBundle but is not suitable to use for file corruption detection.
If you allow users to upload content that is distributed to other players (User Generated Content), it is your responsibility to filter this data for inappropriate or malicious content. We do not recommend that you let users build and upload binary AssetBundle files. It is preferable to have your users upload their source assets and let you, the developer, build the AssetBundle binary file for them. This will make it easier for you to filter out malicious or inappropriate content through manual and automated processes. It also enables you to rebuild the AssetBundles as needed if you upgrade to a later Unity version.
Did you find this page useful? Please give it a rating:
Thanks for rating this page!
What kind of problem would you like to report?
Thanks for letting us know! This page has been marked for review based on your feedback.
If you have time, you can provide more information to help us fix the problem faster.
Provide more information
You've told us this page needs code samples. If you'd like to help us further, you could provide a code sample, or tell us about what kind of code sample you'd like to see:
You've told us there are code samples on this page which don't work. If you know how to fix it, or have something better we could use instead, please let us know:
You've told us there is information missing from this page. Please tell us more about what's missing:
You've told us there is incorrect information on this page. If you know what we should change to make it correct, please tell us:
You've told us this page has unclear or confusing information. Please tell us more about what you found unclear or confusing, or let us know how we could make it clearer:
You've told us there is a spelling or grammar error on this page. Please tell us what's wrong:
You've told us this page has a problem. Please tell us more about what's wrong:
Thank you for helping to make the Unity documentation better!
Your feedback has been submitted as a ticket for our documentation team to review.
We are not able to reply to every ticket submitted.
When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.
More information
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. Some 3rd party video providers do not allow video views without targeting cookies. If you are experiencing difficulty viewing a video, you will need to set your cookie preferences for targeting to yes if you wish to view videos from these providers. Unity does not control this.
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.