#begin

Some time ago I wrote a Unity3D plugin to use the LastPass password manager in the editor and at runtime. I have not written or published anything about it yet, so I might as well write a blog post about it. So in this blog I will take you through the process of writing this LastPass-Unity plugin, what triggered me to write it, choices I made in the design and how to use it in your project. I wrote quite a comprehensive README file which I think should be sufficient, so I will be referring back to it quite a lot in this post.

Rationale

There have been many projects I worked on, or am working on, where the Unity3D app needs to connect to some backend. These backends often require passwords, which are randomly generated for security purposes. Now, remembering one or two of these passwords is easy, but when you are working on multiple projects, with multiple users (with different access rights) per backend, the number of passwords I need to remember is too much.

So, as any sane person, I use some password manager to keep these passwords in a centralized place so I only need to remember one. The password manager I use is called LastPass and it works perfectly well in its supported environments like webpages and some native mobile apps. However, the Unity3D input fields are not recognized by the LastPass app, and thus cannot be filled with the desired credentials. So what you end up doing is copy-pasting the credentials from the LastPass “vault” to your Windows app, or if on mobile, you will need to type them yourself (which can be really annoying when you have a 16 character randomly generated password).

With LastPass-Unity you are able to access your LastPass vault straight from the Unity3D editor and it is supported for Linux, Windows (10), MacOS, Android and iOS (experimental). When I started to write this I thought it wouldn’t cost me that much time, but I encountered some issues rather quickly.

How to access LastPass?

Yeah, that was the first question I needed to answer. I quickly found out that LastPass does not offer a public API. There is, however, a library on GitHub called LastPassSharp that offers access to the vault. It is an unofficial API, but I took my chances. It works perfectly well, although it is rather slow since everything is run on the main thread: the requests, decryption, everything. I made some changes to the library to support threading in a “unity safe” manner, meaning I added some callback logic to enter the One-Time-Passcode (OTP), or show status updates, which must run on the main thread or Unity will start complaining. To do this I implemented a “dispatcher” which just implements a simple queue you can add lambdas to, and when an item is dequeued it is run on the main thread. So now I can run the HTTP requests and decryption on another thread, and fire the callbacks through my dispatcher.
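The dispatcher and the OTP callback described above, sketched as an added example (this is not the plugin's or LastPassSharp's code). MainThreadDispatcher, LoginWorker and the two delegate parameters are hypothetical names; the worker thread only ever hands UI work to the queue and waits for the code the user typed.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using UnityEngine;

// Added example; all type and method names here are hypothetical.
public class MainThreadDispatcher : MonoBehaviour
{
    static readonly ConcurrentQueue<Action> Pending = new ConcurrentQueue<Action>();

    // Safe to call from any thread.
    public static void Enqueue(Action action)
    {
        if (action == null) throw new ArgumentNullException(nameof(action));
        Pending.Enqueue(action);
    }

    // Unity calls Update on the main thread once per frame.
    void Update()
    {
        while (Pending.TryDequeue(out Action action))
        {
            // One failing callback must not drop the callbacks queued after it.
            try { action(); }
            catch (Exception e) { Debug.LogException(e); }
        }
    }
}

public static class LoginWorker
{
    // showOtpPrompt runs on the main thread and calls its argument with the code the user typed.
    // verifyOtp stands in for the network request and decryption done off the main thread.
    public static Task<bool> LoginAsync(Action<Action<string>> showOtpPrompt,
                                        Func<string, bool> verifyOtp)
    {
        return Task.Run(() =>
        {
            var otp = new TaskCompletionSource<string>();
            // UI work is handed to the main thread; the worker never touches Unity objects.
            MainThreadDispatcher.Enqueue(() => showOtpPrompt(code => otp.TrySetResult(code)));
            // Blocks only this worker thread until the user submits the code.
            string entered = otp.Task.Result;
            return verifyOtp(entered);
        });
    }
}
```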

Now, still, using this unofficial API did not feel right. There must be some cleaner solution to the access problem. Then I found out about the lastpass-cli, which is a simple CLI tool to access everything in your LastPass account. So, I set out to create some C# interface around it. The problem here, however, is that installing the CLI is highly platform dependent and it is not accessible on mobile platforms… My first thought was to just skip this, which I did, because I wanted to get a proof of concept running first (by just using the LastPassSharp library).

The Master (password) problem.

Although I quickly got a proof of concept to work, I had one major problem to solve: where to persist the LastPass master password? The “master password” is the password that unlocks your password vault and allows you to see the credentials in plain text. I needed a way to persist this password safely because, if the master password is compromised, all passwords are compromised. Now, usually I will store things like this in the Unity PlayerPrefs or on the PersistentDataPath. However, in this case I do not like this solution because these “places” are protected/internal to the specific app you are using. So if you want to use the LastPass plugin in multiple projects, you need to log in multiple times since the storage of the master password is local to the app. Then still, saving this master password in one of these areas did not feel right since it is not secure enough, so I searched for a better solution.

I quickly gravitated towards a solution I use on my OS (Linux), the keychain… However, there are no C# libraries that allow access to the keychain, so I needed to write this myself. I wrote an abstraction that starts a terminal window and runs one, or multiple commands and then returns the output. This worked nicely so now I could save the master password in a safe spot, native to my OS, Linux.
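One way to wrap a keyring CLI from C# without exposing the secret, as an added example (not the plugin's own code). It assumes libsecret's `secret-tool` is on the PATH with an unlocked keyring, which the post does not name; the class name and attribute values are hypothetical. The secret is written to the tool's stdin, so it never appears in the process arguments, and only constant strings go on the command line.

```csharp
using System;
using System.Diagnostics;

// Added example; assumes libsecret's `secret-tool` is installed (an assumption,
// the post does not say which keychain CLI it uses on Linux).
public static class LinuxKeyringExample
{
    // Fixed lookup attributes (hypothetical values). No user input reaches argv.
    const string Attributes = "service lastpass-unity-example account master";

    public static void Store(string secret)
    {
        // `secret-tool store` reads the secret from stdin, so it is not visible
        // to other users through the process list.
        Run("store --label=\"LastPass-Unity example\" " + Attributes, secret);
    }

    public static string Lookup()
    {
        // Returned exactly as the tool wrote it; nothing is trimmed or logged.
        return Run("lookup " + Attributes, null);
    }

    static string Run(string arguments, string stdin)
    {
        var psi = new ProcessStartInfo
        {
            FileName = "secret-tool",
            Arguments = arguments,
            UseShellExecute = false,   // no shell, so no shell interpretation of arguments
            CreateNoWindow = true,
            RedirectStandardInput = true,
            RedirectStandardOutput = true,
        };
        using (var process = Process.Start(psi))
        {
            if (stdin != null) process.StandardInput.Write(stdin);
            process.StandardInput.Close();
            string output = process.StandardOutput.ReadToEnd();
            process.WaitForExit();
            if (process.ExitCode != 0)
                throw new InvalidOperationException(
                    "secret-tool exited with code " + process.ExitCode);
            return output;
        }
    }
}
```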

How am I going to do this on Windows? I needed something similar for Windows, and fortunately Windows has something called the “Credential Manager”. I quickly found a package on NuGet that allows access to the Credential Manager, so my problems for Windows were solved pretty easily. Then, however, MacOS remained, yet I do not own any Apple hardware. So I had to go through all the trouble of setting up a MacOS virtual machine. This was quite a horrible experience but I managed to get multiple versions of MacOS running in VirtualBox. It did not take much time to get access to the security CLI as I did for Linux, so I solved the problem of storing the master password in a secure place on all platforms I wanted.

LastPass-CLI

Implementing the master password storage across multiple platforms gave me some more insight into how to implement the lastpass-cli, so I chose to have another look at it. I first started with Linux since it is my primary OS and the implementation was done without major issues. Everything worked out as expected. Another little bonus is that the CLI is quite a bit faster than the LastPassSharp library I was using. However, there is one major problem with this approach: the user needs to install the LastPass-CLI tool. I added some options in my Unity editor window to automate the installation, yet the fact remains that the end user, the actual player of your game, still has to install the CLI tool in order for it to be accessible at run-time. I do not yet have a solution for this; maybe when people start asking for it, I will implement a way to fully automate it and make it install off the main thread.

Next, I implemented it for Windows. A problem here, however, was that the lastpass-cli was only accessible for Linux-based systems, but there were options to install it under Cygwin. This did not feel right so I searched for another option and discovered that I could use the Ubuntu sub-system in Windows 10. This seems to be the cleanest solution for now, however the LastPass-Unity plugin is now dependent on the subsystem. Yet, there is no other practical option to get the CLI running under Windows, so it is the best I have got. Lastly, there was MacOS. The LastPass-CLI docs say that the easiest way to install the CLI is through brew. So, I tried to install the CLI through brew, and then found out brew was not even pre-installed on a Mac. I did not know this (haha), I thought brew came pre-installed with MacOS. So I needed to detect if brew was installed, if not, install it, and then install the lastpass-cli. After finally fully automating the brew installation I found out that I was running a version of MacOS (High Sierra) which the lastpass-cli did not support… The forums suggested people should upgrade to Catalina… So I had to go through that dreaded VM installation process again. When I finally got that running again, support for MacOS was implemented quickly. However, High Sierra is unsupported for now, and probably older versions too.

Android Support

Next I needed to find a solution to store the master password on Android. I expected there would be a keychain-like system for Android too, but I was quickly disappointed. Android has native systems for encryption, a system called KeyStore, and a system called the Shared Preferences, which are suggested to use to implement a keychain-like system. The idea is to use the KeyStore to generate encryption keys and then store the result of the encrypted value in the Shared Preferences of the Android OS. This is exactly what I needed so I created a simple Unity3D compatible Android library that would allow me to save the master password for Android. You can check the Android library out here and the Unity Plugin here. The Unity plugin simply offers a facade class to access the Android library.

iOS Support

Since I do not own any Apple hardware it is quite difficult to write, let alone test, software that is supposed to run on iOS. Fortunately, I found a Unity3D plugin that does exactly what I need, this one. I added it to my repo, added a facade class for it and called it a day. I have no way of testing this properly, but I expect bugs to be filed in this regard… sadly..

How to use LastPass-Unity?

First, you need to pull my project either as a submodule, or simply download the .zip file and extract it in your project. Next, you follow the steps in the README. It will guide you through the installation process of the plugin depending on your platform. As I said, I’m not a fan of being dependent on the Ubuntu subsystem for Windows but if feature requests come in, I will definitely take another look at it. I have some ideas on how to automate the installation but I’ve not yet started on this.

When the installation has succeeded you need to generate what I call the LastPass Config file, which is a ScriptableObject (SO). This config keeps some parameters for the plugin to use, such as whether to use the CLI or the LastPassSharp library. If you choose not to use the CLI, you will not be required to install it, which saves you the trouble of installing the Ubuntu subsystem ;). It also keeps track of some important prefabs that are used while logging in, Second Factor Authentication, suggesting passwords to users and flagging the software as trusted to LastPass.

Another important aspect of the config SO is that it holds some filters. These filters are used to check whether passwords in the LastPass vault should be used in the app. So, do not forget to add your backend URL(s) to the filters. When a login is successful, the used email address is automatically added to the filters for next use, so you only ever have to log in once!

When both the installation and config setup are successful you are able to log in to LastPass from the editor window. This will make sure LastPass-Unity is always logged in when you are testing your game, which will save you the trouble of copy-pasting all those passwords. This will save you a lot of time :).

LastPass-Unity comes with some pre-defined prefabs which include a prefab called the Form. This Form is the default login prefab for LastPass-Unity. When you select either the username or password fields you will be prompted with the suggested passwords that match the filters you defined in the config.

Conclusion

With this blog post I wanted to write something about the journey of building this Unity3D plugin. More in-depth details about the LastPass-Unity plugin can be found here. When I started to write this plugin I thought it would be done rather quickly, because, let’s be honest, it’s not rocket science to show some popups with strings to use in an app. I quickly found out that it would be different but I wanted to get everything to work. I spent a lot of time to get everything working on all the different platforms. I’ve learned a great deal from conjuring all the CLI magic and writing this native Android plugin. I wrote a native plugin before, a long time ago, so it was nice to refresh my knowledge.

I hope, after you read this, you will give my plugin a try and use it in your future projects.

Thanks!

#end

01010010 01110101 01100010 01100101 01101110
