How can I do this? I have made an online turn-based strategy game where a user gets a JSON API from the server (battle states basically). If I store these inside of a file created in real time for each battle, the user can send it over to me to watch that replay.
What I would basically like to do is store lots of JSONs (or texts) in 1 file, with a custom file extension or encryption so people with right click → open with notepad cannot read it.
I would probably need the encryption key most likely to then import that file in my own client and watch the replay.
Is there some sort of existing guide or solution on this?
I mean, saving the file extension as something different is easy enough. But why the need for the encryption key? Is there some reason you care if they open it?
Yes, there’s a field or two I would like not to be seen by the users, because with these responses they would be able to tinker and try to figure out how they could send fabricated requests to the server, and there’s a field that needs to be hidden because of game reasons. If someone were to be able to catch these JSONs while in-game, they could take a look at it to gain an advantage in the game during their own turn (for example, data can tell the client to hide a player’s visibility, but the JSON API still shows their coordinates). I mean you could do this with software that scans the incoming and outgoing JSONs of an application, but still I’d like to make it as difficult as possible to slow them down.
Honestly, I feel like it would be better to set up a server side solution, but I understand that may not be as easy a solution.
The problem is, anything can be cracked if it’s client side. So depending on how important those pieces of info are, you’re still going to risk it if it’s available on a client’s machine. And anybody with enough reason to do so is going to find a way.
You could also just never save to the user’s device. Keep info in memory or send it to the server. Done correctly, it will still reduce the player’s chance to access the data.
Otherwise, you’ll need to look into some sort of C# encryption. I once used one ages ago just for a leaderboard, but I realized it wasn’t needed and that was a long time ago.
You could use something like FlatBuffers as well which would obfuscate the data a bit.
I have used FlatBuffers more for the speed of accessing the data, but it’s not as human readable. However, again, it wouldn’t stop the determined people.
As someone who has had similar problems in the past I can tell you that no amount of client side shenanigans will spare you the bitter truth that someone will do exactly that. It’s only a matter of time. If you have a lot of players (or if the stakes are high) it happens fast. You are better off assuming your API is public from the start. Now whenever I do an API I start with the mindset of: “How do you prevent them from cheating even if they have access to the API?”
For me the only permanent solution I have found (except for having it all on the server) was to truly validate the data on the server before saving it. To make this happen I tracked their input on the client and sent that together with the actual data. Then the server does some (very rudimentary) plausibility tests. It can still be faked but it is hard.
Another interesting observation I made: If you have any kind of resource in your game then players won’t even bother with editing your savegame. They will just boot up CheatEngine and edit the values in RAM at runtime. I found that out once a “player” posted a YouTube video doing this to my game. It’s so easy to do (2 clicks).
In the end if you are not controlling the client then it’s all just security by obscurity. The question is, how much time and effort are you willing to spend. Maybe a “report cheater” button would suffice. Maybe you need to simulate the whole game on the server. Who knows.
Saving the replays on the servers is easy but I’m afraid it will take up too much database space. I wanted to do it like League of Legends where they store the replays client-side.
Thanks, I’ll look into that.
Yes I know all of this, I have a ton of validations already… but that’s not what this topic is about, it’s just that there’s 1 field I’d rather not have them see, but them seeing it isn’t a big deal. All the important parts are being heavily validated in the server, I don’t trust any user input.
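An added example, not code from any poster in this thread: the hidden-coordinates case described above, handled by having the server build a per-player view of each battle state, so a hidden unit is never in the JSON (or the replay file) that reaches that player. Python and every field name (`rng_seed`, `visible_to`, `units`) are assumptions for illustration, and the sample state is constructed.

```python
import copy
import json

# Constructed sample battle state; every field name here is an assumption.
SAMPLE_STATE = {
    "turn": 7,
    "rng_seed": 918273,  # server-only value: must never leave the server
    "units": [
        {"id": 1, "owner": "alice", "x": 2, "y": 3, "hp": 10, "visible_to": ["alice", "bob"]},
        {"id": 2, "owner": "bob", "x": 8, "y": 1, "hp": 6, "visible_to": ["bob"]},
        {"id": 3, "owner": "bob", "x": 5, "y": 5, "hp": 9, "visible_to": ["alice", "bob"]},
    ],
}

SERVER_ONLY_KEYS = {"rng_seed"}     # top-level keys stripped from every view
UNIT_PRIVATE_KEYS = {"visible_to"}  # per-unit bookkeeping the client does not need


def view_for(state, viewer):
    """Return only the part of `state` that `viewer` is allowed to know."""
    view = {k: copy.deepcopy(v) for k, v in state.items()
            if k not in SERVER_ONLY_KEYS and k != "units"}
    view["units"] = []
    for unit in state["units"]:
        if unit["owner"] != viewer and viewer not in unit["visible_to"]:
            # Hidden enemy unit: omit it entirely instead of sending
            # a "hidden" flag together with its coordinates.
            continue
        view["units"].append({k: v for k, v in unit.items()
                              if k not in UNIT_PRIVATE_KEYS})
    return view


def replay_lines(states, viewer):
    """One player's replay as JSON Lines: many JSON states in one file, one per line."""
    return [json.dumps(view_for(s, viewer), sort_keys=True) for s in states]


if __name__ == "__main__":
    for line in replay_lines([SAMPLE_STATE], "alice"):
        print(line)
```

A replay file written from these lines holds nothing the player was not already entitled to see, so it does not depend on a key shipped inside the client.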