Hello, I’m making a small mobile game and I’m currently implementing Google services leaderboards and achievements. Since the leaderboard is “multiplayer” I think it’s pretty important that the player shouldn’t be able to change the save file to give themselves a massive highscore and become number 1 in the leaderboard. The game should be able to be played without an internet connection too. Right now I’m using a serializable class and a BinaryFormatter, which I’ve heard is very easy to modify. How can I encrypt the save files? Thanks to anyone who responds!
You should not be using binary formatter. It’s unsafe and leaves your program open to security risks.
The only surefire way is to store your save data on your own server, not on the user’s device. Once it’s on their device, you have no control over what can be done with it.
https://www.c-sharpcorner.com/article/encryption-and-decryption-using-a-symmetric-key-in-c-sharp/
Just be aware that this won’t be helpful at all. There are at least three trivial ways to break this: decompile and extract the encryption key, decompile and modify the code to bypass the encryption, and use cheat engine to modify the value directly before it even reaches the save code.
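To make the first of those three attacks concrete, here is an added example (not code from the thread or from the linked article) in Python, since the argument does not depend on the language the game is written in. It encrypts a save with a key embedded in the client and even adds an HMAC tag with that key, then shows that a blind edit is caught but a cheater who has read the key out of the decompiled game forges a save the client accepts without complaint. The constant name, the toy SHA-256 keystream and the sample save data are all constructed for the example; a real AES-GCM implementation would fail in exactly the same way, because the problem is where the key lives, not the algorithm.

```python
import hashlib
import hmac
import json
import os

# Assumption for this example: the game embeds its key as a constant. Anyone who
# unpacks the APK and decompiles the game code can read it straight out.
CLIENT_KEY = b"super-secret-key-shipped-in-the-apk"
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Illustration only;
    a shipping build would use AES-GCM, and nothing in the argument would change."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_save(save: dict, key: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC, same client key)."""
    nonce = os.urandom(NONCE_LEN)
    plaintext = json.dumps(save, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_save(blob: bytes, key: bytes) -> dict:
    """Verify the tag, then decrypt. Raises ValueError on tampering done WITHOUT the key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("save file failed integrity check")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt.decode())


def blind_edit_is_rejected(blob: bytes) -> bool:
    """A cheater who does NOT have the key and just flips a byte is caught.
    That, and only that, is what the MAC buys you."""
    broken = bytearray(blob)
    broken[NONCE_LEN] ^= 0xFF  # corrupt the first ciphertext byte
    try:
        decrypt_save(bytes(broken), CLIENT_KEY)
    except ValueError:
        return True
    return False


def attacker_forges_save(blob: bytes, leaked_key: bytes, new_score: int) -> bytes:
    """Attack 1 from the post: decompile, extract CLIENT_KEY, decrypt, edit,
    re-encrypt and re-sign. The tag verifies because it was made with the
    same key the game itself uses."""
    save = decrypt_save(blob, leaked_key)
    save["high_score"] = new_score
    return encrypt_save(save, leaked_key)


def demo() -> dict:
    honest = {"player": "alice", "high_score": 1234}  # constructed sample save
    on_disk = encrypt_save(honest, CLIENT_KEY)
    forged = attacker_forges_save(on_disk, CLIENT_KEY, 999_999_999)
    return {
        "blind_edit_rejected": blind_edit_is_rejected(on_disk),
        "forged_save_accepted_by_game": decrypt_save(forged, CLIENT_KEY),
    }
```

Run `demo()`: the byte-flipped file is rejected, while the forged file decrypts to a nine-digit high score and the client has no way to tell it from the honest one. The second and third attacks in the post (patching out the check, or editing the score in memory with Cheat Engine) need no code at all, which is why no amount of client-side crypto changes the outcome.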
Like @spiney199 mentioned, you need a server for validation. Without it your game is wide open to cheating. If you can’t afford a server, just remove the leaderboard or restrict it to the device it’s on.
If you’re concerned about the user ‘hacking your save files,’ or ‘cheating in your game,’ who is playing on their computer, just don’t be. There’s nothing you can do about it. Nothing is secure; it is not your computer, it is the user’s computer. If it must be secure, store it on your own server and have the user connect to download it.
Anything else is a waste of your time and the only person you’re going to inconvenience is yourself when you’re debugging the game and you have savegame errors. Work on your game instead.
Remember, it only takes one 12-year-old in Finland to write a script to read/write your game files and everybody else can now use that script. Read about Cheat Engine to see more ways you cannot possibly control this.
Although Kurt-dekker is probably correct, the game will be on phones exclusively, as an .APK. Does that matter at all? Also, wouldn’t it be smart to at least obfuscate the encryption in a .dll?
APKs are just fancy zip files. There’s nothing to stop anyone from just unpacking them.
Obfuscation is limited almost entirely to just renaming everything (methods, variables, etc). If the game is complex it might slow someone down but it won’t stop them. A number of years ago I decompiled a project with the purpose of fixing a bug that was annoying me. I wasn’t slowed in the slightest and I wasn’t that experienced at the time.
Yes, but doesn’t Unity first compile to C++, and only then to native iOS and Android? When you unpack an APK it’s all in Java; wouldn’t it be pretty awful to try to get the Unity project back from that? I will still add some basic protection, just in case. It’s like leaving your house for a long time: someone can always break in, but it’s still helpful if you close your door and windows.
That’s not a good analogy, because in this case you know for sure that someone is going to break in and then leave the doors and windows open for everyone else.
Your focus with leaderboards should be on silently segregating cheaters from legitimate players:
- Don’t try to limit the range of scores that can be submitted. Do your best to accept any score, no matter how ridiculous, so that cheaters end up fighting amongst themselves in the billions and trillions
- Offer the player friends leaderboards rather than global ones
- Show the scores around the player rather than the top ones
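The three points above fit together as one server-side data structure. What follows is an added example, not code from the thread or from Google Play Games: a minimal Python leaderboard (Python rather than C# because this lives on the server, not in the Unity client) that accepts any integer score without clamping, computes a player's rank, returns the window of entries around that player, and can restrict that window to a friends list. The class, method names and the sample players, including the cheater's absurd score, are all constructed for this illustration.

```python
import bisect


class Leaderboard:
    """Server-side leaderboard. Entries are kept ascending as (score, player)
    so bisect can place and rank them; ties are broken by player name."""

    def __init__(self):
        self._entries = []  # sorted ascending list of (score, player)
        self._best = {}     # player -> best score submitted so far

    def submit(self, player: str, score: int) -> None:
        """Accept any int, however absurd. Only the type is checked: an
        impossible magnitude is not rejected, it is stored as-is and lands
        far above anyone playing honestly, where cheaters compete with each
        other instead of with real players."""
        if isinstance(score, bool) or not isinstance(score, int):
            raise TypeError("score must be an int")
        old = self._best.get(player)
        if old is not None:
            if score <= old:
                return  # not an improvement; keep the existing best
            self._entries.remove((old, player))  # O(n); fine for an example
        self._best[player] = score
        bisect.insort(self._entries, (score, player))

    def rank(self, player: str) -> int:
        """1-based rank with the highest score first."""
        idx = bisect.bisect_left(self._entries, (self._best[player], player))
        return len(self._entries) - idx

    def top(self, n: int):
        """The global top-N view the post advises against showing: this is
        where the cheaters sit."""
        return [(p, s) for s, p in reversed(self._entries[-n:])]

    def around(self, player: str, radius: int = 1, friends=None):
        """Entries just above and below the player, highest first. When a
        `friends` set is given, only those players (plus the viewer) appear,
        which is the friends-leaderboard view from the post."""
        desc = [(p, s) for s, p in reversed(self._entries)]
        if friends is not None:
            allowed = set(friends) | {player}
            desc = [e for e in desc if e[0] in allowed]
        pos = next(i for i, (p, _) in enumerate(desc) if p == player)
        lo = max(0, pos - radius)
        return desc[lo:pos + radius + 1]


def demo() -> dict:
    board = Leaderboard()
    # Constructed data: four honest players and one cheater with a forged score.
    for player, score in [("alice", 1200), ("bob", 1500), ("carol", 900),
                          ("dave", 1300), ("h4x0r", 10**12)]:
        board.submit(player, score)
    board.submit("alice", 1000)  # a lower score is ignored; the best is kept
    return {
        "top": board.top(3),
        "alice_rank": board.rank("alice"),
        "around_alice": board.around("alice"),
        "friends_around_alice": board.around("alice", friends={"bob", "carol"}),
    }
```

With the sample data, `top(3)` puts the cheater at #1, which is what an honest player would see on a global board; `around("alice")` shows dave, alice and carol, and the friends view shows bob, alice and carol, so the forged trillion never appears on alice's screen at all. The ranks are still computed over the full list, so nothing is thrown away and nobody is told they were filtered.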