Is it possible to create a secure leaderboard?

I'm using PlayFab to have a leaderboard for my game that players can access when they play the game. Is this secure enough?

What are your requirements to consider it "secure enough"?

Generally speaking, there is no bulletproof way to stop people from either a) hacking your game client and then using it to submit cheated scores or b) creating something that pretends to be your game and doing the same. Everything your game uses to identify itself is shipped with your game or made available to a player's device at some point, so it can be intercepted and copied.

So, since being bulletproof isn't really an option, what are your goals? Eg: "I want to minimise the chances of hackers damaging the game's economy".

Also, knowing what type of game you're making would be a help. ;)

[quote=“angrypenguin”, post:2, topic: 858204]
What are your requirements to consider it “secure enough”?

Generally speaking, there is no bulletproof way to stop people from either a) hacking your game client and then using it to submit cheated scores or b) creating something that pretends to be your game and doing the same. Everything your game uses to identify itself is shipped with your game or made available to a player’s device at some point, so it can be intercepted and copied.

So, since being bulletproof isn’t really an option, what are your goals? Eg: “I want to minimise the chances of hackers damaging the game’s economy”.

Also, knowing what type of game you’re making would be a help. ;)
[/quote]
It’s a sidescroll-style game, and there are leaderboards that can rank you based on points, style points, or other achievements.

I guess there’s no way to 100% prevent hacking, I was just wondering if what PlayFab has to offer in terms of security is good enough or if I need something else, because when you enable leaderboards to have a user send their score over, a warning that says “Enabling this feature may allow clients to cheat.” pops up.

If you're using a 3rd party leaderboard, most likely your game itself is less secure than the leaderboard. If a player can hack the game to give themselves a ridiculous amount of points, that will be sent by the game to the leaderboard as if it is a legitimate score.

1 Like

Yes and no. It’s not that you need something else but that you need something more. You need to secure your game against people who will modify it and the memory it uses to cheat. There are assets on the store like Anti-Cheat Toolkit and Obfuscator that can help with most of this.

https://assetstore.unity.com/packages/tools/utilities/anti-cheat-toolkit-2021-202695
https://assetstore.unity.com/packages/tools/utilities/obfuscator-48919

Beyond that the only other thing left would be to pass code to PlayFab that verifies if the score being passed to the leaderboard can be achieved before posting it. This requires understanding exactly how much score a person can obtain given a level and a period of time.

1 Like

If your game is producing score values in the player’s devices, then sending it to the server, there’s no way the leaderboard can be made truly secure, because everything a player needs to write whatever value they want into the leaderboard is inside the game which they can eventually hack their way into. Your game client is the weakest link on this chain, always.

The only way to produce a somewhat secure leaderboard is if your game runs its logic entirely in a dedicated server, which is overkill for a single player 2D sidescroller.

There are ways to limit the damage:

  • Avoid permanent global leaderboards, so hacked scores eventually disappear when the board resets.
  • Prefer/focus on friends leaderboards.

A more complex solution is having a server calculate the score based on data recorded during the gameplay session. This depends entirely on your game design and how complicated you can afford to make it to be. For example, if the game involves collecting items or killing enemies to gain points, it can generate a list of time stamps of each one of those events, and the server can use that to calculate the score while checking for impossible values.

3 Likes
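
The server-side checks suggested in the two replies above (verify that a score is achievable for the level and time, and recompute it from timestamped events), sketched as an added example that is not part of any post in this thread. The rule table, field names and `validateRun` are hypothetical, and no PlayFab API is used.

```javascript
// Hypothetical per-level rules kept on the server, never shipped in the client.
const LEVEL_RULES = {
  "level-1": {
    maxDurationMs: 300000, // longest run the level allows
    events: {
      coin:  { points: 10,  maxCount: 50, minGapMs: 100 },
      enemy: { points: 100, maxCount: 8,  minGapMs: 1500 },
    },
  },
};

// Recompute the score from the client's event log and reject impossible runs.
// run = { level, durationMs, claimedScore, events: [{ t, type }] } (constructed shape)
function validateRun(run, rulesByLevel = LEVEL_RULES) {
  const rules = rulesByLevel[run.level];
  if (!rules) return { ok: false, reason: "unknown level" };
  if (!Number.isInteger(run.durationMs) || run.durationMs <= 0 ||
      run.durationMs > rules.maxDurationMs) {
    return { ok: false, reason: "bad duration" };
  }
  if (!Array.isArray(run.events)) return { ok: false, reason: "bad events" };

  let score = 0, prevT = 0;
  const counts = {}, lastSeen = {};
  for (const ev of run.events) {
    const known = ev && Object.prototype.hasOwnProperty.call(rules.events, ev.type);
    if (!known) return { ok: false, reason: "unknown event type" };
    const rule = rules.events[ev.type];
    if (!Number.isInteger(ev.t) || ev.t < prevT || ev.t > run.durationMs) {
      return { ok: false, reason: "timestamp out of order or range" };
    }
    if (lastSeen[ev.type] !== undefined && ev.t - lastSeen[ev.type] < rule.minGapMs) {
      return { ok: false, reason: "events too close together" };
    }
    counts[ev.type] = (counts[ev.type] || 0) + 1;
    if (counts[ev.type] > rule.maxCount) {
      return { ok: false, reason: "more events than the level contains" };
    }
    lastSeen[ev.type] = prevT = ev.t;
    score += rule.points;
  }
  if (score !== run.claimedScore) return { ok: false, reason: "score mismatch", score };
  return { ok: true, score }; // only this server-computed score goes on the board
}
```

A fabricated log that stays within the rules still passes, so this bounds what can be submitted rather than proving the run was played.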

Are you running comps for money? Do you want to show just friend scores? Do you want people to compete for global #1? You’d take a different approach for each.

1 Like

[quote=“Ryiah”, post:5, topic: 858204]
Yes and no. It’s not that you need something else but that you need something more. You need to secure your game against people who will modify it and the memory it uses to cheat. There are assets on the store like Anti-Cheat Toolkit and Obfuscator that can help with most of this.

https://assetstore.unity.com/packages/tools/utilities/anti-cheat-toolkit-2021-202695
https://assetstore.unity.com/packages/tools/utilities/obfuscator-48919

Beyond that the only other thing left would be to pass code to PlayFab that verifies if the score being passed to the leaderboard can be achieved before posting it. This requires understanding exactly how much score a person can obtain given a level and a period of time.
[/quote]
This sounds great, thank you

[quote=“Neto_Kokku”, post:6, topic: 858204]
If your game is producing score values in the player’s devices, then sending it to the server, there’s no way the leaderboard can be made truly secure, because everything a player needs to write whatever value they want into the leaderboard is inside the game which they can eventually hack their way into. Your game client is the weakest link on this chain, always.

The only way to produce a somewhat secure leaderboard is if your game runs its logic entirely in a dedicated server, which is overkill for a single player 2D sidescroller.

There are ways to limit the damage:

  • Avoid permanent global leaderboards, so hacked scores eventually disappear when the board resets.
  • Prefer/focus on friends leaderboards.

A more complex solution is having a server calculate the score based on data recorded during the gameplay session. This depends entirely on your game design and how complicated you can afford to make it to be. For example, if the game involves collecting items or killing enemies to gain points, it can generate a list of time stamps of each one of those events, and the server can use that to calculate the score while checking for impossible values.
[/quote]
So I could set a timestamp on stuff? That works

[quote=“angrypenguin”, post:7, topic: 858204]
Are you running comps for money? Do you want to show just friend scores? Do you want people to compete for global #1? You’d take a different approach for each.
[/quote]
The latter two.