For offline games that have a leaderboard only for the scores, I’m curious what they do to prevent cheaters if anything? If your score is calculated by 20+ variables, it seems crazy to have to implement server checks for everything.
Is just having a cap on the score and having a daily refreshed leaderboard enough in your experience? I’d want something that I don’t have to maintain. I’ve only implemented leaderboards in game jams and they have been hacked every single time lol.
Offline games don’t have leaderboards as there is typically only one player. Can you elaborate? What 20 variables are you referring to? Generally there is only one variable for the score. Where are you storing the local score for an offline game? PlayerPrefs is easy to implement but easy to hack. But for an offline/single-player game, generally you don’t worry about it.
Spelunky 1/2 and Sonic Generations both beg to differ, as they’re offline games with speedrun leaderboards, for instance.
The answer to this is, unfortunately, two-fold, and neither of them are particularly fun or elegant. First off, what you’ll probably want to do is have some form of sanity check in place. This should usually be more complex than just a cap, but instead be based on something like (depending on how your game works) input tracking (see: Doom 1993’s demo files), player movement tracking (making sure that the player is always moving within the limits of their ability within a certain margin of error), and final time tracking (at least this one’s obvious).
Now, you can’t immediately discard things based on these (unless they fall well outside of the margin of error), and will have to do the dreaded, most effective method of keeping a leaderboard clean: human moderation.
Things that fall outside of the margin of error for those values you set, usually weighted on potential exploit severity, should have the leaderboard results flagged for manual review before being posted to the main leaderboards. If they can be confirmed as accurate, you can have them pushed to the leaderboards actual. I wouldn’t be surprised if some online services have some form of data analysis systems that could make this easier, but that falls outside my wheelhouse.
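The triage described in the post above, sketched as an added example (not code from any poster or game): a submitted movement trace and final time are checked against limits, runs slightly outside the margin of error are flagged for manual review, and runs far outside it are rejected. All limits, names and sample runs are assumptions made up for the illustration.

```python
from dataclasses import dataclass

# All limits are assumed, game-specific values chosen for illustration.
MAX_SPEED = 8.0        # fastest legitimate movement, units per second
MARGIN = 0.10          # tolerated margin of error (10%)
HARD_FACTOR = 2.0      # beyond MAX_SPEED * HARD_FACTOR is "well outside"
MIN_FINAL_TIME = 30.0  # fastest plausible completion time, seconds
ORDER = ["accept", "review", "reject"]

@dataclass
class Sample:
    t: float  # seconds since the run started
    x: float
    y: float

def triage(samples, final_time):
    """Return (verdict, reasons); verdict is accept, review or reject."""
    verdict, reasons = "accept", []

    def escalate(level, why):
        nonlocal verdict
        verdict = max(verdict, level, key=ORDER.index)  # keep the worst verdict
        reasons.append(why)

    if len(samples) < 2:
        return "reject", ["no movement trace submitted"]
    for a, b in zip(samples, samples[1:]):
        dt = b.t - a.t
        if dt <= 0:
            escalate("reject", f"timestamps not increasing at t={b.t}")
            continue
        speed = ((b.x - a.x) ** 2 + (b.y - a.y) ** 2) ** 0.5 / dt
        if speed > MAX_SPEED * HARD_FACTOR:
            escalate("reject", f"speed {speed:.1f} far beyond limit at t={b.t}")
        elif speed > MAX_SPEED * (1 + MARGIN):
            escalate("review", f"speed {speed:.1f} over limit at t={b.t}")
    if abs((samples[-1].t - samples[0].t) - final_time) > MARGIN * final_time:
        escalate("review", "final time disagrees with movement trace")
    if final_time < MIN_FINAL_TIME:
        escalate("review", "final time faster than any known run")
    return verdict, reasons

# Constructed sample runs.
CLEAN = [Sample(0, 0, 0), Sample(10, 70, 0), Sample(20, 140, 0), Sample(40, 280, 0)]
EDGE = [Sample(0, 0, 0), Sample(10, 95, 0), Sample(40, 300, 0)]
TELEPORT = [Sample(0, 0, 0), Sample(1, 100, 0), Sample(40, 300, 0)]
```

Only "review" results need a human; the reasons list tells the moderator where in the run to look.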
Interesting, “Spelunky 1/2 and Sonic Generations both beg to differ, as they’re offline games with speedrun leaderboards, for instance” For my understanding, do you mean by manually submitting your score to the (online) speedrun website?
They’re offline games in that they’re singleplayer games with leaderboard options. They’re still submitted online through the game, but the former actually do validation checks while the latter does not. I thought it was pretty clear this is what the OP meant.
Sorry I’m still not following. So these purely offline games have “hard-coded” other users that never update after installation? And you only see your own true score? So why keep anyone from hacking their own game score if you are the only one that is going to see it?
You are playing a single player game. You get a score for the level you played. The score gets sent to an online database where you can compare your score against other players.
Players are not interacting with each other in the game ever. But they compare scores and in order to do that, the game has to interact with the internet somehow.
The term online/offline is causing a hangup. You could argue it either way, but no sense arguing about the meaning of words unless we are all about to start a big project together.
Uh, you’re working in a game engine company, and this is something you’re supposed to know.
A classic arcade approach would be a game with predefined high score values, where the player can contribute their score as well. The score is local and is not uploaded anywhere.
A more modern approach is where the score is uploaded online, even when the game is played offline. This can be seen in, for example, Pistol Whip and is common in fighting games.
To be very clear, I’m talking about a completely offline game with zero internet access during live play or otherwise so there is no “contributing”. And you’ve confirmed what I said earlier, there are “hard-coded” high values in such an offline game so we are in agreement. So again, there is little need to check for cheating in such a game that is “local and not uploaded anywhere” unless you monetize your game with ads or similar, and the cheat bypasses that logic. You generally only need to check for cheating with an online game that tracks real multiple-user gameplay during live play or after, or playing such a game offline. Then there is a very real need.
This thread is a real face palm job!
I think the original question is about an offline game with (optional) ONLINE leader board.
An online connection is only required to submit and retrieve high scores to compare all users. This really is quite common.
The issue is that you often will see a high score of 5,000,000 when the only realistic high score is 100,000! Because people can cheat, if they can work out how the score is sent and how to send a higher value (assuming there isn’t just a flaw in the gameplay).
So how to beat the cheats?
“I think…” Yes, and likely, agreed. Sorry for being pedantic. The OP mentioned 20 variables needed to calculate score which does not sound realistic. How to beat the cheats depends on the game. Is the user actually getting a high score by cheating in the game, or sending an invalid score over the network using a man-in-the-middle proxy or similar? SSL would help on the latter. Otherwise a simple check would be to check out-of-bounds values that are over a set limit.
You need to monitor (online) more than one gameplay parameter.
If the player wants to send a high score to the online leaderboard, the player would be expected to play with the internet connection on.
Then the game will send some values to the server, at various stages of the gameplay.
It doesn’t have to be often. But enough that the server can validate the score.
Possibly sending some additional hash checksums would reduce the probability of cheats.
At least will reduce hacking in, without knowing the source code of the game.
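One way to implement the staged validation described in the post above, as an added example (not code from any poster): the client sends a few checkpoints per run, each carrying a checksum chained to the previous one, and the server checks the chain, the ordering and the scoring rate before accepting the final score. The per-run key, the rate ceiling, the function names and the sample run are assumptions for the illustration.

```python
import hashlib
import hmac
import struct

MAX_POINTS_PER_SEC = 500  # assumed game-specific ceiling on scoring rate
START = b"\x00" * 32      # chain start value shared by client and server

def tag(key, prev_tag, seq, elapsed_ms, score):
    """Checksum over this checkpoint, chained to the previous checkpoint."""
    msg = prev_tag + struct.pack(">IQQ", seq, elapsed_ms, score)
    return hmac.new(key, msg, hashlib.sha256).digest()

def validate_run(key, checkpoints, claimed_score):
    """checkpoints: list of (seq, elapsed_ms, score, tag). Returns (ok, reason)."""
    prev_tag, prev_ms, prev_score = START, 0, 0
    for i, (seq, ms, score, t) in enumerate(checkpoints):
        if seq != i:
            return False, "missing or reordered checkpoint"
        if ms <= prev_ms or score < prev_score:
            return False, "time or score went backwards"
        if not hmac.compare_digest(t, tag(key, prev_tag, seq, ms, score)):
            return False, "bad checksum"
        # The checksum key lives in the client, so it only stops tampering by
        # someone who has not extracted it; the rate bound is independent of it.
        if (score - prev_score) * 1000 > MAX_POINTS_PER_SEC * (ms - prev_ms):
            return False, "score gained faster than the game allows"
        prev_tag, prev_ms, prev_score = t, ms, score
    if not checkpoints or claimed_score != prev_score:
        return False, "final score does not match last checkpoint"
    return True, "ok"

def make_run(key, points):
    """Client side of the demo: tag a list of (elapsed_ms, score) checkpoints."""
    out, prev = [], START
    for seq, (ms, score) in enumerate(points):
        prev = tag(key, prev, seq, ms, score)
        out.append((seq, ms, score, prev))
    return out

# Constructed data; a real key would be random and issued by the server per run.
KEY = b"constructed-per-run-key"
HONEST = make_run(KEY, [(10_000, 3_000), (20_000, 7_500), (30_000, 11_000)])
```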
Lots of older games come with pre-populated leaderboards which are run completely locally. If nothing else it gives players goals to aim for, particularly if multiple people play on the same physical system, which is often the case with games played in arcades.
This is exactly the approach we used once when running a high-score based competition for a generally offline game. Sanity checks to discard obvious junk, and recording input. For the fastest times that didn’t get filtered out, we then watched the games manually.
Clearly we wouldn’t do this for an ongoing leaderboard. We did it for a specific event, once. You could of course add extra layers of automation to cut down the number of cases which need human moderation, but you won’t get them to 0, so there would still be some level of ongoing time sink, and even humans may not pick up all forms of cheating.
E.g. if someone writes a bot which plays perfectly, could you visually distinguish it from a near-perfect human player? I am unaware of any distinguishing factor which can not itself be faked, so this becomes a game of cat-and-mouse similar to DRM implementations.
For local leaderboards I wouldn’t care about anything past the sanity check. If people want to cheat and nobody else is impacted, who cares? If the game is connected to other people then one potential solution is to only show leaderboards with friends, or show that by default. That could be more engaging anyway, because seeing that my bestie just smashed my score could encourage me to try again, where seeing 12,475 randos ahead of me just feels arbitrary and insurmountable (especially when I expect a bunch of them are cheating). However, it requires a bunch of infrastructure and pre-existing community, so likely only works on platforms where that exists. (Steam, consoles, and mobile all potentially provide this.)