Hey I was thinking of just rolling my own simple ranking system where I use PHP and a MySQL database on my webserver. So I’d basically just want to submit some type of “score” along with that player’s “id” and add it to the ranks, and also be able to retrieve the player’s rank in comparison to the rest of the database scores.
I’m not really asking how to set all this up, but simply, what are the tricks to making sure nobody can spoof it? I mean if someone could see what data I’m posting, they could just spoof it with a better score obviously.
You can’t make it foolproof. If someone is determined they can always reverse engineer it. The two main tools people will use are a packet analyser and decompilation tools. Between the two, if someone is determined they can certainly figure out what you are doing and emulate a fake message that your server will accept. That being said, you can stop all but the most determined people with a few things. These will also at least slow down the most determined.
Make sure to capture timestamp and IP address in your DB as well; that way you have easy ways to detect fakes and also can ban by IP address if it becomes necessary.
Try and eliminate rapid fire requests. Make it so the same IP/username can only submit every X seconds.
Think about your game style and if you can do further checking on the score that makes sense. How long realistically would it take for someone to get a high score? Often the answer is minutes, so try and send game playing time along with the score and discard those that don’t make sense (i.e. someone getting a high score in 10 seconds isn’t real).
Try to not just send the data on game end. Someone who analyses the message can certainly fake, for example, that the game ended in x seconds. Doing this across multiple messages with timestamps will make this harder to fake (they’d have to make sure to send multiple messages at time intervals).
Also, if your game is good it will inevitably happen at some point. Treat it as a compliment that someone is willing to cheat, and adapt to their schemes and ban the IP. Others have also mentioned, if it becomes a problem, to not try and give feedback to the cheater (send him a fake leaderboard). Others have mentioned making up a special cheaterboard so that all know who is cheating. There are many approaches to this problem. You’ll also note that I haven’t mentioned encryption, because with the decompilation piece the attacker can figure out what certificates are being used, secret keys, or analyse the trickiness that you are doing more than in other disciplines (where you are trying to figure it out just by the network traffic).
Implement a few of these and you’ll be fine for a good long while but certainly adapt if you find a few people getting through. Below are other threads that will give you more ideas as well.
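An added example, not code from the thread, of the server-side checks the reply above describes (timestamp and IP logging, a per-player rate limit, a play-time plausibility check, and in-game heartbeat messages instead of a single end-of-game post). It is written in Python rather than the PHP the question mentions; the thresholds, the `Session`/`LeaderboardServer` names and the sample players are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy knobs (tune per game); these are constructed values, not from the thread.
MIN_INTERVAL = 30            # seconds a player must wait between score submissions
MIN_SECONDS_PER_POINT = 0.5  # fastest plausible scoring rate for this hypothetical game
HEARTBEAT_EVERY = 10         # client sends a "still playing" ping this often during a game

@dataclass
class Session:
    ip: str
    started: float                  # server time at which the client reported game start
    heartbeats: list = field(default_factory=list)   # server times of in-game pings

class LeaderboardServer:
    def __init__(self):
        self.sessions, self.last_submit = {}, {}
        self.scores, self.flagged = [], []   # accepted rows / rejected rows with reason

    def start_game(self, player_id, ip, now):
        self.sessions[player_id] = Session(ip, now)

    def heartbeat(self, player_id, now):
        if player_id in self.sessions:
            self.sessions[player_id].heartbeats.append(now)

    def submit(self, player_id, score, ip, now):
        """Return 'accepted' or the rejection reason; 'now' is the server clock, never client time."""
        last = self.last_submit.get(player_id)
        if last is not None and now - last < MIN_INTERVAL:
            return self._reject(player_id, score, ip, now, "rate_limited")
        session = self.sessions.pop(player_id, None)
        if session is None:                                # score posted without a game start
            return self._reject(player_id, score, ip, now, "no_session")
        elapsed = now - session.started
        if score * MIN_SECONDS_PER_POINT > elapsed:        # score impossible in that play time
            return self._reject(player_id, score, ip, now, "too_fast")
        if len(session.heartbeats) < elapsed // HEARTBEAT_EVERY - 1:   # tolerate one missed ping
            return self._reject(player_id, score, ip, now, "missing_heartbeats")
        self.last_submit[player_id] = now
        self.scores.append((player_id, score, ip, now))    # timestamp + IP stored with the score
        return "accepted"

    def _reject(self, player_id, score, ip, now, reason):
        self.flagged.append((player_id, score, ip, now, reason))   # kept for review and IP bans
        return reason

    def rank(self, player_id):
        """1-based rank of the player's best accepted score; None if nothing was accepted."""
        best = {}
        for pid, score, _, _ in self.scores:
            best[pid] = max(best.get(pid, 0), score)
        mine = best.get(player_id)
        return None if mine is None else 1 + sum(s > mine for s in best.values())
```

The rejected rows in `flagged` are what you would query to spot a repeat offender's IP before deciding to ban it.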
Yeah sorry that could have been more clear. Basically the idea is to try one of two things.
Try and fool the cheater into thinking he’s succeeded. Make up a fake leaderboard to send to the flagged cheater so he sees his name up top. In reality he’s been flagged, and non-cheaters see the leaderboard with just legitimate scores. Basically it’s giving him false feedback so he stops trying to break your next trickery.
Instead of the never ending game of I’ve cracked your latest scheme you could put his name up in lights but in a bad light. Flagged cheaters would get mentioned in a cheater leaderboard for everyone to see and note they are cheaters. This would let everyone else know to disregard anyone by that username. This might anger the cheater and get him to stop.
Of the two approaches (and these are only if easier methods have not worked) the first one is in my opinion more prudent. Especially if your game is monetized by ads. Cheaters by definition are likely to enjoy your game. You get your cake and eat it too if they keep playing and earning you ad revenue but yet don’t discourage other players. Obviously this all depends on what type of hacker you have on your hands.
I thought my leaderboards got hacked because of decompilation. Wasn’t the case; they simply figured out that the score wasn’t embedded in the md5 hash, which was more luck than anything I guess. I could tell the dodgy scores based on the time attached to them.
Seemed only one person got excited enough to do it, I kept on top of his hacked scores (which were pretty obvious) by deleting them. He got bored of going through the process of re-downloading my game just to get a new system id.
I also re-submit the player’s best score every time the game starts, so unless they can hack the PlayerPrefs (not sure this is even possible), any ‘hack’ score won’t last long.
As for all this other stuff about cheater boards, etc., I wouldn’t waste my time unless it becomes a problem. You can always flag a user as dodgy and ignore any score of theirs returned for your main leaderboard as well.
+1 for this (do the same in my game). Resubmitting also helps if anything bad happens to your DB (obviously you should have backups). But even if something disastrous were to occur you essentially have a distributed backup on all the clients that he/she will resubmit the next time he plays even if the DB was unrecoverable. Also, what if the player was offline when he got the highscore? It’s nice to be able to see your name up in lights the next time you connect to the internet and play.
PlayerPrefs is definitely hackable, though; it’s just storage (registry on Windows, XML file on Android, plist on iOS, etc.). In fact, if you aren’t obfuscating it at all it doesn’t even need a hack, just change the values in the file. On Windows you don’t need anything special; on mobile you just need a rooted phone and that’s all. No aspect of the client is to be trusted, including PlayerPrefs, but obviously you still have all the server-side tools you can use, and if you banned their IP the resubmission won’t do anything.