My Android game has been pirated, what can I do?

Now I know what you’re going to say: “It’s useless to fight the pirates, you won’t convert those players to paying customers” and you’re right, but please hear me out.

My game is a fairly popular premium game on both iOS and Android, my players compete for position in the high score leaderboards. There are some IAP for coins and a few premium DLC. Nothing out of the ordinary.

Every time I update the game a cracked version of that update appears online a day or so later.

I’d like to try and detect people using unofficial copies of the game because they create accounts on my Playfab, which in turn costs me money as I get near to the 100k pay threshold. They also ruin the experience for others online with their high scores that take legitimate players a lot longer to get. They also post in our communities asking questions and wasting our time.

Some have an extra splashscreen with 5play.ru on it and seem to tamper with the player prefs. Although I’m not sure how as the saved online data does not match the data shown in game, maybe they’re bypassing it?

So, I’d like to try and detect the cheats and ideally prevent them from creating accounts and accessing the leaderboards.

Does anyone have any idea if this can be done? Or do I just have to leave them to ruin my players’ experience?

Thanks

1 Like

The only way would be for you to get some transaction id from the store and use that in the account creation process.

If something like that exists, then you can secure it against pirated copies making accounts because the ID would exist purely on the store and your server and no part of the process would depend on local app code.

1 Like

You can get in contact with the support for the store in question (Google Play) and provide proof that you made it; eventually they will remove it (potentially; a lot of the time, from experience, they never get back to you or say there is not sufficient evidence).

This is a very common thing in the mobile industry and a good reason why I no longer take any part in the mobile side of games. There is no silver bullet for dealing with this, it’s just that you have to put lots of time and effort into getting them taken down. You should ask if it’s actually worth it or not. If it is, expect to spend a lot of time, as more versions will come up as the old ones get taken down.

Apparently they finally added functionality to Application.genuine for Android in 2020.2.0a15, but I don’t think it does more than check the package name it was first built with.
Another option would be to check for the signature of the app, and make sure it wasn’t re-signed.
Also wonder if you use IL2CPP; just having no assemblies comes with a lot of obfuscation.
But of course all these checks are just another barrier that can also be removed if they want to enough. Just have to make it not worth it for them for the size/type of userbase you have.

The only safe way, of course, is to do every confirmation online and just use the app as a client, but that gets really difficult for f2p.

These copies are not on the official stores, they’re across many websites that offer illegal Android apk files :frowning:

Yes, I saw that, but I don’t think it would be very effective. I am using il2cpp as I need to build 64-bit versions of my game.

(I only have experience with reverse engineering on PC, but I guess Android uses the same principles…)

A quick and easy solution might be the Anti-Cheat Toolkit.
Save your PlayerPrefs obscured/encrypted, use obscured data types for important variables like money/coins and use the code hash generator to check if any code was altered.

You also should consider using an Obfuscator, this one has IL2CPP support.
IL2CPP itself is only slightly more protected than Mono. It still comes with metadata that contains all names for classes, methods and fields. All of this (except classes, iirc support for them is experimental) can be obfuscated with the asset I’ve linked above.
You might have to adjust all of your scripts to make it fully compatible with your project though, this mostly depends on your current project design. You can’t call obfuscated methods from (Button-/UI-)events inside the editor for example. You either have to skip the obfuscation for the method you want to call, or you assign it explicitly inside a script.

If you already published builds without obfuscation, also keep in mind that obfuscating builds now is a lot less effective. People can use the old build and compare it to a new, obfuscated one with some special tools. Stuff that is obfuscated now but wasn’t before will be found.

Of course all of this won’t make your game uncrackable, but if you use both assets together properly it will be a lot more annoying to alter.

Besides that… I have no idea how Playfab works, as we always used our own backend. But if you can, add as many sanity checks as possible. If someone has a ton of coins without ever paying a single cent it’s really obvious that he is cheating for example. You can simply auto-ban such players and remove them from the leaderboards.

6 Likes
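A server-side version of the sanity checks suggested in the post above, as an added example that is not part of the original thread and is not PlayFab or Anti-Cheat Toolkit code. The rate limits, field names and sample accounts are assumptions constructed for illustration; the point is that every input to the check is a value the server recorded, not one the client reports about itself.

```python
from dataclasses import dataclass

# Assumed tuning values for this sketch; derive real ones from your own game's economy.
STARTING_COINS = 100
MAX_COINS_PER_MINUTE = 40   # fastest legitimate in-game earn rate
MAX_SCORE_PER_SECOND = 25   # fastest legitimate scoring rate

@dataclass
class Account:
    player_id: str
    coins: int              # balance the client last synced
    purchased_coins: int    # coins from receipts validated on the server
    minutes_played: int     # accumulated server-side from session start/end
    best_score: int
    best_run_seconds: int   # server-timed duration of the run behind best_score

def violations(a: Account) -> list[str]:
    """Return the reasons an account's record is implausible (empty if none)."""
    reasons = []
    ceiling = STARTING_COINS + a.purchased_coins + a.minutes_played * MAX_COINS_PER_MINUTE
    if a.coins > ceiling:
        reasons.append(f"coins {a.coins} exceed earnable ceiling {ceiling}")
    if a.coins < 0 or a.best_score < 0:
        reasons.append("negative value")
    if a.best_score > a.best_run_seconds * MAX_SCORE_PER_SECOND:
        reasons.append("score too high for run duration")
    return reasons

def public_leaderboard(accounts):
    """Return (ranked clean entries, {player_id: reasons} for excluded accounts)."""
    flagged = {a.player_id: v for a in accounts if (v := violations(a))}
    clean = sorted((a for a in accounts if a.player_id not in flagged),
                   key=lambda a: a.best_score, reverse=True)
    return [(a.player_id, a.best_score) for a in clean], flagged

# Constructed sample records, not real player data.
SAMPLE = [
    Account("alice", 900, 500, 30, 12_000, 600),
    Account("bob", 2_300, 0, 60, 9_500, 480),
    Account("modded_1", 999_999, 0, 5, 4_000, 300),   # coins with no purchases
    Account("modded_2", 150, 0, 10, 9_999_999, 120),  # impossible score
]

if __name__ == "__main__":
    board, flagged = public_leaderboard(SAMPLE)
    print(board)
    for pid, why in flagged.items():
        print(pid, why)
```

Flagged accounts are left out of the public ranking rather than rejected with an error, which keeps the game playable offline for them without exposing which check fired.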

Thanks for the in depth reply, I appreciate it.

I’ve just implemented obscured player prefs using anti cheat toolkit. The dev was very helpful on Discord.

I will continue to look into your other suggestions. What I’d really like to happen is to detect a cheat/pirate and quietly not show the account login/creation process at all, allowing them to enjoy an offline experience where they can’t ruin legitimate players games.

1 Like

Let us know if you have success with this, good luck.

1 Like

Congratulations! That’s how you know you’ve really made it as a game developer.

6 Likes

Thanks. Doesn’t feel as good as I imagined it would. Lol

5 Likes

Are you using Google Play’s license checks and anti-piracy features?

I tried but couldn’t get it to work

Well, I spent a fair amount of time investigating this and I only obscured my playerprefs data as I didn’t have the luxury of time and also the risk of breaking things had me worried.

Anyway, I released an update yesterday and it’s already available on 2 sites. Shame really, it’s pretty off-putting knowing these guys are doing this.

3 Likes

Welcome to the state of the mobile games market :slight_smile: It’s either deal with the pain that is Android development and everything that comes with it, such as apk theft as you are experiencing, or the pain that comes with dealing with Apple :slight_smile:

Try to see the positives: you are successful enough for people to spend their time doing this. You are not really losing users, as anyone who will install an off-market pirated APK was probably never going to convert to a real user of your game anyway.

Ignore it and focus on the playerbase you have rather than the black market playerbase you could have and you will be just fine :smile:

5 Likes

Thanks. You’re right, but I only wanted to prevent the pirates accessing the online part of the game and spoiling it for the legit players. I know I would never convert them into paying customers, but never mind. As you say, I’m flattered they’re bothering to pirate it.

2 Likes

You may be able to use something like https://docs.unity3d.com/ScriptReference/Application-installerName.html to work out if it was installed via Play Store or via a 3rd party, and then block all PlayFab, IAP etc. from that point onwards if it is not from the Play Store :slight_smile:

Good luck, don’t give up - there is always a solution to the problem at hand :slight_smile:

1 Like

This reminds me of when I found a game of mine on The Pirate Bay. All I did was add a comment thanking everyone for their interest in the game :slight_smile:

2 Likes

Or decide that you can live without online functionality in your games. Mobile development is already bad enough with oddities like every device having a different screen resolution that I wouldn’t want to have an online presence that I have to stop from being hacked.

2 Likes

You should’ve put in a “If you enjoyed the game, please consider donating some money to my patreon” link or something. :wink:

1 Like