Preventing fake score submissions

Hi Everyone!

I’m creating a game which is a simple 2D side scroller with a high-score being posted to a MySQL instance on a server I’ve hosted.

The means of posting and retrieving this score is very simple using a WWWForm posting data to a PHP page which then processes the results to the backend. That’s all very nice. However, it occurs to me that anyone can also just as easily forge an HTML web form on their own and post their own high score, if they want to. (In fact, I just succeeded doing that in less than 5 minutes.) What could be done to stop this from happening?

When it comes to HTML form posting security, I’m only aware of the captcha, which in this case, is not applicable.

A few things I can think of right now but none of them are great:

  1. Don’t use the HTTP POST, and find another method that is less common / easy. (But what would that be? and how much work is it to implement?)
  2. Embed a hidden form field to my post data with a secret phrase for validation (but is that too easy? What if I want to publish my code on Git?)
  3. Add something from the game Resources that isn’t easily faked (but can users somehow download my game and unpack everything to find it?)

Cheers!

I probably wouldn’t worry too much about it. You could look into other systems that support scores e.g. Social.ReportScore(). Or maybe just a md5 checksum would be enough but anything running on the client isn’t too hard to hack. The only safe solution is to run everything on the server but that’s not really practical in most cases.

1 Like

If you’re concerned about the user ‘hacking your save files,’ or ‘hacking your high score chart’ or ‘cheating in your game,’ which is playing on their computer, just don’t be.

There’s nothing you can do about it. Nothing is secure, it is not your computer, it is the user’s computer.

If it must be secure, store it on your own server and have the user connect to download it.

If it must have secure user authentication, use Apple login or Google login. Nothing else is worth it.

Anything else is a waste of your time and the only person you’re going to inconvenience is yourself when you’re debugging the game and you have savegame errors. Work on your game instead.

Remember, it only takes one 12-year-old in Finland to write a script to read/write your game files and everybody else can now use that script. Read about Cheat Engine to see more ways you cannot possibly control this.

NOTE: if you begin a response with “So you’re saying that…”, then you haven’t read the above. Go back and read it.

1 Like

You can’t.

The only way to have an uncheatable leaderboard is to have a completely server-authoritative game. This way there’s no client submission of score.

Alternatively, a very easy way to prevent cheating is to make sure no one plays your game. Statistically speaking, this is what’s likely to happen regardless of what you do. Sounds mean, but it is the reality of it. Don’t worry about cheating unless it is a real problem.

1 Like

Thanks, I will keep that in mind and not kill myself over it. :slight_smile: Just wanted to get a sense of the landscape nowadays and guess the war on hackers hasn’t changed much!

A trick you can use for this is to only show scores from other users from the player’s Steam friend list, or whatever friend list or other social features the platform you are shipping on has. Then you get the value of having a leaderboard without really having to care about people cheating - most users won’t see cheated scores, and if they do, they know the person who’s cheating and can tell them off.

4 Likes

That’s a great suggestion! Thanks so much! It’s much more meaningful that way and we usually just care how much we beat our friends’ scores anyway :smiley:

I know this is already “solved”, but just to add an actual example of a game that validates player’s scores:

The game PolyTrack by Kodub marks scores (which are race times) as “unverified” until the server verifies them itself. Since it stores frame-by-frame replays with input, I’m guessing it verifies them by replaying the player’s input on the server and seeing if the times match.

Though, the basic idea here is to have the client upload some type of proof alongside the score that the server or other players can verify, not just the score alone. And since the server requires proof alongside the score, if the client decides not to send proof, then the server doesn’t take the score.

1 Like
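An added example of the "proof alongside the score" idea from the post above (my own demo code, not the thread's or PolyTrack's): the client submits its frame-by-frame inputs, the server replays them with the same deterministic rules, and the score is accepted only if the replay reproduces it. The game rules, the seed-derived gap formula and the MAX_FRAMES cap are assumptions made for the demo.

```python
# Added example, not code from the thread or from PolyTrack: a tiny deterministic
# Flappy-style game where the client submits its frame-by-frame inputs as proof and
# the server re-runs the same simulation before accepting the score (demo rules).
GAP = 3              # height of the opening in each obstacle column
MAX_FRAMES = 10_000  # cap on replay length so one submission cannot tie up the server

def gap_low(seed: int, k: int) -> int:
    """Lowest open row of obstacle k, derived from the per-run seed (demo formula)."""
    return (seed * 31 + k * 17) % 3 - 1

def simulate(seed: int, inputs: list) -> int:
    """Shared game logic: replay the inputs and return the score reached before death.
    Each frame the bird rises one row on a flap, otherwise falls one row; every
    fourth frame an obstacle column arrives and the bird must sit inside its gap."""
    y, score = 0, 0
    for f, flap in enumerate(inputs):
        y += 1 if flap else -1
        if f % 4 == 3:                        # obstacle k = f // 4 is reached
            low = gap_low(seed, f // 4)
            if not (low <= y <= low + GAP - 1):
                break                         # crashed: the run ends here
            score += 1
    return score

def bot_play(seed: int, frames: int) -> list:
    """A client-side run used to build a legitimate submission: steer towards an
    even row inside the upcoming gap (y parity equals frame parity, so it is reachable)."""
    y, inputs = 0, []
    for f in range(frames):
        low = gap_low(seed, f // 4)
        target = low if low % 2 == 0 else low + 1
        flap = y < target
        inputs.append(flap)
        y += 1 if flap else -1
    return inputs

def verify_submission(sub: dict) -> bool:
    """Server side: reject anything without proof, then trust only the replay."""
    seed, inputs = sub.get("seed"), sub.get("inputs")
    if not isinstance(seed, int) or not isinstance(inputs, list):
        return False                          # a bare score with no proof attached
    if not 0 < len(inputs) <= MAX_FRAMES:
        return False                          # empty or unreasonably long replay
    return simulate(seed, inputs) == sub.get("score")

if __name__ == "__main__":
    run = bot_play(7, 40)                     # constructed legitimate run, 10 obstacles
    print(verify_submission({"seed": 7, "score": simulate(7, run), "inputs": run}))  # True
    print(verify_submission({"seed": 7, "score": 999}))                              # False
```

Replaying proves the score is reachable under the game's rules, not that a human reached it: a scripted player like bot_play passes this check, which is exactly the limit the later replies in this thread point out.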

Thanks for the response! :slight_smile: Yes, I’d thought about a rudimentary way of verifying the score - since my game is extremely simple and scoring is also easy to validate. However, it is also very easy to get a score of infinity in the hands of a skilled player / programmer, marking down precise moves.

And the required skills for me to be able to build a validator around the game that I just learned to create are on a whole different magnitude of difficulty. I’d love to, but … time and resources really.

Here’s my completed game for now, I’ve added it to the Showcase - It’s really just a practice for me, as I have other ideas for something a bit more than a Flappy bird clone. :stuck_out_tongue:

1 Like