Secure data server

Hello,

I am setting up a backup system to leaderboard scores via a mysql bdd on a server.

  1. I wanted to code this in c # directly in my app, but it is apparently possible for a user to decompile the app and have access to the files of the games and therefore see id, mdp, login name to my db.

  2. After searching, I am advised to create a php file on my server and call this file from the c # script as well, this php file will contain the id, mdp, login name to my bdd and the users will not see them not by analyzing my code.

The id, mdp and name of the server sound safe perfect,
Only when I communicate with my php file I have to send the scores to register, and here is my problem, how to secure the data sent from my c # script to my php?
As a reverse blow enginering and the user will modify the sent score.

Seeing the problem more widely is it possible to make sure that users do not have direct access to my app’s files?
I was able to see that some person used the Obfuscation, in order to make their code illegible from the outside.
Only the Obfuscation is apparently not totally on (possibility of “defusing”) and this can cause app performance problems and make it bug.

I would like your opinion on it.
Thank you

I only have experiences with similar setups in non-game contexts, but if it was a desktop application communicating with a backend over HTTP(assuming that from your mention of PHP), the standard approach would be encrypting the data with SSL.

Obfuscating should not be used as the only protection against hacking attempt for sensitive data, by the way.

1 Like

TY for this answer,
You answer half of my question.

I never used SSL before but i think its encrypt tube to secure network, the user cant got the value on transit right?
So use SSL to keep safe data on transit state will secure.

Last point is how to protect the value got from my game and send to the server at the script time:

"User open my c# send file to server, see ok he send 2 values, first: “name” and second: “score”, i will change the value score to 999999 just before sending data and server will accept it.

How secure and resolve this?

The easiest way, is to simply call a PHP Script with no value, then have the PHP Script have an initial value such as flameThrowerDamage = 5;

Then use that value inside the PHP Script to do the stuff you want on the backend.

This way the client never has access to the value whatsoever.

But in terms of Score, the client should still not have access to this. Make the SERVER keep track of this stuff, and then send that value to the database.

1 Like

Having a “secure” leaderboard is actually incredibly complicated. You can’t trust the client for anything. So if the game calculates the score and then sends it to the server, you’re screwed. Someone is going to hack that.

To make it secure, you have to do the score calculating on the server. Which means the entire game has to play on the server, and the Unity game has to just show the game and send the commands to the server so that the server can do the work.

This is obviously horrible for performance and you’ll have to have a beefy server to run all those simultaneous games on it.

Instead, most people settle for “mostly secure” and do everything they can think of to make it hard to hack the server. To that end, tons of encryption, all database connections are done from the server, etc. You’re still trusting the game to send valid scores, but you can do things like send a lot of other data along with it to check to see if the score makes sense. How many jumps? How long did they play? How many widgets did they pick up? Etc.

If it’s your first game, I’d say just write the server-side script to take the score and user’s name and call it a day. Someone will hack it, but whatever. Focus on making your game the best it can be, and worry about server security later. This is a headache that will be less painful if you do it on your next game instead.

3 Likes

I would suggest keeping the score data save in your client.
For example you can use the below asset to protect variables from tempering.

and also secure the data on de server: This asset a friend of me used. Good documentation (Also in sources) and easy to expand with own functionality.

@SmartMediaNL That is not secure. Nothing on the client can ever be trusted. What you’re proposing is not a secure method to storing Scoreboard data on a backend server. Granted it may make things more annoying to the hacker. But if someone wants to hack the data - they will do it.

The only safe secure way to make data unhackable is to make an external server keep track of all data and do what needs to be done. That is plainly the only way

#EDIT
Now this isn’t to say Anti-Cheat Toolkit don’t work, it may very well make things very aggrivating to hackers, but it’s not 100% fool proof.

Nothing in live is Secure. Even big companies get hacked and on the server side no less. Endless examples in the news.
Even Blizzard and other big companies have a hard time fighting cheaters.
At least making it a bit harder to mess around will prevent most problems.
The only save way is not to have a scoreboard.

Thats because they find weak points in the way the system is implemented, or they poorly and lazily designed the front end stuff on the game its self.

Everything is hackable, not going to say it’s unhackable.
But using the client as the trusted person for anything, will not be protected by even a somewhat beginner hacker.

This reminds me of when I tried implementing a high score system that pushes the player’s score from the client through a php → MySQL interface. My own free QA help hacked it in no time just for fun (I just asked him to do some play testing more for game balance purposes). Was hilarious when I first noticed the 99999999999999 top high score on the server. The guy just captured the php http call, figured out how it worked, and would just generate his own high scores outside of the game.

After experimenting with some ideas to protect it I decided there really wasn’t a good way to do it securely from a single player game, as the guy could just use one of the readily available script kiddie game hacking tools to just change his score anyway, which the game would then push no matter how secure that connection to the high score system was. I ended up just dropping the feature shortly before shipping the game unfortunately.

1 Like

Really TY guys, you helped me alot.
I understand i cant totaly secure the data of my game but i can make it really difiicult for the hacker, and i can decrease the impact of the damage from the hacking

this:
“but you can do things like send a lot of other data along with it to check to see if the score makes sense. How many jumps? How long did they play? How many widgets did they pick up? Etc.”

from “wccrawford” gives me the guideline to move forward and give me some idea to limit the impact of hacking on data result.

1)What about Obfuscation, you use it? its useless?

2)After this discussion i have another question on mind: How big games with tons of datas send to server can be secure? with: in app purchase, scoreboad…?
they have a solution for this, because people dont want to paid for content if the data can be hacked and modify.

It depends on your definition of “useless”. Obfuscation will prevent some hackers from hacking it, which means you have less crap to deal with. Likewise for using security keys, and checking against the things I mentioned before. In the end, you can make it so painful for them to hack that most of them won’t even bother trying, and few will succeed.

However, all that time you’re spending on that is time you aren’t spending making your game better. There’s a balance to be had somewhere there, but nobody can tell you where it is except you.