How to communicate securely with a server
Hello, I want to implement leaderboards in my game. The game will talk to a server running PHP through an API. My question is: how can I make sure the request came from the game?
I mean, the user can look at the network traffic and understand how he can fake requests. Let's say I use SSL and I make a token algorithm with salt on the client and check it on the server. The user can decompile the client code (C#), have a look, and figure out how to fake the token on his own and where/how to send the requests.
Is there a safe way to do this client-server communication?
Answer by wibble82 · Dec 16, 2015 at 04:16 PM
There's no super safe way - ultimately if you give enough users the code, and enough of them want to break it, somebody will eventually find a way!
However you can take steps to make that harder - hopefully hard enough that nobody can be bothered hacking your leaderboards :)
Some techniques I've used, or recommended / talked over with other developers:
- Write a very simple native plugin with a function that returns your key
- Make the key dependent on something odd in your game - maybe you pass your 'grass' texture into your native plugin, which XORs bytes 11 to 93 with a key stored in the plugin and returns it :)
- Possibly put some plain text in there: "WeAreASmallCompanyWhoLoveMakingGreatGamesSoPleaseDontBreakAnything"
- Consider how you can regularly back up / quickly restore the leaderboards and ship patches to change the key in the event that somebody malicious does get a hold of it
- Have 7 different keys for different days of the week, just to annoy anybody trying to break them! (again inside the native plugin)
As Bruce Dawson (MS) once said, the only reliable way to avoid a game being cracked is to make a bad game - then nobody will want to crack it! Your best bet is just to make the process of doing so annoying enough so people don't want to.
Answer by cubecoders · Dec 17, 2015 at 02:44 PM
Some games that are leaderboard based send a server a copy of the entire session replay, and the server actually runs the replay in a headless copy of the game and verifies the time that way instead of just trusting that the leaderboard time the client says is valid.
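The replay check described in the answer above, sketched as an added example (not code from either answer): a toy grid game in Python stands in for the headless game build, and the level, tick length and function names are constructed for illustration. The server never trusts the claimed time; it re-runs the inputs under its own rules and compares.

```python
# Added example: toy deterministic game standing in for a headless build.
TICK_MS = 20                      # fixed timestep, so re-runs are reproducible
TRACK = ["S..#....",              # constructed level: S start, F finish, # wall
         ".#.#.##.",
         ".#...#.F"]
MOVES = {"U": (0, -1), "D": (0, 1), "L": (-1, 0), "R": (1, 0)}
MAX_TICKS = 10_000                # bound the server's work per submission


def simulate(replay):
    """Re-run a replay [(tick, move), ...]; return finish time in ms or None."""
    x, y = 0, 0
    last_tick = -1
    for tick, move in replay:
        # Inputs must be well-formed, strictly ordered and bounded.
        if not isinstance(tick, int) or move not in MOVES:
            return None
        if tick <= last_tick or tick > MAX_TICKS:
            return None
        last_tick = tick
        dx, dy = MOVES[move]
        nx, ny = x + dx, y + dy
        # The server applies the game rules itself: walls and edges block.
        in_bounds = 0 <= ny < len(TRACK) and 0 <= nx < len(TRACK[0])
        if in_bounds and TRACK[ny][nx] != "#":
            x, y = nx, ny
        if TRACK[y][x] == "F":
            return (tick + 1) * TICK_MS
    return None                   # the replay never reached the finish


def verify_submission(claimed_ms, replay):
    """Accept a score only if the server's own re-run produces the same time."""
    actual = simulate(replay)
    if actual is None:
        return False, "replay does not finish the level"
    if actual != claimed_ms:
        return False, f"claimed {claimed_ms} ms, replay gives {actual} ms"
    return True, "ok"
```

This only works if the real simulation is deterministic (fixed timestep, seeded randomness, identical rules on client and server), and it raises the bar from forging a number to producing a valid playthrough.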