Ban Players from my game

Hi, I know it has been a while, but we recently came across this issue when players started using Lucky Patcher (or similar softwares) to get free IAP from our game. Fortunately we had implemented enough features on our side to be able to identify these players. One thing to know is that we are a very small studio so we don't have the resources to automate this at a great scale like Supercell games, Fortnite, etc. I will not go into code details.

• First, you need a way to authenticate players. If you are relying on a local file that saves all the game stats to your player's device, you may be out of luck. You definitely need a remote way in which you access the player's details (we are talking player details inside the game, not real information) Ourselves we went for Google Firebase which has several authentication methods, we went for email auth. You can choose any other type of Database (Mongo DB, Amazon AWS, Google Firebase, etc)

• Once your game requires authentication, any time someone starts it for the first time you need to handle creating a new user in your database either as a Guest or using their email. Once the user has been created, push everything you want to store like XP, health, coins, and everything that you consider should be managed online instead of local. Of course you need to implement saving the stats to the DB every time the player closes the game or put the game in the background, and loading them back when the game is opened or on focus.

• Now that you have the information online and the save and load features, you can start experimenting saving other type of metadata. For example, in our case we decided to save the following data when an IAP was made: user ID (from the authentication), date in which the IAP was made, type of IAP (bundle, gems, pass, etc), and the cost of that IAP.

• So now we have a list of IAP that were made, and we can see what player made it (again, not real name or any other real life information) At this point is a matter of inspecting the leaderboards and the IAP list. We had a case in which a player jumped several positions on the Leaderboard in a matter of minutes. Upon checking the IAP list, we discovered that almost 900 dollars were spent by that player in 1 minute. Unfortunately it can take some time for both the Playstore and the AppStore to expose the recent IAPs, so we had to wait 2 days for the AppStore Connect and Playstore Developer Console to show us the latest revenue from recent IAPs.

• It gets tricky to identify the IAPs and match them to the player, since AppStore and Playstore don't register the Player's authentication ID with the purchase, but instead display a real Address, a Date and the Amount spent.

• Our way of matching the IAP to the player was to check the date in which it was made. Thankfully this method seems to work on UTC time to the day, hours, minutes and seconds, so it was quite easy to match purchases by date and amount. Basically if there was a purchase made at April 10, 13:02:12 registered on our database, we would go to the Dev Console and compare the dates and the amount. If there was no existing IAP, that meant that the player has hacked it and didn't pay real money for it.

• At this point you can take a decision on what to do with the player. You have their auth ID, so you can see how many coins, gems, xp, etc. It gets tricky again on what to do. If the items bought are consumables, you may not be able to take them away if the player already consumed them. If it was a subscription or non consumable, you may be able to turn it off remotely. If you have in-app messaging or remote notifications, you may be able to warn the player and let them know that something suspicious was found on their account. You could have an entry on the database for banned players, and set a banning time (for example 3 days). Once they start the game and retrieve their stats from the online DB, if the banning time is still up, bring a blocking screen on the UI saying that the banning is still on going and the time remaining. You need to be sure to compare the banning time with an online method, otherwise the player could change their system's date and cheat the banning time.

• In our case, we decided to send an email if the user had registered their email. We ask them to send their purchase confirmation number to verify the transaction. Not a single player we caught this way has replied with a confirmation number, and most of them reply with rude comments and threatening to give a 1 star review, or even saying that the game is not even worthy of using hacks. So we go ahead and delete their entry from our Database after several days of giving them the chance to verify their purchase.

As you can see it takes a lot of effort to develop this kind of security, but once it is built you can ensure your players a fair game and kick out cheaters in a fairly easy and quick way.

I can provide code examples from Unity C# and Firebase if you are interested. Our game on the AppStore and Playstore is Tales of Argento if you are curious!

One way to do it would be to keep a database/list of strings that contains each banned account name. As part of your authentication progress, you reject them if they exist in the database/list of account names. If you want another mechanism for identifying an account, swap out the account name with whatever else you record about the user, like a hashed email or other uniquely identifiable data.