- Home /
How Secure is the Server Side High Scores script?
Hello everyone,
The script i am talking about is the well known sever side high score script on the unity wiki http://wiki.unity3d.com/index.php?title=Server_Side_Highscores
I am using the script for an android game but I am worried about people being able to decompile the script and be able to see the "private key". Is this a legit worry? How do other companies do it?
Thank you.
Answer by Suddoha · Feb 19, 2017 at 02:50 AM
People can decompile the game and read the key, indeed. And that's not a big deal at all. Once the key is known, one can send any name and score plus the known key, hashed with the exact algorithm which is used in your script, as if you didn't have a "secrect key" at all. The server would never recognize that unless you implemented more logic to attempt filtering wrong submits, e.g. extreme scores etc.
The thing is, everything that is done on the client side can be manipulated. The only thing you can do is try to implement certain barriers in order to stop people from trying to cheat. But that's usually not easy and often not worth it. Companies have invested much money and a lot of time to find solutions, in the end, as you may know, almost everything that needs to be bullet proof has some kind of connection to a server which handles critical portions of the applications logic.
Hmm... So any ideas what i can do to make the key more secure? The game is android/ios only would should make it more difficult. Is there anyway i could encrypt the key? How do big companies like supercell manage it?
If you encrypt the key, you'd either put the encrypted key into the file (which again could be read out and used) or you'd request a key from a server, use an algorithm and hash with it. But then the algorithm could be seen, so you would've won nothing at all.
If you start a SuperCell game, you usually connect to a server. Without a connection you cannot play, or at least you're not able to change anything that would update your game state.
Everything you attempt to do there, let's say in CoC, will be sent to a server. Afaik they're using AWS (Amazon Web Services) to handle the massive player base. Server-sided logic would then evaluate the commands, check whether the action is legit in the given context and with the current game state. Finally, it updates the database.
While this happens, the application can locally predict the result in order to provide immediate feedback to the user. As if there wasn't any delay for server-side evaluation etc.
Thank you for your insight. $$anonymous$$y game is an endless runner type game so it would hard to implement such a idea. Unless i wanted to do the whole physics sim on the server side which does not sound fun.
Answer by benaldo · Sep 18, 2018 at 04:46 PM
You can implement an asymmetric encryption algorithm and key exchange style solution.
Where the server keeps a permanent keypair, and the client also generates a personal keypair.
Then you use the keypairs to implement a Diffie-Hellman key exchange and use that exchange to authenticate a symmetric key for most of the communications. (Symmetric is less overhead than asymmetric)
But this is only hardening, and will not stop a truly determined hacker from getting what they want... But if your server handles and authenticates the scoreboard updates as best it can, you can hide the secure stuff behind an API.