How do I prevent data manipulation (e.g. Highscore)

  • Hey gamedevs!

    I'm a little bit confused regarding security, encryption, hashing and stuff.

    We at 25games wanna create games where the player can submit a highscore to our database via AJAX requests.

    We already use hashing to make sure that the attacker can't simply perform a submit.php - POST.

    But how to prevent the attacker from changing the game's state during play?

    • Let's say the attacker starts a new game: Score = 0
    • Then he plays a little bit and earns some points: Score = 200, Score = 400, Score = 600
    • While he is playing he observes the values of the game and compares which one has changed from 0 to 200 to 400 to 600.
    • Now, once he has found the candidate, he could easily change the score to 1.000.000 (or can't he do this?)
    • Lastly he dies and the score of 1.000.000 is transmitted to our database.

    What can I do to prevent attackers from manipulating the local state of the game?

    Thanks for your answers and have a beautiful day

  • You can keep your score hashed at all times. Check if the hash is correct before adding points or submitting the score.

    Or keep track of the score in 2 different variables - one in clear form and another in some encrypted/obscure format. (Multiplied by 3.14, converted to text, written backwards etc.)

    Display the clear variable in your game and don't check its integrity, allow the hacker to change it. But when it's time to submit the highscore, decrypt the other variable and upload it.

    Unfortunately, there is no 100% protection from an experienced and determined hacker, all these tricks will only make his job a little bit harder.
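
The first suggestion in the reply above (keep the score hashed, and check the hash before adding points or submitting), sketched in JavaScript as an added example that is not part of the original posts. The names `GuardedScore` and `fnv1a`, the per-session salt and the choice of FNV-1a as the hash are assumptions made for illustration.

```javascript
// Added example: FNV-1a (32-bit), a small non-cryptographic hash. Assumption:
// chosen for brevity; it detects casual memory edits, nothing stronger.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// Hypothetical helper: a score plus a salted tag that must always match it.
class GuardedScore {
  constructor(salt = Math.floor(Math.random() * 0x100000000)) {
    this.salt = salt;          // per-session value mixed into every tag
    this.value = 0;            // the number a memory scanner would find
    this.tag = this.computeTag(0);
    this.tampered = false;     // sticky: restoring the old value later does not clear it
  }
  computeTag(v) {
    return fnv1a(this.salt + ":" + v);
  }
  // True only if the value still matches the tag written by the last add().
  verify() {
    if (this.computeTag(this.value) !== this.tag) this.tampered = true;
    return !this.tampered;
  }
  // "Check if the hash is correct before adding points."
  add(points) {
    if (!this.verify()) return false;
    this.value += points;
    this.tag = this.computeTag(this.value);
    return true;
  }
  // "...or submitting the score": null means the score must not be sent.
  forSubmit() {
    return this.verify() ? this.value : null;
  }
}

// Constructed walk-through of the scenario in the question: 200, 400, 600,
// then the stored value is overwritten from outside the game logic.
function demo() {
  const s = new GuardedScore(12345);   // fixed salt so the run is repeatable
  s.add(200); s.add(200); s.add(200);
  const honest = s.forSubmit();
  s.value = 1000000;                   // simulated edit of the plain variable
  return { honest, afterEdit: s.forSubmit(), addAfterEdit: s.add(200) };
}
```

Because the check runs in the player's browser, it only detects edits to the stored value, which matches the reply's point that these tricks raise the effort rather than give full protection.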

  • You can keep your score hashed at all times. Check if the hash is correct before adding points or submitting the score.

    Oh yes! Good point, I'll try that.

    Thanks
