Browser and mobile games commonly have global high-score tables. It's also common for those tables to contain scores of 2,147,483,647 — where people have figured out the web service call that reports scores and used it to record a fictitious score.
For simple puzzle games, we can defend against this by including a record of every move the player made (and any random seeds used to generate the level) with the score-reporting call. The entire game can then be reproduced and verified on the server.
However, this quickly becomes infeasible for anything larger than Pac-Man.
How else can cheating of this kind be prevented?
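The replay-verification idea from the question, as an added example that is not part of the original post: a toy deterministic puzzle (level tiles derived from a seed, a move is picking a tile, score is the sum of picked tiles) is replayed on the server from the submitted seed and move list, and the claimed score is accepted only if the replay reproduces it and every move was legal. The game rules, the LCG level generator, the submission format and the sample submissions are all constructed for this example.

```python
import json

# Hypothetical game constants (not from the original page).
LEVEL_SIZE = 8   # number of tiles in a level
MAX_MOVES = 3    # a game ends after this many picks
MAX_SCORE = MAX_MOVES * 9  # tiles hold 0..9, so no honest score can exceed this


def generate_level(seed: int) -> list[int]:
    """Derive tile values 0..9 from the seed with a small LCG.

    The real game would share this exact code between client and server so that
    the same seed always yields the same level (constructed example generator).
    """
    state = seed & 0xFFFFFFFF
    tiles = []
    for _ in range(LEVEL_SIZE):
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        tiles.append((state >> 16) % 10)
    return tiles


def replay(seed: int, moves: list[int]) -> int:
    """Re-run the game from the seed and the move list, enforcing the rules.

    Raises ValueError on any move the game itself would never have allowed.
    """
    tiles = generate_level(seed)
    if len(moves) > MAX_MOVES:
        raise ValueError("too many moves")
    taken: set[int] = set()
    score = 0
    for move in moves:
        if not isinstance(move, int) or not 0 <= move < LEVEL_SIZE:
            raise ValueError(f"move {move!r} out of range")
        if move in taken:
            raise ValueError(f"tile {move} already taken")
        taken.add(move)
        score += tiles[move]
    return score


def verify_submission(submission: dict) -> tuple[bool, str]:
    """Server-side check of a score report: (accepted, reason)."""
    try:
        seed = int(submission["seed"])
        moves = list(submission["moves"])
        claimed = int(submission["score"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed submission"
    # Cheap sanity bound before doing any replay work.
    if not 0 <= claimed <= MAX_SCORE:
        return False, f"score {claimed} outside game bounds"
    try:
        actual = replay(seed, moves)
    except ValueError as exc:
        return False, f"illegal replay: {exc}"
    if actual != claimed:
        return False, f"claimed {claimed}, replay gives {actual}"
    return True, "ok"


# Constructed sample submissions (JSON as the client would POST it).
HONEST = json.dumps({"seed": 42, "moves": [0, 3, 5], "score": replay(42, [0, 3, 5])})
FORGED_SCORE = json.dumps({"seed": 42, "moves": [0, 3, 5], "score": 2147483647})
FORGED_MOVES = json.dumps({"seed": 42, "moves": [0, 0, 0, 0], "score": 27})


def check_all() -> dict[str, tuple[bool, str]]:
    """Run the verifier over the constructed samples."""
    return {
        name: verify_submission(json.loads(raw))
        for name, raw in [("honest", HONEST), ("forged_score", FORGED_SCORE), ("forged_moves", FORGED_MOVES)]
    }


if __name__ == "__main__":
    for name, (ok, reason) in check_all().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The verifier rejects the classic 2,147,483,647 report twice over: once on the static bound, and again because the replay cannot reproduce it. Having the server issue the seed at game start (rather than trusting one sent with the score) is a further step this example assumes but the question does not describe.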
Answer
The internal system we used for Moblox (later replaced with OpenFeint) worked like this:
- Send a JSON message over plain HTTP (not HTTPS). Include an MD5 hash of all fields plus a magic string.
- On the server, check the integrity of the message with the same operation.
To crack the system, you'd have to find this magic string. It is possible with reverse engineering, but painful.
OpenFeint, ScoreLoop and CocosLive all use the same trick, but with HTTPS. Very easy to implement.
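The integrity check described in the answer above, as an added example rather than code from Moblox, OpenFeint or the answer's author: the client hashes a canonical serialization of the score fields concatenated with a magic string, and the server recomputes the same value and compares it. The magic string, the field names, the field-then-magic ordering and the canonical JSON encoding are all assumptions made for this example.

```python
import hashlib
import hmac
import json

# Placeholder secret embedded in the client build (assumed; not a real value).
MAGIC = "example-magic-string-placeholder"


def canonical(fields: dict) -> str:
    """Serialize fields deterministically so client and server hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


def sign(fields: dict, magic: str = MAGIC) -> str:
    """MD5 over the canonical fields followed by the magic string (the scheme in the answer)."""
    return hashlib.md5((canonical(fields) + magic).encode("utf-8")).hexdigest()


def client_report(fields: dict, magic: str = MAGIC) -> str:
    """Build the JSON body the client would POST: the fields plus their hash."""
    message = dict(fields)
    message["sig"] = sign(fields, magic)
    return json.dumps(message)


def server_verify(raw_body: str, magic: str = MAGIC) -> bool:
    """Recompute the hash over every field except 'sig' and compare in constant time."""
    try:
        message = json.loads(raw_body)
    except ValueError:
        return False
    if not isinstance(message, dict) or not isinstance(message.get("sig"), str):
        return False
    sig = message.pop("sig")
    return hmac.compare_digest(sign(message, magic), sig)


def tamper(raw_body: str, **changes) -> str:
    """Constructed helper: alter fields of a signed report without re-signing."""
    message = json.loads(raw_body)
    message.update(changes)
    return json.dumps(message)


# Constructed sample report.
REPORT = client_report({"player": "alice", "level": 3, "score": 1240})


if __name__ == "__main__":
    print("genuine report accepted:", server_verify(REPORT))
    print("edited score accepted:  ", server_verify(tamper(REPORT, score=2147483647)))
```

As the answer itself notes, the strength of this scheme rests entirely on the magic string staying unknown, and it ships inside the client. Where a keyed hash is wanted, the standard construction is HMAC (`hmac.new(key, msg, hashlib.sha256)` in Python) rather than a bare hash over message plus secret; the example keeps the plain MD5 form only to match what the answer describes.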