I'm finding lately how unsecure Javascript is when programming a game (I'm trying to do a turn based RPG and currently the battle calculations are done through Javascript which any player can cheat with of course giving themselves as much XP as they want), so I'm wondering if I were to move my battle screen to flash if this would be any more secure, or is there just as easy of a way to cheat this?
Come on. It's the same question really. Answer remains the same too:
No matter what the game, whether JS Flash or native binary, if the scoring system is vulnerable, people will tamper if the game is good enough. Stick to clever serverside every time.
This is not a problem that can be solved by obfuscation at the client end. There's plenty of prior art concerning keeping high-score tables/game data secure. Sharpen your google-fu and have a look.
Although the title of this post would suggest it's not applicable, I'd consider the difference between a browser/non-browser game to be irrelevant in this regard. As such, take a look:
Secure Online Highscore Lists for Non-Web Games
This is very slightly safer as flash source is harder to read then js source. However neither is particularly safe.
As I said in a previous answer, a secure system can not trust client score input. It doesn't matter whether the intended program is Flash or JavaScript. Once you send the program to the client they have any required key. So you can't rely on the client giving you accurate scores. The only reliable way to do it is to move score calculation to the server. Then, for a bot to play it still would have to calculate every movement manually.
Related
I'm creating a game site and when a player has finished playing the game, I want the site to update the score to a database. Now my only problem is, the player can easily cheat their score by using javascript methods/code in the browser. How can I do this?
The player can easily cheat their score by using javascript methods/code in the browser.
Obfuscation: If your goal is to prevent it from happening easily, you can obfuscate your JavaScript code. Edit: After reading #mickmackusa's link, IIFE's are a quick way to achieve what you're looking for.
Signatures: If your goal is to prevent it from happening ever, you should consider using a verifiable signature or hash. The more JS-heavy the app, the harder this can get. For example, if the signature is generated client-side via pure JavaScript, your code would still leak everything an attacker would need to fake the signature. The accepted design is to move the private components server-side where they can be protected.
Obfuscation is quite effective so as long as the burden of deobfuscating is far greater greater than the rewards (or risks) associated with an attacker figuring it out.
I have used this html5 Snake game on my website , but problem is that it can be hacked so easily .
http://cssdeck.com/labs/classic-snake-game-with-html5-canvas
Hackers can inject scores and submit their own scores.
Is there anyway to protect score variable inside the script not to be injected by clients ?
Not as long as the game is implemented entirely on the client side. The "solution" is to implement the game rules and storage on the server side, and have the client be mostly UI, but this might be overkill for such a simple browser game.
You could make it harder by obfuscating the code, but that would only stop people who don't actually care.
If the game is deterministic you could keep a log of all game "events" and send that to the server, where the score would be calculated. This would make it more work to fake a score, but it would still be possible to fake, and it would also be a lot of work to build such a system.
I have been requested to make a port of an iOS game for Facebook.
The game itself is fairly simple, it is a puzzle game using a 2d array for a grid with XML passed from a server for loading objects onto the the grid, to create levels.
The game will ask questions at stages which will be passed to my server and stored for research purposes.
Some questions for those with experience.
What front-end options do I have with Facebook?
I have looked into both Flash and HTML5/js both of which i have little to no experience in (I'm experienced in Java/C#/Ruby + Rails).
Javascript seems like a nightmare from what I have read, even looking into javascript game engines, but at least it is free.
My backend will most likely be rails for handling server logic.
Summary(because I ramble too much)
-Is javascript for programming games really a problem for simple games on Facebook?
-Are js game engines worth using? Does anyone have any experience with them?
-Would prevention of cheating be possible with a js/rails game, do server side checks work?
-Are there any alternatives for a front end for someone with C#/Java/Ruby background?
I've never seen any Unity or Java apps on Facebook(I don't use it much) and I don't know if the licensing will be an issue for this research project.
Any input from those experienced would be greatly appreciated, I feel a bit lost with all the potential options.
Answers to the summary
-No, it is not a problem.
It brings with it certain challenges that will need to be understood, but it is a mature platform with loads of online documentation
-Definitely, but maybe not even necessary. It doesn't sound like your game is that complex, so you can probably feel comfortable trying any engine and seeing where it takes you. You may be more in need of data frameworks to deal with synchronization and management of state. I can't really recommend much without knowing more.
-Yep, preventing cheating is definitely possible. If banks can prevent arbitrary money exchange or invalid transactions, you can prevent cheating in a facebook game. You'll have to validate a lot on the server side, but that's par for the course.
-Besides flash, no. It's a javascript world out there. Flash has a lot of potential for serious games in the future, but if I were new to both I would probably bet more on JavaScript for the various other benefits it brings to the table (general web interaction, server side programming, etc)
If you are unconvinced of what JavaScript is capable of, head over to a site like chrome experiments to see what people are squeezing out of browsers nowadays.
I'm currently developing a game using JavaScript/JQuery. It's a simple brick breaker type of game keeping score, levels etc. I'm planning on implementing a leader board that users can submit their final score to. The only problem I see with this is users manipulating the score using developer tools on most browsers. I understand that keeping things server side will resolve most of these issues, however if there is a high volume of users, it will hit my server hard with requests. Cookies - Easily changed client side. I'm honestly out of logical ideas to promote fair game play because there is ALWAYS people who seek to cheat/become top of the leader board. With that said, what's an efficient and effective way to keep track of the user's score without giving them access to changing it?
Make the page submit a complete replay of the game rather than just the final score. Given the random seed and a frame by frame record of user inputs, your server should be able to simulate and reconstruct the game and verify the score.
Obviously the replay can be faked too, but it would amount to so much work (actually playing the game and actually getting a good score, albeit with the unfair advantage of AI assistance, slowing down and other client hacks) that tool-assisted scores should deserve to be in the leaderboard.
Obfuscate their score by creating an equation that can only be calculated on the server side.
Edit: RobG is correct in that it will need to be calculated on the client side.
I hacked the Angry Birds game when it launched on chrome:
http://wesbos.com/all-levels-html5-angry-birds/
However, they have since obfuscated the code so much that its impossible to figure out which function calculates the hash..
You can't guarantee no cheating, it's impossible. The server responds to requests, that's it. It has no idea what code is running on the client, what type of user agent or environment it's in or even whether it's running your code or a facsimile.
You can take various steps to make spoofing more difficult, but you can't make it impossible. The cost of such measures (usually seen as "security") is usually balanced with the value of the asset being protected.
An idea I had was to use a game-timer. If the user changes the score to an amount that is obviously not possible given the amount of time that has passed, refuse to log the information. You could start the timer and check the timer in your server-side script.
Now of course if they change the score only by a few points this checking may fail, but, if they only add a less than impacting amount then maybe it won't matter to you as much?
Never put anything on the client. The client is in the hands of the
enemy. Never ever ever forget this.
-- The Laws of Online World Design
You could also make the leaderboard less important, by only sharing scores with 'trusted' friends. Or simply allowing people to share their score on any social networking site.
Maybe this removes the primary motivation to cheat in the first place.
You could then always compare the score implicitly with statistics you gathered, to tell if somebody is doing good or not.
Base64 encode your javascript page. That should stop people some people.
Link: http://www.opinionatedgeek.com/dotnet/tools/base64encode/
HTML5 will be widely adopted as a way to design games, is the prediction. But I have my questions about this: how can an online HTML5 game ever be secure?
Let me give you an example: imagine this platform game where you gain badges when you win, for example, an extremely hard level. When you have actually won this badge, a request is made to the server, in order to update your online profile. Isn't it extremely simple for a hacker to just send this request and gain the badge, without playing the actual game? Because:
The client-side source code is visible and impossible to hide
It is possible to execute Javascript from the command-line
I don't see a way to prevent this hacker from gaining his badge... Is there any way to make this game safe?
Yes, if you designed your game like that, it would be very easy to hack. But why is this specific to HTML5? You could do that with any type of game that was written like that. Even with a native desktop game you could still fake the request. The only difference is that faking HTTP requests is easier than reverse-engineering requests made by a desktop game.
The solution would be to add some kind of "validation" to the victory--the actual algorithm would vary from game to game. Maybe have the server track the game's progress while the user is playing. If it were a game of chess, for example, you could send every move to the server and have the moves validated to make sure they work out correctly. This gets more complicated with real-time games, though.
But whatever algorithm you decide to use, it will be defeated. Even the chess validation that I just mentioned could be bypassed: you could just "create" your own valid game of chess and just send the same moves to the server every time, ensuring that the game was valid. (This is assuming that the player is against a computer--having two humans play against each other would make things easier.)
It's no different from any Flash-based game or indeed a game with a downloadable client like World of Warcraft. Anything integral to the game's fairness has to be handled on the server.
One way that HTML5 can be more secure is that you can change it at any time. So let's say you have an AJAX call to provide a user with a reward. You could periodically change the signature of this call, so that 'cheats' would no longer work. Be sure to keep track of players that are still using the old API, and you can penalize the players using the cheats.
No, this won't solve all of your problems, and there are ways the most savvy players will be able to work around this (depending on how elaborate your changes are), but it does provide some way to deal with this, especially if your game requires significant investment. Players may not be willing to risk their progress if they feel like there is a chance they'll be caught. Just make sure you have a clear code of conduct that details punishments for cheating.