Menu
I'm building a server-side API and client-side library for a JavaScript-based game where two very important features must be secured.
Solving the first problem seems simple; at the beginning of each play we hit the API, debit the user's account and return a unique Play ID. When we submit the user's score for that play, we pass the ID issued at the beginning.
The second one has me a little stumped. Initially I considered a client-side hashing algorithm based on the ID and the score, but quickly realized that the Javascript that produces the hash could easily be reverse-engineered, even if it was obfuscated. At this point I considered a small flash component that generates the hash, but I've heard that even compiled flash can be decompiled.
For added context, I plan to build the server side API in Ruby.
I'd love to hear any suggestions the clever programmers of Stack Overflow have to offer. Thanks for your time!
Edit: The answer by Homer6 below is a very good solution for more sophisticated games, but unfortunately the simplicity of this game doesn't merit a method like that. It's a very short-play time based game, so the score is just the time it takes you to complete a level.
638
Make the server-side part of the game.
You could make the API only receive actions in the game. So the scoring is done server-side. While this will be more intensive, it's harder to fake.
Of course, people could still write bots for it if they're clever. This also adds the latency of server interactions to the gameplay. If there's a way to make the requests non-blocking, it may work.
HTH
135
As a rule of thumb just assume that anything in the client side can be faked.
23
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
