I am developing a small game (in Java) for a coursework and the extension I have decided to do is an online score board. As I thought might happen, a few people on my course have figured out how to hack the score board and submit their own scores.
I know there are a few problems in the current way of submitting scores, but here it is. The game generates a score, then does an HTTP GET on a URL with the options of the players ID, the score and a password.
I might changing this to be a POST as it might be more difficult to get the data for the password. Also, I am considering making it run over HTTPS (although I don't know if this is more difficult in Java). Unfortunately, this doesn't stop the main way that people found the password which was by decompiling the Java code.
I don't know the best way to prevent the hacking. I don't mind too much really, its not that important, but it would be nice to secure it so when the code is marked it doesn't have a load of spam on it.
What would be your suggestions on ways to obfuscate the code and/or secure the whole process?
Your approach simply doesn't work. When you need to secure something, you can't run it on the client.
Instead, the whole game must run on the server and users can only submit moves. That way, you can validate the moves (so players can't create illegal states) and calculate the correct score.
Everything else can always be hacked. If you don't encrypt the data, it can be hacked by using a network sniffer. If you use HTTPS, hackers can use a proxy to decode the data (man in the middle attack).
What one can do is changing from anonymous to user based tracking. This does not prevent faking, but makes it more trackable.
The basic protocol could be that a score board change is signed or encrypted using a session key. The session key is created upon logon of the player itself. Here you can work using an appropriate authentication system.
Now at least you know from which account a change has been made and can blame your student...
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With