Implementing secure achievements

8 comments, last by CalvinCoder 13 years, 10 months ago
What can be done to secure an online achievement system on the client and server side? How can I stop a user from watching packets sent from the game and spoofing his own for achievements? Or editing the game memory with a trainer? Does anyone know how this might be done by Steam and Games For Windows?

I know you can't make the client side completely hack proof, but are there any reasonable precautions I should take?
As long as no achievement has been detected server-side, why should it matter what the client thinks?
I would recommend making the achievement acquisition require an encrypted dialog between the client and the server. The client says "Hey, I just got this achievement". Then the server says "Okay, tell me what these specific stats are." Then the client responds with the stats, and the server validates that they're sufficient to warrant the achievement.

Read up on how to handle encryption, public keys, and private keys, and you should be able to figure out something that will work for you. It won't be absolutely secure -- nothing is -- but it should take a bit longer for your abusive players to figure out how to break it.
Jetblade: an open-source 2D platforming game in the style of Metroid and Castlevania, with procedurally-generated levels
Well it's not a multiplayer game. So the server is not receiving game state data. Is the best way to handle this sending the relevant memory locations to the server? Sounds like it would kill framerate.
It baffles me that "security" and "single player" ever share the same project. Why do people insist on protecting the single player experience? People cheating to obtain achievements is like a little league team purchasing trophies because they don't feel like playing the season to earn it. The achievement has significance because of where it comes from, not the achievement itself. It is a recognition from the game itself that something was accomplished. If people want to hack and give themselves achievements, who cares? You cannot save these people's self-worth issues by implementing achievement DRM. Little league trophies are extremely cheap and fragile, but they have meaning because they represent the hard work put in that season. Video game achievements are the same way.
Amateurs practice until they do it right. Professionals practice until they never do it wrong.
Single player games can still have public leaderboards, in which case it may still be important to protect the achievement awards. That's what I assume the OP was talking about.
Quote: Original post by TheBuzzSaw
It baffles me that "security" and "single player" ever share the same project. Why do people insist on protecting the single player experience? People cheating to obtain achievements is like a little league team purchasing trophies because they don't feel like playing the season to earn it. The achievement has significance because of where it comes from, not the achievement itself.


I find it interesting why people here often tend to assume this or that once a person asks a specific question.

Why couldn't it be possible to share the same project even if the game is single player? We have implemented several single player mobile games with hiscore upload and achievements which have been tailored for major campaigns in different places worldwide. In many of the campaigns, a key element has been competitions to win a prize of some kind. Although it's not possible to make it completely hack proof, it is still important to make sure you secure this enough to make it unlikely that the less skilled "hackers" will manage to cheat, while putting in enough speed bumps for the more skilled ones so it will take too much effort to gain anything (like that the competition will be over before they break the code).

@OP - I am by no means any expert in this area. What platform/language are you targeting? This is not highly relevant, I am just wondering as in many cases you already have tools helping you along the way with the encryption part, like using HTTPS to send your data. If you do not have the possibility to use HTTPS for instance, what we have done is to compile in either an encryption key or algorithm directly into the code. Though it should be noted that this is a bit like putting your car keys on the roof of your car and thinking no one will manage to steal it :) But it still prevents the less skilled ones from hacking the game easily. The more complex variants are of course to implement some key exchange algorithms but this can easily be taken down by the more skilled ones using some man-in-the-middle tricks.

So, unless you have a specific reason to secure the data extremely tight, my opinion is that it will be just fine to implement some simple key generation hack or compile in the encryption key into your code which is used to encrypt the data before sending, together with some tools for reporting suspicious values on the server side.

But like I said, I am not any expert in this but this has worked fine for us :)

Cheers!
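
Added example, not written by any poster in this thread: the claim / stat request / validation dialog suggested earlier, combined with the compiled-in key and server-side reporting of suspicious values from the reply above. It uses an HMAC tag for integrity instead of encryption, and the key, the rule table and the achievement name are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a key compiled into the client, as the reply describes. Anyone who
# extracts it can forge tags, so it is only a speed bump; the stat checks below
# are what the server actually relies on.
SHARED_KEY = b"constructed-demo-key"

# Hypothetical rules: the stats the server asks for and the floor each must reach.
# A play time under the floor is treated as implausible for this achievement.
RULES = {"speedrun_world_1": {"levels_cleared": 8, "play_seconds": 240}}

def new_challenge(pending, player, achievement):
    """Server: answer a claim with a one-time nonce and the stats to report."""
    nonce = secrets.token_hex(16)
    pending[nonce] = (player, achievement)
    return {"nonce": nonce, "want": sorted(RULES[achievement])}

def sign_stats(nonce, stats, key=SHARED_KEY):
    """Client: bind the reported stats to this nonce with an HMAC tag."""
    body = json.dumps(stats, sort_keys=True)
    tag = hmac.new(key, (nonce + body).encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "body": body, "tag": tag}

def verify_response(pending, player, msg, key=SHARED_KEY):
    """Server: return (granted, reason); every rejection reason is worth logging."""
    claim = pending.pop(msg["nonce"], None)  # single use, so a replay finds nothing
    if claim is None or claim[0] != player:
        return False, "unknown or replayed nonce"
    data = (msg["nonce"] + msg["body"]).encode()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return False, "bad tag"
    stats = json.loads(msg["body"])
    for name, minimum in RULES[claim[1]].items():
        value = stats.get(name)
        if not isinstance(value, int) or value < minimum:
            return False, f"suspicious value for {name}: {value!r}"
    return True, "granted"
```

The nonce stops a captured response from being replayed for another award, and the rule check runs on the server, so editing client memory only helps if the forged stats are also plausible.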
Quote: Original post by TheBuzzSaw
If people want to hack and give themselves achievements, who cares?
The other players on the global leaderboards. Any game that attempts to foster competition in highscores/achievements needs to provide at least some guarantee that other players are competing legitimately.

In reality, the only way to guarantee this is to make the game play of all ranked matches occur on the server, but without such draconian measures you can still provide at least deterrents to potential cheaters.

Tristam MacDonald. Ex-BigTech Software Engineer. Future farmer. [https://trist.am]

I suppose I don't play any single player games with public leaderboards. I just don't care about such achievements, but I see why security is a desirable thing in this case.
Amateurs practice until they do it right. Professionals practice until they never do it wrong.
Quote: Original post by swiftcoder
In reality, the only way to guarantee this is to make the game play of all ranked matches occur on the server, but without such draconian measures you can still provide at least deterrents to potential cheaters.


I second that. Well said swiftcoder!

This topic is closed to new replies.
