5

As far as I know, it's really not possible, but I just want to be sure before I'm moving to flash.

can I make an html5 game secure enough so people won't be able to change their score and other variables while playing?

thanks!

ufk
  • 2
    (Possible) duplicate of http://stackoverflow.com/questions/2978976/html5-multiplayer-game-security-solutions. Please, don't move to Flash because of "security through obscurity". Flash games can be as easy or easier to cheat with. – MvanGeest Aug 02 '10 at 11:02
  • 2
    How do you expect Flash to prevent cheaters from submitting fake scores? – Jesse Dhillon Aug 02 '10 at 11:03
  • Yeah, I guess you are right. Both Flash and HTML games need to have a strong game engine at the server that actually receives all the movements and button presses, and the server should send the user the scores, not the other way around. – ufk Aug 02 '10 at 13:00
  • They don't need to receive each button press, they just need to receive a client's reported state and verify that the state they claim to be in is legitimate. E.g. they are not trying to claim that they went from 50 health to 5000. – Jesse Dhillon Aug 02 '10 at 17:28

4 Answers

8

There is no "depends", the straight answer to your question is "no" and I think my fellow answerers simply muddied the waters.

You cannot trust the client. With any language, whether you're writing assembly or HTML or Flash, you cannot trust the client. No matter how much you wrap your code in obfuscation and such, it can and will be figured out (and often quicker than you might think).

This is stressed everywhere and yet people keep getting bit by it. Online games get "speedhacked" because they don't check the velocity of players, or they get item duplication because they don't verify that a player actually has an item that they're trying to do something with, or the lame little flash games get hiscore entries of 9999999 because a simple tool like Tamper Data (a Firefox add-on) is all it takes to change the score as it's sent to the server.

You can't trust the client, whether HTML5 or Flash.

If it's a single-player game, let the player cheat. That is their decision. If it's a multiplayer game, the server verifies every step of the game and anything outside of the rules is thrown out. If it's hiscores, send a replay of the game to the server and analyze it for any cheating rather than sending just a numeric score.

Ricket
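The replay check described in the answer above, as an added example that is not part of the original post: a server-side verifier for a constructed toy game that recomputes the score from the submitted inputs and rejects anything outside the rules. The grid size, coin layout, scoring and the `verifyReplay` name are all assumptions made for illustration.

```javascript
// Added example: server-side replay verification for a constructed toy game.
// Assumed rules: the player starts at (0,0) on a 5x5 grid, may move one
// cell per tick, and earns 10 points for each coin reached.
const GRID = 5, MAX_TICKS = 20, COIN_VALUE = 10;

// The coin layout is chosen by the server for the session, never by the client.
const SESSION_COINS = [[1, 0], [2, 2], [4, 4]]; // constructed sample data

function verifyReplay(replay, claimedScore, coins = SESSION_COINS) {
  if (!Array.isArray(replay) || replay.length > MAX_TICKS) {
    return { ok: false, reason: "replay missing or too long" };
  }
  const remaining = new Set(coins.map(([cx, cy]) => `${cx},${cy}`));
  let x = 0, y = 0, score = 0, lastTick = -1;

  for (const move of replay) {
    const { tick, dx, dy } = move ?? {};
    if (![tick, dx, dy].every(Number.isInteger)) {
      return { ok: false, reason: "malformed move" };
    }
    // Ticks must strictly advance: rejects several moves in one tick.
    if (tick <= lastTick || tick >= MAX_TICKS) {
      return { ok: false, reason: `bad tick ${tick}` };
    }
    // Exactly one cell per move: no teleporting, no diagonal jumps.
    if (Math.abs(dx) + Math.abs(dy) !== 1) {
      return { ok: false, reason: `illegal step at tick ${tick}` };
    }
    x += dx; y += dy;
    if (x < 0 || y < 0 || x >= GRID || y >= GRID) {
      return { ok: false, reason: `out of bounds at tick ${tick}` };
    }
    // Each coin counts once; revisiting a cell earns nothing.
    if (remaining.delete(`${x},${y}`)) score += COIN_VALUE;
    lastTick = tick;
  }
  // The recomputed score is authoritative; the client's claim is only compared.
  if (score !== claimedScore) {
    return { ok: false, reason: `claimed ${claimedScore}, replay yields ${score}` };
  }
  return { ok: true, score };
}
```

The stored high score should be the `score` field the server computed, not the number the client sent.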
2

since your users can see all the source code this is a rather complex problem. they can easily change any function or variable at runtime without your script ever knowing, even if you use a complicated signing function to validate the results.

and i am sorry but i don't think Colin's way would work either. i could just change any input to make the server do whatever i want.

maybe a constant monitoring of the score thru the server would be able to detect any impossible changes. still someone cheating in the realms of "possible" results would be uncaught.

in the end i would say u can only make it rather difficult to cheat but not impossible for someone with a little bit of skill.

don't use it for any games where u can win something by scoring the highest.

since the matter seems rather puzzling to people:

flash delivers compiled swf files, that cannot (since flash 9) be decompiled to something useful, so u can put a secret in there which you use to sign the score. i.e. send the score and the md5 of score+secretkey, so the server (which also knows the key) can check it. furthermore flash variables are not so easy to tamper with (you would have to find them in ram and alter them there, which is a very complex task), while javascript vars can be easily edited using, for example, webkit developer tools

update

actually i correct myself => all swfs can be decompiled this just leaves us with code obfuscating and "encrypting"

i guess the world is a bad place after all ;)

elmac
  • btw flash can be compiled so the user can't "look" inside any "secret" signing functions. and no i am not talking about the old swf decompiler stuff. flash 10 doesn't decompile to anything useful – elmac Aug 02 '10 at 11:16
  • I was with you until "don't use it for any games where u can win something by scoring the highest". That counts against Flash and most other web technologies. It's perfectly possible to intercept and alter the data going back to the server "with a little bit of skill". – Olly Hodgson Aug 02 '10 at 11:17
  • yes but u can crypto sign the score sent to the server with a secret unknown to the user. i.e. md5 of (score+secretkey) along with the score. in flash the user wouldn't be able to decompile the swf (since flash 9 or so) while in js the user can just look it up – elmac Aug 02 '10 at 12:31
  • @arjantop after reading about latest decompilers for a while...it seems all swfs can be decompiled today...wasn't like that in the old days ;) so this just leaves us with the good old obfuscating and "encrypting" – elmac Aug 02 '10 at 15:55
  • -1 This answer doesn't provide a solution or enhance the understanding of the question. – Jesse Dhillon Aug 02 '10 at 19:50
1

One Thought!!

You may use Knockout.js to modify your score and other variables as observable properties. The steps are:

  1. Create a ViewModel for your game
  2. Create observable properties for all the variables (i.e. score)
  3. You need to store the score in cache so that you can access it when a new score arrives.
  4. Attach a custom subscriber to these properties and write logic to check that the score is updated by one "UNIT" at a time (by unit I mean how much you expect to update the user's score at a time). The difference between the last score and the current score should not go beyond the "UNIT"
  5. Update the score as ViewModel.Score(newScore); //this would fire an event to the subscriber of the observable property.
Vijay
1

Depends on the way your game is coded, but if all the logic is sent to the client and only the score returned then you have no hope. Only by returning the inputs and calculating the score on the server side can you try to prevent the users submitting any score they wish.

Don't forget, by definition the user must change their score or it could never be more than 0...

Colin Pickard