Obfuscation Techniques Are Not Enough: Building Robust High Score Validation
Obfuscation techniques like code obfuscation, user input sanitization, and simple client-side validations are often used by game developers to protect against hacking game scores and mechanics. However, skilled hackers can bypass these defenses leading to compromised game economies and leaderboards. More robust validation directly within the game’s core logic is required.
Reviewing Common Obfuscation Techniques and Why They Fall Short
Obfuscating game code aims to make it more difficult for hackers to analyze and modify execution flows. Common techniques include stripping symbols or names, encoding strings, flattening control flows, and inserting dead code paths. These impose an additional reverse engineering burden for hackers. However, dedicated hackers have automated tools that can analyze and de-obfuscate game binaries. Code injected dynamically is also resistant to static obfuscation defenses. Ultimately, code obfuscation only delays when protections will be bypassed.
Sanitizing improper user inputs is another approach to prevent code injections from client requests. But this is also largely ineffective once the game code itself is exposed. Hackers can identify validation points and directly invoke internal methods. Input management cannot protect internal state and execution flows.
Game clients also often implement score validation locally before sending to servers. But hackers can easily bypass client-side protections by modifying the game binary directly. These validations give the illusion but not reality of security against hacking.
User Data Vulnerabilities in Game Design
A core reason obfuscation defenses eventually fail is that game mechanics require user data. Game state must reflect in response to user actions to drive gameplay and scoring. This creates innate vulnerabilities in exposing and changing state values.
For example, strategy games have visibility into resource levels, unit stats, tech trees researched, and complex simulation states. Shooters track health, ammo, accuracy percentages, etc. Even simple mobile games track progress, power-ups unlocked, currencies, and more. Each element the user sees, interacts with, or has impact game outcomes is a potential target for hacking.
Further, stored user data for profiles, certain game modes may be persisted insecurely. Staging or transitional values during gameplay events also create windows for state tampering. Obfuscating code itself cannot address these fundamental design-level vulnerabilities.
Building Validation Directly into Core Game Logic
To effectively mitigate hacked game states, validation has to be deeply integrated at key execution points. Critical transitions in game state must be verified before and after occurring at a logical level, not via superficial protections.
For example, a hacking tool tampers with arrows in an archery game before they get fired to set them on perfect trajectories. To combat this, directly validate arrow initialization state right before launch. Then re-validate after impact to confirm expected results. Any mismatches expose state tampering.
Likewise if extra resources get hacked into an RTS, validate gathered amounts at time intervals. Confirm buildings show costs properly, grid power values match expectations per tick, etc. The game modules have the best contextual state insight to perform these reasonability checks.
Integrating more validations drives up complexity for hackers to unweave cheat modifications from normal game flows. They must deconstruct validations and then re-construct hacked states to satisfy them all for undetectable cheating. Expanding this technical debt makes hacking economically unviable for most.
Example Implementation: Server-Side High Score Validation
Leaderboard scores offer perhaps the highest incentives and visibility for hacking. They lead to community status benefits, disproportionate rewards, and are public records of player progression. As such high scores require robust server-side validation before global publish.
Consider an endless runner game recording distance scores across attempts. Each device collects scores locally then synchronizes them to the cloud after. But locally stored scores leave ample room for tampering before they ever reach backend validation.
To address this, build a projection model locally profiling distance per time unit historically. Locally validate scores by aligning to projected trends within tolerance thresholds before allowing them. Outliers suggest tampering and exclude from leaderboards.
The server can perform more sophisticated validation leveraging aggregations across the global user base. Simple statistical filters identify extreme outliers mathematically for deeper inspection before finalizing. Running behavioral change detection across player score time series could indicate sudden unrealistic spikes.
These validations frustrate hackers by narrowing viable tampering windows down to narrow conditional branches in execution flows. This rapidly diminishes practicality.
Local Validation as a Secondary Defense
While server-side validation offers the most control, adding defense-in-depth with client validations provides additional protection, especially for real-time gaming interactions.
Having basic checks executed before state changes propagate can help block modified flows originating from client tampering. Although hackers can ultimately bypass client-side logic themselves, adding these speed bumps increases difficulty.
Consider if health thresholds get manipulated in a mobile fighting game. Implementing rapid local checks that hero health delta changes stay within permissible ranges for nearby enemies can avoid directly triggering unwanted outcomes before the server responds.
While lag between client modification and server validation exposes some risk windows, adding redundant layered validations reduces them. Logging all intermediate suspicious states also allows analytics and bans of offending accounts.
Ongoing Maintenance for Evolving Exploit Methods
Exploits and hacking tools continually evolve requiring ongoing defense investment. As new game code vulnerabilities get discovered over time from updates, hackers weaponize them in novel cheat suites even against validations.
Plan to iteratively enhance validation points, diversity of checks, and detection patterns. Regularly inject controlled devious inputs to probe protections for weaknesses before hackers do.
Watch for unusual usage spikes, activity anomaly signals, and ban circumvention attempts as indicators of newer manipulation techniques requiring adjustments.
Prioritize costs appropriately against risks when adding validation friction during development. Unnecessary checks bog down system performance which also degrades player experiences.