Saturday, 7 February 2009

Silverlight Secure High Score Service

Just to qualify this, I'm not building any games but it has occurred to me that there is a challenge in building a secure High Score Service for games.

I'm now of the opinion that it is probably such a challenge for the average casual game developer that it is probably worth someone developing a service (and library code) for other casual game developers to use.

Here is the reason it is a challenge. If you implement a simple service where the Silverlight application simply sends the high score back to the server, it is easily manipulated.

Just grab Fiddler, capture the request, modify the high score, and send it back.

So now to stop this sort of attack you need to bring in lots more mechanisms.

Some thoughts are:

  • Encryption
  • Capturing of in-game data
  • Hashing with GameId
  • Hashing with SessionId

I guess it depends on how far you want to go: total security, or enough of a deterrent.

Even if the request is encrypted and cannot be tampered with, you could reflect the game and work out the logic.
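The "Hashing with GameId" and "Hashing with SessionId" ideas above can be combined with a single-use token issued by the service at the start of each game. The following is an added sketch, not code from the original post: `HighScoreService`, `sign_score`, `CLIENT_SECRET` and the message layout are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret shared by the game client and the service. Anyone who
# decompiles the client can recover it, so this is a deterrent, not a guarantee.
CLIENT_SECRET = b"constructed-demo-secret"


def sign_score(game_id: str, session_id: str, token: str, score: int) -> str:
    """MAC binding the score to the game, the session and a per-game token."""
    fields = [game_id, session_id, token, str(score)]
    # Length-prefix each field so the field boundaries are unambiguous.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(CLIENT_SECRET, msg, hashlib.sha256).hexdigest()


class HighScoreService:
    def __init__(self):
        self._open_games = {}  # token -> (game_id, session_id)
        self.scores = []       # accepted (session_id, game_id, score)

    def start_game(self, game_id: str, session_id: str) -> str:
        # Issue a single-use token when a game starts.
        token = secrets.token_hex(16)
        self._open_games[token] = (game_id, session_id)
        return token

    def submit(self, game_id, session_id, token, score, mac) -> bool:
        # pop() consumes the token, so a replayed request finds nothing here.
        issued = self._open_games.pop(token, None)
        if issued != (game_id, session_id):
            return False
        expected = sign_score(game_id, session_id, token, score)
        if not hmac.compare_digest(expected.encode(), str(mac).encode()):
            return False  # score or another field changed after signing
        self.scores.append((session_id, game_id, score))
        return True


def demo():
    svc = HighScoreService()
    t1 = svc.start_game("game-1", "session-A")
    m1 = sign_score("game-1", "session-A", t1, 1200)
    t2 = svc.start_game("game-1", "session-A")
    m2 = sign_score("game-1", "session-A", t2, 1200)
    return [svc.submit("game-1", "session-A", t1, 1200, m1),    # genuine
            svc.submit("game-1", "session-A", t1, 1200, m1),    # replayed
            svc.submit("game-1", "session-A", t2, 999999, m2)]  # edited score
```

The service accepts the genuine submission once and rejects both the replay and the edited score; it does nothing against a client that has been decompiled to extract the secret.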

I will ponder this some more, however

4 comments:

ITBytes said...

Hi Chris, I'm looking at the same thing myself. I've gone the ASP.NET membership route. So far so good, but it does require that the game user logs in. But that's pretty much what a lot of modern games force you to do these days.

chrishayuk said...

The ASP.NET Membership route still doesn't prevent the user from modifying the high score.

All you need to do is capture the request in Fiddler (including your session id), and then replay the request (still in Fiddler) but modify the high score to the value you want (if it's in the clear, and no levels of encryption).

The ASP.NET Membership is totally reliant on the passed session id, which you can capture in Fiddler and replay as you require.

chrishayuk said...

Looking into this further, it seems like the Flash games community has the same issue.

They seem to have concluded (roughly the same as I have) that it will not be totally secure, but at least you can make it harder.

ITBytes said...

Yes you're right, the membership provider restricts the cheating to you! So as you say you'll still need some form of deli-token style protection. If the game can request a token at the start of each game then this might be easier to implement.