Avoid Leaderboard Hacking on Game Center - objective-c

Has anyone found a way to avoid leaderboard hacking on Game Center or at least make it more complicated?
You can see a video of HackCenter, a Cydia app that lets you submit any score you want here: Hack Center
Even though that application is not supposed to be available on the Cydia Store we've all seen scores that are obviously fake on several games on the AppStore. Unlike the score submitted on that video, the fake scores are usually ridiculously high and they discourage other players, since they can never reach the top of the leaderboard.
I haven't been able to find out how the hack is accomplished (I presume they intersect the http call and just replace the score parameter with whatever they want?).
Any insight is appreciated.

The problem stems from allowing users to generate their own score data device-side. This would be a lot harder if all the score related calculations were done server-side and then posted to the score-board (I don't know how your app works, so I can't recommend a specific technique).
I think the BEST thing you can do is record data about HOW they got the really high score for review later by you. That may be impossible depending on your game's structure. It also might be forge-able depending on your game's structure. For example, some game scores are impossible to get in-game just due to the physics on how the game works. This in my opinion is your best defense against it. Sadly, that requires monitoring it all the time....
Also, even if you can verify fake scores, someone could continually forge fake scores all day long and you'll never be able to keep up with it. Someone's score submission bot will win in the end. It's not human, you are. It can post fake scores all day, you can't watch for fake ones all day, you can't verify 1000s of fake submissions. Trying to verify anything that is generated user-side (such as device ID, app being installed, etc...) is pointless. It can be forged. IP addresses are meaningless too. Your app is on a mobile platform that can get a brand new IP all they want from the cell company. Tracking single legit real users is very hard if someone wants to hide from you because of this.
Maybe you can have some kind of app purchase verification with the help of Apple too. That would make it easier for you to ban offenders. They would have to pay you to forge your leaderboard, lol.
That's just my 2 cents, I hope it helps.

Because they're doing an HTTP intercept, there's unfortunately nothing you can do. I've even found setting the max score for the leaderboard in iTunes Connect has no effect.
A game I worked on never serialised the score to disk - so it couldn't have been changed there - and set max score to 30m. Yet the leaderboard was full with IntMax scores within hours of launching.
Hopefully Apple will have some fixes coming in WDC13 because as it stands, the worldwide leaderboards are useless.

You could try checking if the user has that thing installed I guess and then disable them from entering a high score if they have the app.
I personally would just check for Cydia:
[[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://"]]
I am not sure what the URL for Hack Center is exactly but maybe you could try guessing it a couple of times. I would guess 'cydia://hack_center' or something like that. And then once you find the URL, replace 'cydia://' with it.

Have two hi score tables: those with Cydia, those without :P

You can also set up your own server and use proper authentication and encrypted channels to upload scores and then just compare what's in your server vs what's in GameCenter... You still need to clean up the leaderboard, but at least you will know what to remediate and which users to put on a blacklist.
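As an added example (not code from any of the posts above), the "record HOW they got the score" idea and the "compare your server with Game Center" idea can be combined: the server recomputes each score from an event log and then flags public leaderboard entries it never verified. The scoring rules, limits and player names are hypothetical.

```python
# Hypothetical game rules, assumed for this example only.
POINTS = {"coin": 10, "enemy": 50, "boss": 500}
MIN_GAP_MS = 100               # fastest two scoring events can follow each other
MAX_SESSION_MS = 10 * 60_000   # a round cannot last longer than ten minutes


def recompute_score(events):
    """Rebuild the score from a (t_ms, kind) event log; None if the log is impossible."""
    score, last_t = 0, None
    for t_ms, kind in events:
        if kind not in POINTS or not 0 <= t_ms <= MAX_SESSION_MS:
            return None
        if last_t is not None and t_ms - last_t < MIN_GAP_MS:
            return None        # out of order, or faster than the game allows
        score += POINTS[kind]
        last_t = t_ms
    return score


class ScoreServer:
    def __init__(self):
        self.verified = {}     # player id -> best score the server recomputed

    def submit(self, player, claimed, events):
        """Accept a score only if the event log reproduces exactly that score."""
        actual = recompute_score(events)
        if actual is None or actual != claimed:
            return False
        self.verified[player] = max(actual, self.verified.get(player, 0))
        return True

    def reconcile(self, leaderboard):
        """Return players whose public score exceeds anything verified here."""
        return sorted(p for p, s in leaderboard.items()
                      if s > self.verified.get(p, -1))


# Constructed sample data: one honest run and one forged submission.
server = ScoreServer()
honest_ok = server.submit("alice", 560, [(1000, "coin"), (1500, "enemy"), (9000, "boss")])
forged_ok = server.submit("mallory", 2147483647, [(0, "coin")])
# Constructed stand-in for a leaderboard export from Game Center.
flagged = server.reconcile({"alice": 560, "mallory": 2147483647})
```

A forged log can still pass if it obeys the rules, but it can no longer exceed what the game's own limits allow, and the reconcile step gives a concrete list of entries to remove.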

Related

A strange problem with the last step of the Oauth2 authentication

Well, like the title suggests, I am having a strange problem with the API OAuth 2.0. I wanted to play with the API in the sandbox before deploying live, like any sane person, to start pulling call recordings. Well, when I was setting up the OAuth it was a pain, but I got it to work, or at least I thought so until it asked me to add an address for the sandbox profile after accepting all the other steps in order to go any further. Every time I tried to add the address from the Zapier login window it kept telling me it failed and to try again later. I thought no big deal, I will just add it from the user profile, and well, what do you know, that didn't work either. I then made a new extension with a new number and email to see if it was just the account that was messed up, or if the dev account couldn't use the API for whatever reason, but again no dice, same problems all the way down. I even tried using three different browsers to see if anything would change but no dice (not like that really matters, everything is Chrome-based these days). I am wondering if anyone else has had this problem, or did I miss something really simple that I am clearly overlooking, since I am running on 4 hours of sleep for the last two days.
If anyone could help I would appreciate it, love a very tired programmer.
In case anyone runs into the same problems, make sure when making a POST request to RingCentral you put the parameters in the body of the request.

Is it feasible to let users run dedicated videogame servers with no user accounts?

I apologise if something like this has been answered before, I just can't figure out a good way to word my question well enough to include all details about my problem.
I'd like users to be able to host servers for my indie game in a way virtually identical to, for example, Minecraft. I don't want any official servers, the game is mostly intended to be played with friends and not random strangers.
I've thought of many ways to accomplish this but I could never solve one important detail - I want the server to be able to remember users and put them where they left off when they reconnect (give them their character, the character's inventory, etc).
But any solution I could find or think of either made it potentially very easy to steal someone's character and connect to the server pretending to be them, or required me to make players have a way to register with accounts, something I can't afford to host myself.
I guess what I need is a way for the server to send a token to a new connecting player, and then have a way to see if the player sending that token back is the same person, and not an attempt to replicate the token. That to me sounds like public key cryptography, but the game engine I'm using doesn't seem to have any libraries for that (unsurprisingly), and I certainly am not qualified to make a library like that myself. But maybe there's an easier solution I'm somehow missing.
This might be a stupid question, but I hope it's worth a try asking. Thank you in advance for any help. Sorry I was so wordy by the way.
TLDR: I want users to host game servers that can remember reconnecting players without risk of players' progress being stolen.
If you have not already, look into sessions. Session cookies. But also setting up a basic log in system with php or whatever server code your server uses is not hard, and most basic hosting provide the mysql and php needed to do a basic log in page, you just have to code it yourself.
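The token idea from the question can be built without accounts or a public-key library. This added example (not from the thread) swaps public-key signatures for an HMAC challenge-response over a per-server secret; the class and function names are hypothetical. It assumes the secret reaches the client on first join over a channel an eavesdropper cannot read.

```python
import hashlib
import hmac
import secrets


class GameServer:
    """Remembers players by a per-server secret handed out on first join."""

    def __init__(self):
        self._secrets = {}   # player id -> secret issued at registration
        self._pending = {}   # player id -> nonce awaiting a response

    def register(self):
        """First join: mint an id and a secret; the client stores both locally."""
        player_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._secrets[player_id] = secret
        return player_id, secret

    def challenge(self, player_id):
        """Reconnect, step 1: send a fresh random nonce."""
        nonce = secrets.token_bytes(16)
        self._pending[player_id] = nonce
        return nonce

    def verify(self, player_id, response):
        """Reconnect, step 2: check the response; each nonce is single-use."""
        nonce = self._pending.pop(player_id, None)
        secret = self._secrets.get(player_id)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret, nonce):
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


# Constructed exchange: a legitimate reconnect, then a replay of the same bytes.
srv = GameServer()
pid, secret = srv.register()
nonce = srv.challenge(pid)
answer = client_response(secret, nonce)
first_try = srv.verify(pid, answer)    # legitimate reconnect
srv.challenge(pid)                     # attacker triggers a new challenge
replay_try = srv.verify(pid, answer)   # captured response fails on the new nonce
```

Because the secret is issued per server, a dishonest server host learns nothing that works against the same player on a different server.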

Location-specific (GPS-based) apps and the Apple Review Process, should they work without GPS too?

I was wondering if anyone has any experience of submitting location-specific apps to the Apple App store.
What I mean by location-specific is an app that only works when you are at a particular location. For example, a GPS tour of a historical battleground might have content that is triggered at particular lat/long coordinates when the user is at the actual physical location.
So my question is: In order to make the app be likely to be accepted on the app store do I..
(1) Not worry about it as there's evidence that the Apple Reviewers have some way of simulating the GPS. I can then supply lat/long coords to the reviewers so they can experience some of the content.
or (I suspect more likely)
(2) I need to make it work anywhere in order for the reviewer to see at least some of the content (e.g. have a menu or map interface that allows direct access). This could be a 'secret' option explained in the review notes accessed via a special key combination or something.
Has anyone else run into a situation like this?
Regards,
Ben
Edit: Thanks for the responses. My app has now been accepted by Apple. Interestingly I didn't need to make the app work anywhere or add any new methods of using the app at all, they simply asked me for a video of the app in action. I made a YouTube video of the app (unlisted of course) and sent it to the reviewers.. and now it's accepted! I was very surprised that this is how it worked out!
I asked this same question (and answered it myself) a while back. I basically added a "Drop Pin" feature so the testers (and users) could pretend to be somewhere else.
I submitted an app recently that "works anywhere" (and uses GPS) but "works best" in New England when looking for data (on our server) that is near your current location. The app also supports entering a city & state or zip code to perform searches. So, in the submission, you can tell the reviewers how to test it, and we explained the nature of the app and how to test the functionality by using specific New England locations. The app was approved, for what it's worth.
Basically, when you submit an app, there is an opportunity to give the reviewers guidance. So definitely tell them what they need to know to make your app work for them, wherever they might be in the world! :-)

Solutions to protecting game high-scores

My friend proved it to me by taking the WP7 papertoss games and getting the .xap from it and then posting his own high scores.
Is there any foolproof way to stop this? (I think Xbox Live integration makes hacking the high scores impossible but that is for special people)
It depends first of all how the high-scores are sent. I can only assume that what your friend did was take the XAP and modify some internal file or track the HTTP web requests that are used to send the scores to the centralized locations. I have two recommendations for you.
Encrypt. Don't keep scores in plaintext. There are plenty of strong encryption methods that you can take advantage of that will render the scoreboard useless unless the person who tries to read it has the key.
If you send the scores to a web service, never send it in plaintext (once again). From my own experience I can say that web requests can be easily altered and sniffed. So if I see that the app sends http://yourservice/sendscore?user=Den&score=500, I might as well invoke http://yourservice/sendscore?user=Den&score=99999999. Same applies if you plan on using headers.
Be aware, that using the Xbox Live services is only possible if you are a registered Xbox developer, and this is not easy to get.
First of all - is a high score list really that critical that you're worried about an edge case (the common person isn't going to have a dev unlocked phone with ability to modify the *.xap file)?
Second of all, no. There's no fool-proof way to protect your high score list if it is being stored locally on the device. The only way to protect the high score list would be to store it in the cloud via a web service or some other mechanism.
It is tricky to have a secure high score system since users can always modify information on the client side. It's impossible to prevent a determined hacker from looking at your code, but you can make it more difficult by obfuscating your code. PreEmptive's Dotfuscator is currently free for Windows Phone 7 developers and also has analytics built in if you want to use it. This will obfuscate your code and make it harder to read your code. Although it's not fool proof, it's an extra hurdle for hackers to overcome.
The obfuscation would make it harder to find the encryption key you're using to authenticate the high score.

Avoid running of software after copying to next machine?

I have developed a small software. I want to provide and run it commercially only. I want it to be run in the machines who have purchased it from me.
If someone copies it from my client's computer and runs it on another computer, I would like the software to stop functioning/running.
What can be the ways to prevent the piracy of my software?
Adaption of one of my previous answers:
There are a few ways to "activate" copied software to try to stop casual copying of the application.
In the most simplistic case, a registration code ("CD key") is purchased from you, possibly via your website, and it is sent to the user who enters it into the program or installer. The whole process can basically be done offline; the program itself locally determines that the code is valid or invalid.
This is nice and easy, but it is extremely vulnerable to key sharing - since there's no "phoning home", the application cannot know that thousands of different people are all using the same key that they got off the internet or a serial library or their friend. It's also reasonably easy to make "keygens" which generate valid-seeming keys that were never actually issued by the developers.
Then we get into online registration. You still have some kind of code, but the program will phone home back to the server to determine whether the code is valid and usually unique. This stops basic key sharing, because the company knows if too many people from all over the world are all using the same key. Perhaps there is some kind of identification involved using MAC address, too, with infinite registrations allowed on the same hardware but maybe a limited number on what appears to be a different computer.
This is still pretty easy and stops simple key sharing. People will actually have to get into cracking the software or faking the server response to get past it.
Sometimes the program itself is partially/mostly encrypted and is only decrypted by the online registration step. Depending on how well this is obfuscated then it can be pretty difficult and time consuming to crack. Bioshock was a high-profile example of this - debuting with a brand new encryption/copy protection scheme that took around two weeks from release to be broken.
Finally, a particularly guarded application might stay in constant contact with the server, refusing to work at all if the connection is severed.
If you know for sure that all your users will all have reliable internet connections then it can be considered quite a strong way to protect the app, at the cost of privacy and some user distrust of the spyware.
In this case to get around the activation they would need to fake the server itself. Steam emulators and private WoW servers are an example of this.
And in the end, nothing is uncrackable.
In a nutshell: you can't.
Even very sophisticated systems (e.g. dongle keys) can be circumvented.
I guess your best call is to give a code to your customers and have an online check for that code, so that it cannot be used twice.
Of course, that can be circumvented too but...
As nico said you really can't.
A simple solution might be to generate (registration/activation) codes that are based on hardware or software installed on the particular computer - eg video card serial id or c:/windows creation time.
I have one idea; maybe it works.
What we can do: we will make an encrypted database field, and that field will be empty the first time. As soon as I install my software on some machine, it will read the MAC address + motherboard serial + processor ID, make an encrypted value from the combination of these three, and write it into the field which I left empty for the first-time use.
After that, every time, my application will read these three values, recreate the encrypted value in the same manner and compare it with the value of that database field. If the value of the database field and the regenerated encrypted value are equal, that means the computer is the same; otherwise it is installed on some other machine, and in this case you delete all the code and can make the system unstable to punish the person also :) ...
Please let me know about your opinion about this idea.
The best way is to use some sort of hardware-locking in which your license code contains encrypted info about the machine on which it will run. Your software will then check for this info and match it with the current computer and if the match is successful, the license is deemed valid.
Sure, any scheme can be cracked by someone on the face of the planet, but that does not mean you shouldn't use a protection scheme.
If you are looking for a ready-made scheme for this, have a look at CryptoLicensing.
Companies such as ours (Wibu-Systems), Safe-Net, and Flexera (expensive) offer dongle-free solutions as well as ones based on hardware. But _simon was right in that a dongle is the only iron-clad protection. All software-based systems can be cracked; it's just that some are more difficult than others. Really good hardware-based solutions are effectively uncrackable. No one has yet cracked the CodeMeter stick unless the implementation was flawed.
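The online registration scheme from the first answer (unlimited re-registration on the same hardware, a small limit on different machines) and the hardware fingerprint proposed in later answers fit in one short sketch. This is an added example, not code from any poster or vendor named above; the key strings, hardware values and the two-machine limit are constructed.

```python
import hashlib


def machine_fingerprint(mac, board_serial, cpu_id):
    """Hash the three hardware identifiers into one opaque machine id."""
    parts = (mac, board_serial, cpu_id)
    joined = "\x1f".join(p.strip().lower() for p in parts)
    return hashlib.sha256(joined.encode()).hexdigest()


class ActivationServer:
    def __init__(self, issued_keys, max_machines=2):
        # Only keys that were actually sold exist here, so a keygen that
        # produces well-formed but never-issued codes is rejected.
        self.machines = {key: set() for key in issued_keys}
        self.max_machines = max_machines

    def activate(self, key, fingerprint):
        seen = self.machines.get(key)
        if seen is None:
            return "unknown-key"
        if fingerprint in seen:
            return "ok"               # same hardware may re-register freely
        if len(seen) >= self.max_machines:
            return "machine-limit"    # key is probably being shared
        seen.add(fingerprint)
        return "ok"


# Constructed sample data: one issued key and three different machines.
server = ActivationServer({"AAAA-BBBB-CCCC"})
pc1 = machine_fingerprint("00:11:22:33:44:55", "MB-1001", "CPU-A")
pc2 = machine_fingerprint("66:77:88:99:AA:BB", "MB-2002", "CPU-B")
pc3 = machine_fingerprint("CC:DD:EE:FF:00:11", "MB-3003", "CPU-C")
results = [
    server.activate("AAAA-BBBB-CCCC", pc1),   # first machine
    server.activate("AAAA-BBBB-CCCC", pc1),   # reinstall on the same machine
    server.activate("AAAA-BBBB-CCCC", pc2),   # second machine
    server.activate("AAAA-BBBB-CCCC", pc3),   # third machine, over the limit
    server.activate("ZZZZ-ZZZZ-ZZZZ", pc1),   # well-formed but never issued
]
```

The fingerprint is reported by the client, so this stops casual key sharing only; as the answers above say, a patched client or a faked server response still gets past it.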