Flash and Highscores

[Ellie]

Hi, I was wondering what people generally do with high scores for flash games. I imagine they would be easily hackable, with tamperdata and such, and yet tons of flash arcades exist on the net that don't seem to have been compromised.

I plan (or hope to) implement flash files as minigames within Vengeance, which is a browser based game, to add something different and fun. But if submitting scores/data isn't secure then there is little point.

 

[gRaViJa]

Maybe switching to html5 for minigames is a solution? HTML5 is not yet complete but is useable already. And if you prefer to work with flash for these things you can also use Adobe Wallaby to convert Flash into html5. It's all still in beta, but it's very intresting for the near future.

 

[DeM0nFiRe]

Heh, that doesn't address his issue at all. He is concerned about the fact that the actual game is on the client side and it has to send the score information to the server. Whether you send it via HTTP or Sockets, the client can fake the data. The same issue applies to HTML

I've never tried to secure a flash game, but here are a few thoughts of mine.

What you can try doing is not just sending score information, but sending some information about the game itself. Send some information about how the score was achieved and check to see if the data actually makes sense. This would require doing special work for each individual game, though, which would not be ideal. Another option would be simply monitoring scores to see if those are reasonable. I am not sure how you could guarantee that scores cannot be tampered with, you can really only make it less easy, I think. The problem is that you are assuming a corrupt client, which means most well tested means of security don't really work.

Other key things to consider are that your flash game can and will be decompiled, so make sure that there's nothing in the flash file that gives away any information about what happens on the server side. Basically, you just want to send whatever data the server needs and let the server do as much processing as possible.

 

[gRaViJa]

Heh, that doesn't address his issue at all. He is concerned about the fact that the actual game is on the client side and it has to send the score information to the server. Whether you send it via HTTP or Sockets, the client can fake the data. The same issue applies to HTML

If you work with html5 + PHP you can use things like https and encrypt scores with md5 and at least a part of the game will be PHP aka serverside? I haven't made anything like this yet, but i think the previous things can be handy tools to secure a game.

 

[DeM0nFiRe]

Part of the game would be serverside with flash too. Also, HTTPS doesn't help if we are assuming that the client is corrupt. HTTPS only helps if you assume the client and server are clean and everybody else is what you are worried about. As far as hashing the scores with MD5, that would just do nothing because you still have no way to know whether the MD5 you get is right. Someone could just hash fake data and send it.

 

[gRaViJa]

i see where you're going to :smile: