Flash & authenticity of hi-scores
Every time we create a campaign that contains some sort of game with a high score list we end up thinking about a perfect solution to keep cheaters out – especially if there are any good prizes to win.
The problem is always the same: How can we make sure that a score submitted has really been achieved playing fair? The weakest link is usually the part where Flash tells our back-end the actual score. There are a few ways of posting scores that we’ve used:
- Issue an HTTP GET to the server, like savescore.php?username=someone&score=200.
- Issue an HTTP POST to post the score.
- Use some sort of cryptography. The Flash client makes an initial call to the back-end, which returns a key. The Flash client then computes a hash-code from the actual score and the key (combining both in a pre-defined manner) and sends the user name, the score and the hash-code back to the back-end. The back-end uses the same method to construct the hash-code and checks whether it matches the one sent by the (alleged) Flash-movie.
Even a novice user would be able to defeat both the GET and POST methods with a simple HTTP sniffer and a spoofed HTTP call to the back-end.
The third one is far more complex. Sniffing HTTP traffic between client and server would not enable anyone to spoof the score, since the hash-code is used to authenticate the submission (to make sure that the client has used the same algorithm as the server). But if the prize is good enough, one could go through the trouble of decompiling the Flash-movie, finding out how it actually posts the score, and creating a new client that submits spoofed scores.
Obfuscation makes this harder, and making the algorithm that creates the hash-code more complex (maybe even dividing it up across multiple Flash-movies) would make it harder still, but it would remain breakable: the whole secret ships inside the client.
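The key-and-hash scheme from the third bullet, written out as an added Python example (Python stands in for the PHP back-end; this is not code from the original post). The page does not say how key and score are combined, so HMAC-SHA256, a single-use key and a key lifetime are assumed choices here.

```python
import hashlib
import hmac
import secrets


class ScoreServer:
    """Back-end side of the key + hash scheme (assumed design, not the post's PHP)."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self.issued = {}   # key -> time it was handed out; removed once used
        self.scores = {}   # username -> best accepted score

    def issue_key(self, now):
        # Initial call from the Flash client: hand out a fresh random key.
        key = secrets.token_hex(16)
        self.issued[key] = now
        return key

    @staticmethod
    def digest(key, username, score):
        # The "pre-defined manner" of combining key and score (HMAC-SHA256 assumed).
        # Length-prefixing the username keeps "a:1" + 2 distinct from "a" + 12.
        msg = f"{len(username)}:{username}:{score}".encode()
        return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()

    def submit(self, key, username, score, submitted_hash, now):
        issued_at = self.issued.get(key)
        if issued_at is None:
            return "rejected: unknown or already used key"
        if now - issued_at > self.ttl:
            del self.issued[key]
            return "rejected: key expired"
        expected = self.digest(key, username, score)
        if not hmac.compare_digest(expected, submitted_hash):
            return "rejected: hash mismatch"   # key stays valid for the honest client
        del self.issued[key]                   # single use: a replay of this key fails
        self.scores[username] = max(self.scores.get(username, 0), score)
        return "accepted"


def honest_client_submit(server, username, score, now):
    """What the legitimate Flash client does: fetch a key, hash, post all three."""
    key = server.issue_key(now)
    return server.submit(key, username, score, ScoreServer.digest(key, username, score), now)


if __name__ == "__main__":
    srv = ScoreServer()
    print(honest_client_submit(srv, "alice", 200, now=1000))
```

The server rejects a sniffed submission whose score was edited and rejects a replayed key, but it accepts anything from a client that knows `digest` and fetches its own key, which is exactly the decompilation risk described above.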
What kind of measures do you undertake to ensure authenticity of hi-scores?