With all the recent hype about JavaScript and HTML5 replacing Flash, I wanted to know: how would it be possible to protect client-side JS code? Of course, it is possible to obfuscate it, but that would only make it a little harder. Also, for games which submit high scores to the server, wouldn't it be incredibly easy to modify those scores before they are sent to the server? I know even Flash files can be decompiled, but they can be obfuscated and Flash decompilation is not as easy as modifying data in JS - could be done easily using a plugin such as Firebug. I'd like to know everyone's views on this.

+6  A: 

JavaScript, being parsed on the client, is never 100% safe. There will always be ways to find out what it does. A few days ago I even saw a tool which unpacks packed JavaScript, so the only thing you can really do is use "ugly" variable names (or actually, make a JavaScript packer transform your "good" variable names into short/ugly/nonsense ones).

To protect game results, you have to move some of the game logic to the server so the client cannot send arbitrary results.

Summarizing it: Don't put secrets in JavaScript code and don't trust anything coming from the client - no matter if it's from a form or generated/submitted via JavaScript.

ThiefMaster
Thanks. Even if I do move some of the game logic, the algorithm to generate data to be sent to the server is still very open. Also, wouldn't this be a big factor in the adoption of HTML5, especially with regard to games? Why/how are people predicting that Flash is on its way out?
Evans
Flash is almost as insecure as JavaScript. There are good ActionScript decompilers out there and even if that wouldn't be possible, you could still sniff the request sent to the server. Besides that, lots of Flash games are just for fun, not for rewards etc., so it doesn't matter at all if people cheat there or not.
ThiefMaster
Sorry for asking this repeatedly, but wouldn't this be a huge factor for HTML5 adoption? Also, sniffing out the request isn't as easy as viewing the source. Plus, there are Flash game portals where getting high scores could fetch you money, so cheating would matter there.
Evans
Those sites will most likely stay with Flash or add sanity checks to the server side. For example (depending on the game of course) you could ensure there's enough time between the game start and end. And obviously only sensible scores should be accepted - i.e. rejecting unnaturally high scores. Besides that: someone who wants to cheat on such a site to get more money/rewards WILL sniff. It might be even easier if there's no sanity check currently because of a developer relying on data from Flash being trustworthy than with more readable code whose response isn't simply accepted as valid.
ThiefMaster
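
The server-side sanity checks suggested in the answer and comments above (enough time between game start and end, rejecting unnaturally high scores), as an added Node.js example that is not part of the original thread. The function names, the limits and the token layout are assumptions chosen for illustration; the start time is bound into a server-signed token so the client cannot alter it.

```javascript
// Added example, not code from the thread. Limits and names are assumed values.
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32);   // server-only key, never sent to the client
const MIN_PLAY_MS = 10_000;              // assumed: shortest plausible game
const MAX_POINTS_PER_SEC = 50;           // assumed: game-specific scoring ceiling
const usedSessions = new Set();          // one accepted submission per session

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("hex");
}

// Called at game start: the server records the start time, not the client.
function startGame(playerId, now = Date.now()) {
  const payload = `${crypto.randomUUID()}.${playerId}.${now}`;
  return `${payload}.${sign(payload)}`;
}

// Called on submission: every client-supplied value is treated as untrusted.
// A playerId containing "." changes the field count and is rejected (fails closed).
function submitScore(token, playerId, score, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 4) return { ok: false, reason: "malformed token" };
  const [sessionId, tokenPlayer, startedAt, mac] = parts;
  const expected = Buffer.from(sign(`${sessionId}.${tokenPlayer}.${startedAt}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "bad signature" };
  if (tokenPlayer !== playerId) return { ok: false, reason: "wrong player" };
  if (usedSessions.has(sessionId)) return { ok: false, reason: "session already used" };
  if (!Number.isInteger(score) || score < 0) return { ok: false, reason: "invalid score" };
  const elapsedMs = now - Number(startedAt);
  if (elapsedMs < MIN_PLAY_MS) return { ok: false, reason: "finished too fast" };
  if (score > (elapsedMs / 1000) * MAX_POINTS_PER_SEC)
    return { ok: false, reason: "score too high for play time" };
  usedSessions.add(sessionId);
  return { ok: true };
}
```

These checks only bound what a submission can claim; they do not prove the game was actually played, which is why the answer recommends moving game logic to the server.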