tags:

views:

104

answers:

3
+2  Q: 

html 5 games: can i secure the code somehow so the game itself won't be changed while playing?

Hiya. As far as I know, it's really not possible, but I just want to be sure before I'm moving to flash.

can I make an html5 game secure enough so people won't be able to change their score and other variables while playing?

thanks!

+1  A: 

Depends on the way your game is coded, but if all the logic is sent to the client and only the score returned then you have no hope. Only by returning the inputs and calulating the score on the server side can you try to prevent the users submitting any score they wish.

Don't forget, by definition the user must change their score or it could never be more than 0...

Colin Pickard  2010-08-02 11:04:49
This answer applies equally to HTML5, Flash, or any other way of writing a game.
Colin Pickard  2010-08-02 11:05:45
+1  A: 

since your users can see all the source code this is a rather complex problem. they can easily change any function or variable at runtime without your script ever knowing. even if use a complicated signing function to validate the results.

and i am sorry but i don't think colins way would work either. i could just change any input to make the server do whatever i want.

maybe a constant monitoring of the score thru the server would be able to detect any impossible changes. still someone cheating in the realms of "possible" results would be uncaught.

in the end i would say u can only make it rather difficult to cheat but not impossible for someone with a little bit of skill.

don't use it for any games where u can win something by scoring the highest.

since the matter seems rather puzzling to people:

flash delivers compiled swf files, that cannot (since flash 9) be decompiled to useful.smth so u can put a secret in there which you use to sign the score. i.e. send the score and the md5 of score+secretkey. so the server (which also knows the key, can check it). furthermore flash variables are not so easy to temper with (you would have to find them in ram and alter them there, which is a very complex task), while javascript vars can be easily edited using, for example, webkit developer tools

update

actually i correct myself => all swfs can be decompiled this just leaves us with code obfuscating and "encrypting"

i guess the world is a bad place after all ;)

elmac  2010-08-02 11:10:51
btw flash can be compiled so the user can't "look" inside any "secret" signing functions.and no i am not talking about the old swf decompiler stuff.flash 10 doesn't decompile to anything usefull
elmac  2010-08-02 11:16:05
I was with you until "don't use it for any games where u can win something by scoring the highest". That counts against Flash and most other web technologies. It's perfectly possible to intercept and alter the data going back to the server "with a little bit of skill".
Olly Hodgson  2010-08-02 11:17:37
yes but u can crypto sign the score send to the server with a secret unknow to the user.i.e. md5 of (score+secretkey) along with the score.in flash the user wouldn't be able to decompile the swf (since flash 9 or so) while in js the user can just look it up
elmac  2010-08-02 12:31:53
@elmac: can you show me a swf file that can't be decompiled?
arjan  2010-08-02 13:07:29
@arjantop after reading about latest decompilers for a while...it seems all swfs can be decompiled today...wasn't like that in the old days ;)so this just leaves us with the good old obfuscating and "encrypting"
elmac  2010-08-02 15:55:28
-1 This answer doesn't provide a solution or enhance the understanding of the question.
Jesse Dhillon  2010-08-02 19:50:25
A: 

There is no "depends", the straight answer to your question is "no" and I think my fellow answerers simply muddied the waters.

You cannot trust the client. With any language, whether you're writing assembly or HTML or Flash, you cannot trust the client. No matter how much you wrap your code in obfuscation and such, it can and will be figured out (and often quicker than you might think).

This is stressed everywhere and yet people keep getting bit by it. Online games get "speedhacked" because they don't check the velocity of players, or they get item duplication because they don't verify that a player actually has an item that they're trying to do something with, or the lame little flash games get hiscore entries of 9999999 because a simple tool like Tamper Data (a Firefox add-on) is all it takes to change the score as it's sent to the server.

You can't trust the client, whether HTML5 or Flash.

If it's a single-player game, let the player cheat. That is their decision. If it's a multiplayer game, the server verifies every step of the game and anything outside of the rules is thrown out. If it's hiscores, send a replay of the game to the server and analyze it for any cheating rather than sending just a numeric score.

Ricket  2010-08-03 17:13:34

related questions

Fixed vs. variable frame rates in games: what is best, and when?
Scoring Poker Hands with Deuces Wild
Rss feed for game programmer?
Is Java relevant in the game industry?
C# Game Network Library
Dealing with Latency in Networked Games
How do I model a chessboard when programming a computer to play chess?
OpenGL or Direct3D for a new Windows game project? Or something else?
Why is Lua considered a game language?
Incomplete information card game
What's the best toolkit for doing 2d game programming with Python?
Generating random terrain in Blender3D
Resources of techniques use for collision detection in 2D?
Browser-based game - Which framework to choose?
Secure Online Highscore Lists for Non-Web Games
Best programming based games
What could prevent OpenGL glDrawPixels from working on some video cards?
Recommendations needed for good AI references
Is Project Darkstar Realistic?
Suggested gaming platform to learn - Direct X (C++), Open GL or XNA
How do you separate game logic from display?
Automated testing a game
Alpha blending sprites in Nintendo DS Homebrew
Developing addins for World of Warcraft - Getting started?
Territory Map Generation