Is config encryption enough to prevent cheating?

edited January 2012 in Help request
Thinking a bit toward the future, as usual..

We want to add support for Apple Game Center in our iOS game. Possibly in a version after 1.0, depending on progress.

(Side note: I was able to create the Game Center view yesterday by creating a UIViewController in Objective-C and adding it as a Subview to the orxView instance)

Now, one important thing for Game Center support is it must account for playing offline or playing on a poor quality network. So the GC objects must be stored if the network is unavailable and then sent later when the network is available again.

I was considering using the Orx config encryption system to store the Game Center Objects when it is necessary. Encryption is required to prevent the user from modifying the data before it is sent, e.g. cheating by altering his high score or completion time.

I think the encryption should be strong enough that it's a reasonable way to store these data that must be protected from the player. Agreed?

Comments

  • edited January 2012
    I see.

    Btw, if you feel like sharing how to embed Game Center or even write a wiki tut for it, don't hesitate. I'm sure a lot of people would be interested. :)

    As for the encryption orx gives, it's pretty basic and only as strong as the private key you use (the longer/diverse, the better).

    If someone has access to your game binary they could still try to locate the key either by disassembling the code (but it's pretty easy to hide it in that case) or by stepping through the code, in which case there's nothing you can do about it.
    But as long as you have a private key stored with the binary, no matter which encryption scheme you're using, the problem will be the same.

    What I'd do would be to use orx encryption + some CRC control on the decoded string to make sure it's valid. It's still not unbreakable but is likely to prevent 99.99% of your players from cheating.
  • edited January 2012
    iarwain wrote:
    > I see.
    >
    > Btw, if you feel like sharing how to embed Game Center or even write a wiki tut for it, don't hesitate. I'm sure a lot of people would be interested. :)

    I'll definitely share the information once I get it right myself. Turns out I have to spend some time learning Objective-C after all :laugh:

    > What I'd do would be to use orx encryption + some CRC control on the decoded string to make sure it's valid. It's still not unbreakable but is likely to prevent 99.99% of your players from cheating.

    Let me see if I understand what you mean. Would the procedure be like this?
    1. Create a config section representing the Game Center object
    2. Calculate the CRC on this section and store CRC for use when network is available
    3. Encrypt config
    4. ...network becomes available...
    5. Decrypt config
    6. Calculate CRC on decrypted config section
    7. If first CRC and second CRC match, send data to Game Center
  • edited January 2012
    acksys wrote:
    > I'll definitely share the information once I get it right myself. Turns out I have to spend some time learning Objective-C after all :laugh:

    Hehe, yeah, sorry about that, the joy of wanting to add social features to your game on iOS. Good luck with that. :)

    > Let me see if I understand what you mean. Would the procedure be like this?
    > 1. Create a config section representing the Game Center object
    > 2. Calculate the CRC on this section and store CRC for use when network is available
    > 3. Encrypt config
    > 4. ...network becomes available...
    > 5. Decrypt config
    > 6. Calculate CRC on decrypted config section
    > 7. If first CRC and second CRC match, send data to Game Center

    That sounds good to me! You can also create more than one CRC and store them in config properties and a CRC on the CRC block itself, just to make it more annoying for people that really want to tamper with your data. :)

    As for the encryption key, copy a paragraph from a book and instead of storing it directly in code you can first deface it a bit like xoring it with a const of a string that's in clear in your game (like the title) or even by transforming it to a list of floats (by normalizing their ASCII value, for example) that will make it almost impossible to spot in the disasm code/data and will require actual code stepping to get.

    But really, it depends how hard you think your players are going to try to tamper with the scores. :)
  • edited January 2012
    Did you actually look at how Apple suggests handling this situation? Because I can't believe they did not take that into account ;)
    I'm pretty sure Game Center APIs should have some built-in features for saving scores locally and preventing users from cheating.. otherwise what's the purpose of Game Center API after all? :)

    HTH,
    Alex
  • edited January 2012
    That sounds like a wise recommendation and I have no idea what Game Center offers.

    I still think my advice wouldn't be too bad in other non-Game Center-related attempts of storing local info though. :)
  • edited January 2012
    Ah.. well yes, I may have gotten ahead of myself there.

    The GameKit documentation does recommend using the NSCoding class to encode the GC object, but there isn't a mention of encryption, or I missed it. Maybe Apple doesn't think anyone actually jailbreaks their iOS.

    However, it looks like the iPhone SDK does include encryption libraries that can be used for this purpose, and a good discussion of that is here: http://www.cocos2d-iphone.org/forum/topic/6982

    With that method, though, the "key" would still be contained in the source code, so iarwain's suggestion of CRC would still add some security. This is interesting anyway for implementing a social component independent of a service like Game Center...

    This is all theoretical at the moment, though. I would like to have the problem that thousands of players are competing so hard in my game they are willing to go to such great lengths to cheat :)
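
The store-and-verify procedure from the thread (compute a CRC over the record, encrypt, later decrypt and re-check the CRC before sending), sketched in C as an added example that is not part of any post and not orx code. The repeating-key XOR is only a stand-in for whatever encryption layer is used, and the record layout, key and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320, the zlib variant). */
static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* Stand-in cipher (assumption, not orx's scheme): repeating-key XOR, its own inverse. */
static void xor_crypt(uint8_t *b, size_t n, const char *key) {
    size_t klen = strlen(key);
    for (size_t i = 0; i < n; i++) b[i] ^= (uint8_t)key[i % klen];
}
/* Steps 1-3: blob = encrypt(record || CRC32(record)); returns blob length, 0 on error. */
size_t seal_record(const char *rec, const char *key, uint8_t *out, size_t cap) {
    size_t n = strlen(rec);
    if (n == 0 || key[0] == '\0' || n + 4 > cap) return 0;
    uint32_t crc = crc32_calc((const uint8_t *)rec, n);
    memcpy(out, rec, n);
    for (int i = 0; i < 4; i++) out[n + i] = (uint8_t)(crc >> (8 * i)); /* LE trailer */
    xor_crypt(out, n + 4, key);
    return n + 4;
}
/* Steps 5-7: decrypt, recompute the CRC, compare; 1 = intact, 0 = reject (do not send). */
int open_record(const uint8_t *blob, size_t len, const char *key, char *rec, size_t cap) {
    uint8_t tmp[256];
    if (len <= 4 || len > sizeof tmp || len - 4 >= cap || key[0] == '\0') return 0;
    memcpy(tmp, blob, len);
    xor_crypt(tmp, len, key);
    size_t n = len - 4;
    uint32_t stored = 0;
    for (int i = 0; i < 4; i++) stored |= (uint32_t)tmp[n + i] << (8 * i);
    if (crc32_calc(tmp, n) != stored) return 0;
    memcpy(rec, tmp, n);
    rec[n] = '\0';
    return 1;
}
int main(void) {
    uint8_t blob[64]; char rec[64];
    /* Constructed sample record and key. */
    size_t n = seal_record("Score=12345;Time=98.7", "constructed-key", blob, sizeof blob);
    blob[6] ^= 0x08; /* simulate an edit of the stored file while offline */
    printf("accepted=%d\n", open_record(blob, n, "constructed-key", rec, sizeof rec));
    return 0;
}
```

The check rejects a stored blob that was edited without the key; as the thread points out, it does not help once the key has been recovered from the binary.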