
I've just watched this video on YouTube. As far as I understand, hackers will always be able to hack; however, I'm looking for a solution to improve my game's security.

I do not want users to be able to change their coins. Would encryption or obfuscation be an option here?

I'm looking for a lightweight solution.

Please share what you know or have done to prevent this from happening (or make it harder).

b.mcewan
Luke Taylor

2 Answers


I create an MD5 hash from the data plus a salt and store it in the database.

Example:

Score: 1234
Lives: 3

Calculate MD5 from: "fsjdhASd8adnsa9asdmasdsd#1234#3#AS88asdDA*ASD8ASdmas"

Store in the database: 1234|3|b7f67f11fed055cce28d6f50fd829e9c

When reading from the database, I concatenate the score and lives values with the salt that I know and check whether the result matches the stored MD5 hash.

Example:

Read score = 1234
Read lives = 3

Concatenate "fsjdhASd8adnsa9asdmasdsd#" + score + "#" + lives + "#AS88asdDA*ASD8ASdmas"
Calculated MD5 = b7f67f11fed055cce28d6f50fd829e9c

Calculate the MD5 of this string and check whether it matches the stored hash.

If the score was altered to 9999, I would get hash 0d64ebead4451f826c15b5d03853f8da and hence it is not valid!

Obviously this is not infallible; the user might reverse engineer the code and change it, but it makes things harder!

Some people still try to modify it, but then I send a message to the server marking the user as a cheater!

thiagolr
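The scheme above, written out as an added example (not the answerer's own code): the record is stored as `score|lives|tag`, the tag is recomputed on load, and any record whose tag does not match is rejected. The salt prefix/suffix and the HMAC key are constructed placeholders; the second tag function shows the usual swap-in for salted MD5, an HMAC-SHA256 over the same fields.

```python
import hashlib
import hmac

# Constructed stand-ins for the answer's secret salt prefix/suffix (assumed values).
SALT_PREFIX = "fsjdhASd8adnsa9asdmasdsd#"
SALT_SUFFIX = "#AS88asdDA*ASD8ASdmas"
# Separate key for the HMAC variant below (also a constructed placeholder).
HMAC_KEY = b"replace-with-a-per-build-secret"


def md5_tag(score: int, lives: int) -> str:
    """Tag exactly as the answer describes: MD5(prefix + score + '#' + lives + suffix).
    The '#' separators matter: without them (12, 34) and (123, 4) would hash identically."""
    material = f"{SALT_PREFIX}{score}#{lives}{SALT_SUFFIX}"
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def hmac_tag(score: int, lives: int) -> str:
    """Same idea with a proper keyed MAC (HMAC-SHA256) instead of salt concatenation."""
    material = f"{score}#{lives}".encode("utf-8")
    return hmac.new(HMAC_KEY, material, hashlib.sha256).hexdigest()


def serialize(score: int, lives: int, tag_fn=md5_tag) -> str:
    """Build the 'score|lives|tag' record the answer stores in the database."""
    return f"{score}|{lives}|{tag_fn(score, lives)}"


def parse_and_check(record: str, tag_fn=md5_tag):
    """Parse a stored record and recompute its tag.
    Returns (score, lives) when the tag matches, None when the record is malformed or tampered."""
    parts = record.split("|")
    if len(parts) != 3:
        return None
    try:
        score, lives = int(parts[0]), int(parts[1])
    except ValueError:
        return None
    # compare_digest is a constant-time comparison; cheap enough to use by habit.
    if not hmac.compare_digest(tag_fn(score, lives), parts[2]):
        return None
    return score, lives


if __name__ == "__main__":
    saved = serialize(1234, 3)
    print(saved, "->", parse_and_check(saved))        # valid record round-trips
    tampered = saved.replace("1234|", "9999|", 1)     # only the score column was edited
    print(tampered, "->", parse_and_check(tampered))  # tag no longer matches: None
```

As the answer itself notes, the secret lives inside the client, so this only stops edits to the stored values, not edits to the code that computes the tag.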

The most reliable way would be to store the vital information server-side and have the client interact with the server. Since these hacks are client-side only, when the client tries to buy something for coins you should ask the server whether it allows the purchase.

Of course this can be hacked by hijacking network responses, faking the server and what not, if you don't put security measures in place. But at least this kind of hack will have no effect.

But encryption or obfuscation should work to some extent too, since it won't be possible to search for the value; however, if someone reverse engineers your app it won't be too hard to figure out how that is done either. ProGuard would probably make you a bit safer from that, but server-side will still always be the safest way.

Nicklas Gnejs Eriksson