11

Back story: I'm planning to implement a casual game to be deployed in a webapp, but I don't want to use Flash, instead just plain Javascript. One benefit of Flash that I would want though is that it distributes a binary and not the source code so it's easier to protect your code from being reused/stolen by somebody else, or to prevent the client from modifying the code to "cheat" in the game?

So my question is: what are the ways to similarly protect a Javascript application? Am I limited to the usual methods of using a code obfuscator? Will that be enough?

Roy Tang
  • 5,643
  • 9
  • 44
  • 74
  • 8
    Downvoter: downvotes are for bad questions, not questions about something you don't want people to do. There's nothing technically wrong with this question. – Pointy Jul 28 '10 at 19:55
  • 2
    I don't think it's going to be particularly possible. As you say, there are obfuscation techniques. But at some point the browser has to be able to see the code to interpret it, which means you have to supply the code to the client. – David Jul 28 '10 at 19:56
  • @Roy Tang - obfuscating is all you can do. Be careful, because some obfuscators do some fairly silly things and can make your code run slower. They also do little to really "protect" your code. If you consider your code or some implementation techniques to be valuable, don't deliver it as Javascript in a web page. – Pointy Jul 28 '10 at 19:57
  • Sorry, edited: Another concern I have is to prevent "cheating" by people who know Javascript. Note: I don't want to know how to obfuscate, i already do. I want to know if there are other options. – Roy Tang Jul 28 '10 at 19:58
  • Don't post it on the internet! :) – meder omuraliev Jul 28 '10 at 20:02
  • 1
    @Roy Tang: To prevent cheating, the only real option is to have the game engine run server-side and validate all input. Never implicitly trust what the client machine tells you. – David Jul 28 '10 at 20:03
  • Roy, I voted to close this question, but with the wrong duplicate. There are far better answers in [How to prevent your Javascripts being stolen, copied, and viewed?](http://stackoverflow.com/questions/1660060/how-to-prevent-your-javascripts-being-stolen-copied-and-viewed) – Marcel Korpel Jul 28 '10 at 20:06
  • Thanks for all the replies. I'm satisfied that there's really no way to go further, so I'll just accept the AJAX answer as that's what I'll probably be doing. – Roy Tang Jul 28 '10 at 20:14

3 Answers3

3

A code obfuscator is about all you can do. No matter what you do, the executable code will/must be available in the browser.

Byron Sommardahl
  • 12,743
  • 15
  • 74
  • 131
2

Use AJAX to have your game verify against server code you control. This is also useful if the game is multi-player in someway. Verification prevents someone from changing the code in order to cheat.

Also Flash is not immune at all from being taken by someone else. People can download the binary and post it wherever they want. And Flash de-compilers do exist and are quite effective.

Cfreak
  • 19,191
  • 6
  • 49
  • 60
  • this, I like the idea of - do you have any more info? – Barrie Reader Jul 28 '10 at 19:59
  • Thanks! I was already considering this, but it means syncing my game state back to the server with an ajax call with every state change...it might have a large amount of requests, so I was wondering if there were alternatives. – Roy Tang Jul 28 '10 at 20:01
  • @Roy – In that case: what kind of game is it? – Marcel Korpel Jul 28 '10 at 20:09
  • @Neurofluxation - Just at a high-level I'm not sure what more I can give. I think an actual implementation would change depending on what you were doing. For instance if your player has a power level, storing that information on the server and validating that the power level is the same (or at least in line with what the player should have) – Cfreak Jul 28 '10 at 21:30
  • 1
    @Roy - Not necessarily ... The only time you really need to validate is when you load the game (to make sure it's not running on an unauthorized server) and then any time there's an interaction between two players. State changes only affecting the player himself shouldn't be a problem. If the player tampers with it, it might affect what he sees but all will be put right when the server validates at an interaction. – Cfreak Jul 28 '10 at 21:33
0

Why, specifically, do you want it to be in JavaScript? You can use node.js to run JavaScript code server-side for the protected stuff and interact with it from client-side JavaScript.

David
  • 208,112
  • 36
  • 198
  • 279