4

So, I have a hybrid game app, and I have a reward system in my game:

if (Date.now() - lastFreeCoinsTime > 3600000) { // lastFreeCoinsTime was also set from Date.now()
  giveCoins();
  lastFreeCoinsTime = Date.now();
}

Every hour you can get X amount of coins. What I found out is that it can be easily manipulated by doing the following: Phone Settings: change the date (for example 18/03 -> 23/03). Now you can get the reward again. How can I avoid it?

user1938653
  • Use `redis` on the server to store whether the user already received the reward and set an expiration of 1 hour to the key; get the time from the server rather than the client; store the previous reward time in localStorage/sessionStorage/cookies and ensure `Date.now()` is not less than the previous time; don't let cheaters play your game ;-) – Rob M. Mar 17 '17 at 22:57
  • Check with an independent source that the user can't tamper with. – RobG Mar 17 '17 at 22:57
  • Related: "Getting the current GMT world time": http://stackoverflow.com/questions/489581/getting-the-current-gmt-world-time – Stefan Haustein Mar 17 '17 at 22:57
  • You should store and load the coins server side; anything client side can be tampered with. – herriekrekel Mar 17 '17 at 22:59
  • With the caveat that once the JS is on the machine they can pretty much do what they want. Or set up a proxy to load an altered JS file on page load. Or just set a breakpoint. Etc. The ultimate source of truth needs to be on the server side. – Dave Newton Mar 17 '17 at 22:59
  • Are we talking about an app? in the browser `performance.now()+performance.timing.navigationStart` is not affected when playing with the system clock. Check out if this works for you. It won't finally fix the problem but it should take care of these stupidly simple time manipulations. – Thomas Mar 18 '17 at 01:02
  • Changing the system clock was an issue that plagued software-trial periods decades ago. Now in an inter-connected world, everything that requires actual actions that need to be saved or involves interactions with others (e.g., game, commerce), all require server-side verification. Otherwise, you could modify auctions, or do anything to hack time-sensitive operations. –  Mar 18 '17 at 01:28

2 Answers

1

User rewards like this should be handled by an external server, something you control. That way you can keep track of your own time and other data, and the client (your game) gets information from the server as the sole source of truth. The downside is obviously that your users will need to have an internet connection to receive rewards. But as long as the core functionality of the game is playable without an internet connection, they can play the game while offline and only need a connection for a small set of extra functionality (like rewards), so it should be fine.

Consider whether it is really worth the effort of preventing your users from "cheating", though. If your rewards system is somehow designed to make you money with some kind of "freemium" model, then you obviously need to put a lot of thought into how you secure and control rewards. But if this is a casual or free game and the stakes are low, does it really matter? Only a tiny fraction of your users will actually take the time to try and cheat. And if they do, who cares? Let them play the game the way they want to play - it's there for them to have fun after all.

jered
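An added example of the server-side pattern this answer describes (not code from the question or from jered): the server's own clock is the only time source, and anything the client sends about time is ignored. The `createStore`, `claimHourlyReward` and `handleClaimRequest` names, the in-memory store and the 50-coin reward value are assumptions for illustration.

```javascript
// Added example: server-side hourly reward claim. The client's clock never enters
// the decision, so changing the phone's date has no effect on the cooldown.
const COOLDOWN_MS = 60 * 60 * 1000; // one hour, as in the question
const REWARD_COINS = 50;             // assumed value for "X coins"

// In-memory store standing in for a database or redis: userId -> { coins, lastClaimAt }
function createStore() {
  return new Map();
}

// `clock` is injectable so the logic can be tested deterministically;
// in production it is the server's Date.now, never a value from the request.
function claimHourlyReward(store, userId, clock = Date.now) {
  const now = clock();
  const user = store.get(userId) || { coins: 0, lastClaimAt: null };
  if (user.lastClaimAt !== null) {
    const elapsed = now - user.lastClaimAt;
    // elapsed < 0 means the *server* clock stepped backwards (NTP correction,
    // manual change); treat it as "not yet" rather than granting a free reward.
    if (elapsed < 0 || elapsed < COOLDOWN_MS) {
      const retryAfterMs = elapsed < 0 ? COOLDOWN_MS : COOLDOWN_MS - elapsed;
      return { granted: false, coins: user.coins, retryAfterMs };
    }
  }
  user.coins += REWARD_COINS;
  user.lastClaimAt = now;
  store.set(userId, user);
  return { granted: true, coins: user.coins, retryAfterMs: COOLDOWN_MS };
}

// Minimal request handler: the request carries only a user id. In a real app the id
// comes from an authenticated session, not from the body; any "time" field the
// client might include is deliberately not read.
function handleClaimRequest(store, req) {
  const userId = req.userId;
  if (typeof userId !== 'string' || userId.length === 0) {
    return { status: 400, body: { error: 'missing user id' } };
  }
  const result = claimHourlyReward(store, userId);
  return { status: result.granted ? 200 : 429, body: result };
}
```

The client only displays `retryAfterMs` as a countdown; it never decides eligibility itself, so an offline client simply cannot claim until it reaches the server again.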
0

I don't think you can avoid this particular behaviour, but you can prevent someone from abusing it over and over by reducing their coins again if the current time is ever before the lastFreeCoinsTime. If the creators of Candy Crush couldn't get round it, it's got to be pretty tough.

Michael Evans