1

My client wants to create an online Flash game. Once they have completed the game, they are awarded a score, which is passed and logged on a server. This score determines whether they win a prize at the end of a set period, depending on the scores of other players.

I need to consider a situation whereby a user wants to cheat by intercepting and modifying the data that is sent to the server. Although I have considered, and would obviously use HTTPS, this wouldn't prevent the actual player from doing this.

It seems to me that I can't have any kind of secret that the server has knowledge about within the Flash, as this will be accessible to the player.

Even though a lot of people on this site seem to be suggesting it in other posts, I am not sure that using an obfuscator is an option due to the value of the prizes at stake. We have used this technique before for lower value prizes.

Any pointers, suggestions, ideas would be appreciated. I am sure there must be a known solution?

JonB
  • 3
    Although not identical, I consider this post: [What is the best way to stop people hacking the PHP-based highscore table of a Flash game.](http://stackoverflow.com/questions/73947/what-is-the-best-way-to-stop-people-hacking-the-php-based-highscore-table-of-a-fl) to be close enough to merit closing this question. – spender Jun 14 '11 at 16:47

1 Answer

0

The ultimate solution is if the server acts as a GM, but that is obviously an expensive solution. There are relatively similar things you can do that will cost substantially less and have reasonably similar security.

The Flash game could keep a log of all the events that occur in the game, and that log could be submitted with the score. You could then use server-side code to validate the circumstances that led to the high score.

This would prevent any client-side code tampering from mattering. The only fault would be that someone could generate a log of a possible yet incredibly lucky or skilled game. This issue could be mitigated with a couple of extra techniques like code on demand and timely encryption/keys.

CobaltBlueDW
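A sketch of the server-side log validation the answer describes, added here as an example and not code from either poster. The game rules, the per-session seed and the names `lanes_for_session`, `replay` and `accept_submission` are all assumptions made for illustration.

```python
import random

# Hypothetical game rules (assumptions for this example, not from the post):
# each tick a target appears in one of 4 lanes, chosen by a PRNG the server
# seeds per session; a hit event scores 10 only if it names that tick's lane.
LANES, POINTS, MAX_TICKS = 4, 10, 1000

def lanes_for_session(seed, ticks):
    """Target lane for every tick, derived from the server-held session seed."""
    rng = random.Random(seed)
    return [rng.randrange(LANES) for _ in range(ticks)]

def replay(seed, events):
    """Re-run the submitted event log and return the score the server computes.

    events: list of (tick, lane) pairs as sent by the client.
    Raises ValueError if the log breaks the game rules.
    """
    targets = lanes_for_session(seed, MAX_TICKS)
    score, last_tick = 0, -1
    for event in events:
        if (not isinstance(event, (list, tuple)) or len(event) != 2
                or not all(type(v) is int for v in event)):
            raise ValueError("malformed event")
        tick, lane = event
        if not 0 <= tick < MAX_TICKS or not 0 <= lane < LANES:
            raise ValueError("event out of range")
        if tick <= last_tick:
            raise ValueError("events out of order or duplicated")
        last_tick = tick
        if targets[tick] == lane:
            score += POINTS
    return score

def accept_submission(seed, events, claimed_score):
    """Accept the score only if replaying the log reproduces it exactly."""
    try:
        return replay(seed, events) == claimed_score
    except ValueError:
        return False
```

The claimed score is never trusted: the stored score should be the value `replay` returns. As the answer notes, this proves the log is consistent with the rules, not that a person played it.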