brendan asked

How to prevent cheaters from being rewarded?

Question from a developer:

I'd like to use the prize table system to give prizes to users with the best scores, but how can I know who is using tools like LuckyPatcher, so that I don't provide rewards to cheaters?

Leaderboards and Statistics

1 Answer

brendan answered

Preventing cheating is a topic that has been written about fairly extensively. Ultimately, anything that the client is authoritative concerning must be considered suspect to some degree, up to and including controller inputs. So even in the case of a game where all logic is managed on a dedicated server, the use of "bots" to evaluate the game state and so react to it faster than most people can is a well-established cheating technique.

What you have to do is decide how secure you need your game to be. It's a balance of a few factors, including cost (the more you move the logic to be server-controlled, the more that drives the cost up), inconvenience (some anti-cheat tech introduces delays to gameplay or additional steps the player has to take to get into the game), and the most basic - how much cheating impacts the enjoyment of your game for players. For games where competition is a key element, cheating can kill the game experience for many players, driving down your retention. For those games, I would highly recommend moving the game logic to a dedicated server, so that you have as much control over it as possible, and can continually update it to look for behaviors you identify as being those of cheaters. Apart from that, it's really a sliding scale of how much you want to invest. One truism of cheating that is the same for security in general is that no matter how tall a wall you build, if there's a sufficient reward, there's always someone willing to build a taller ladder.

After determining that, the next thing to do is to make sure to set up appropriate monitoring of your player base, to look for cheating behavior and so take action to both prevent it and remove players who engage in cheating. For that, our PlayStream is one of the most powerful tools you have, as it gives you the ability to track all player actions in the game and perform any complex evaluations on that data.

3 comments

madtersinister commented

Hey, just curious to know how you're gonna block apps like Freedom and LuckyPatcher from making free in-app purchases. These apps create a fake certificate to pass RSA verification. I don't think there can be a way around it unless you set up a payment gateway for the in-app purchases.

0 Likes 0 ·
brendan (in reply to madtersinister) commented

PlayFab is not a payment provider. We integrate with payment providers. So, in the case of receipt validation (iTunes, Google Play, Amazon, Windows), we provide for secure receipt validation. If the receipt is bogus, or has already been used, the player won't get any items/VC. For consoles, we have entitlement checks, which are effectively the same as receipts. For other platforms, we have the StartPurchase process, which is also secure.

If you can provide a specific repro case that enables getting something the player didn't pay for, feel free to let us know. But PlayFab was designed from day one with security in mind.

0 Likes 0 ·
brendan (in reply to madtersinister) commented

Now that I've had a chance to look at the write-ups of those tools, the answer is actually extremely simple, and matches what I was assuming: Those tools only work if the client is authoritative. In other words, if your game uses our service as intended - having the online data and catalog/inventory be the authority, and only ever adding items/VC to the player via our purchase flow API calls or secure server-authoritative logic - you're fine.

An example of client authority would be if the client device makes the call to Apple/Google to validate a purchase receipt, and then grants the item to the player locally based on the response. That's trivially easy to cheat, and one of the main things those tools do. When using PlayFab, you send the receipt to us and we take care of everything - validation, re-use check, etc., and then we add the item to the player inventory and only then return the information to the client on what was rewarded. Since the information on what the player owns lives on our side, those tools are unable to affect that.

0 Likes 0 ·
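
The client-authoritative grant and the server-authoritative flow (validation, re-use check, then grant) described in the comment above, as an added example that is not part of the original thread and is not PlayFab code. `FakeStore`, `GameServer`, `redeem_receipt`, `client_authoritative_grant` and the catalog entry are hypothetical names, and the payment provider is modelled as an in-memory ledger of the receipts it issued.

```python
# Added illustration; every name here is hypothetical, not a PlayFab API.
import secrets

CATALOG = {"gem_pack_small": {"gems": 100}}    # server-side catalog (constructed)


class FakeStore:
    """Stands in for the payment provider's server-side validation endpoint."""
    def __init__(self):
        self._issued = {}                       # receipt token -> product id

    def purchase(self, product_id):
        token = secrets.token_hex(16)
        self._issued[token] = product_id
        return token

    def validate(self, token):
        return self._issued.get(token)          # None for receipts it never issued


def client_authoritative_grant(local_inventory, product_id, device_says_valid):
    """Vulnerable pattern: the device decides, so a patched device always wins."""
    if device_says_valid:                       # a value on-device tooling can force
        local_inventory[product_id] = local_inventory.get(product_id, 0) + 1
    return local_inventory


class GameServer:
    """Server-authoritative pattern: validate, check re-use, then grant."""
    def __init__(self, store):
        self.store = store
        self.used_receipts = set()
        self.inventory = {}                     # player id -> {"gems": n}

    def redeem_receipt(self, player_id, token):
        product_id = self.store.validate(token)  # server-to-store check
        if product_id is None:
            return {"ok": False, "reason": "invalid_receipt"}
        if token in self.used_receipts:
            return {"ok": False, "reason": "receipt_already_used"}
        item = CATALOG.get(product_id)
        if item is None:
            return {"ok": False, "reason": "unknown_product"}
        self.used_receipts.add(token)            # burn the receipt before granting
        wallet = self.inventory.setdefault(player_id, {"gems": 0})
        wallet["gems"] += item["gems"]           # amount comes from the catalog
        return {"ok": True, "granted": dict(item), "balance": wallet["gems"]}
```

The client only ever submits the receipt token; the product and quantity are read from the store's answer and the server catalog, so nothing the device reports about its own purchase state reaches the inventory.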
