jlanis86 asked

Methods to reduce the likelihood of cheating

I realize this is partially outside the scope of PlayFab. However, I feel this topic is fairly relevant to a lot of developers here and I also feel this issue deserves to be discussed a lot more. The documentation is also pretty vague about this as well.

So without further ado, let me just jump right in. My understanding is that it is advised by the PlayFab developers to post scores via Cloud Script rather than letting the client use UpdatePlayerStatistics themselves, so that you can check things like:

1) Min/Max score

2) Time since the last score was posted

Ok, for the purpose of this discussion, let's say I have a very simple casual mobile game (like one of the many endless runners) and my goal is to reduce the likelihood of cheating on the leaderboards. If we follow the logic that anything sent by the client can't be trusted, then my question is: what other tools do we have available to check to make sure each score posted is valid?

For example, I could send the length of the player's last run along with their score, and check to make sure it is within a certain threshold in Cloud Script - but that is useless, because ultimately it's coming from the client which means that data could be compromised as well. So I'm wondering what other checks would be completely server-authoritative other than the two listed above.

Leaderboards and Statistics

1 Answer

brendan answered

It is, indeed. And the topic is one I've spent a lot of time discussing with developers over the years, in my time as a game developer, as the principal tech rep for Xbox Live, and now here at PlayFab. And the summary of all of that would be that there's no practical way to completely eliminate cheating, though you can get pretty close. The questions you need to ask when deciding on your approach are, how much do you tolerate your solutions interfering in the gameplay, and how much do you want to spend - both in terms of time and money - to do it?

The most secure games run their gameplay logic entirely server-side, and only accept inputs from the client (with the client running a simulation for the local player, so that inputs appear to be processed instantly). In that model, you're usually using some form of prediction to guesstimate the player in between updates, which are usually in the range of 6 times a second. Even in that model, you have to assume the player is cheating, though. So you still need to evaluate the inputs, to make sure they're possible (and reasonable). And even then, you'll want to track gameplay and monitor for use of bots by checking for people doing things that are technically possible, but unreasonable from the viewpoint of human reaction times and processing speeds - that's the part where you need to be careful, as there are some amazingly speedy players out there.

Less secure, but still more secure than just letting the client be authoritative, is using server-side logic to do checks on key values, as you mentioned (using Cloud Script). In that model, the min/max of what's reasonable for a score is the minimum you would do to check. After that, the question comes down to, what do you have on the server side that you can use to validate the player behavior? One thing would be inventory - anything the player can use. So part of your calculation of their max score may be a theoretical max based on having some boosts or bonus items. If so, build that into the check for max score - have the player make an "OnLogin" Cloud Script call at the beginning of play, so that you can record (in UserInternalData) what the player's inventory status is, and then you can check it whenever a score report is issued. You also know what the server timestamp was when they last reported a score, so you could check if the time elapsed since the previous report is long enough for them to have actually done what they say.

In all cases, some (or even all) of your cheat checking logic is going to be game-specific. And it's an ongoing process - identify cheating behaviors, test and tune your means of validly finding players doing those things, and add those checks into your model. And in some cases, blocking the cheaters isn't even the way to approach it. Instead, you can give them a separate play area - only let them into servers with each other, keep their scores in separate leaderboards, etc. That way, they can keep playing (and so, making in-game purchases, watching ads, etc.) without impacting your honest players.
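
The server-side checks described in the answer above (elapsed server time, an inventory-based score ceiling, and a separate leaderboard for flagged players), as an added example that is not part of the original post and not PlayFab's own code. The tuning numbers, item ids, leaderboard names and the in-memory `store` are assumptions; in Cloud Script the store would be the player's internal data and statistics.

```javascript
// Added example. All names and numbers here are hypothetical tuning values.
const RULES = {
  minRunSeconds: 5,            // shortest run a human could finish
  basePointsPerSecond: 12,     // best legitimate scoring rate without boosts
  boostMultiplier: { score_boost_2x: 2, magnet: 1.25 }, // constructed item ids
};

// `session` holds only server-written state (the inventory snapshot taken at
// login and the server timestamp of the last report). The client supplies
// nothing except `claimedScore`.
function validateScore(claimedScore, session, nowMs, rules = RULES) {
  if (!Number.isInteger(claimedScore) || claimedScore < 0) {
    return { ok: false, reason: "malformed" };
  }
  const elapsedSec = (nowMs - session.lastReportMs) / 1000;
  if (elapsedSec < rules.minRunSeconds) {
    return { ok: false, reason: "too_soon" };
  }
  // Theoretical max: elapsed server time x best rate x owned boosts.
  let multiplier = 1;
  for (const itemId of new Set(session.inventory)) {
    multiplier *= rules.boostMultiplier[itemId] || 1;
  }
  const ceiling = Math.floor(elapsedSec * rules.basePointsPerSecond * multiplier);
  if (claimedScore > ceiling) {
    return { ok: false, reason: "exceeds_ceiling", ceiling };
  }
  return { ok: true, ceiling };
}

// `store` is an in-memory stand-in for the player's internal data and the
// two leaderboards; in Cloud Script these would be server API reads/writes.
function reportScore(claimedScore, store, nowMs) {
  const verdict = validateScore(claimedScore, store.internal, nowMs);
  store.internal.lastReportMs = nowMs; // always advance the server clock mark
  if (verdict.reason === "malformed" || verdict.reason === "too_soon") {
    return { board: null, verdict };   // drop outright, nothing is recorded
  }
  // Impossible scores go to a separate board instead of being blocked.
  const board = verdict.ok ? "HighScore" : "HighScore_Flagged";
  store.boards[board].push(claimedScore);
  return { board, verdict };
}
```

Because the ceiling is derived from the server's own clock and the stored inventory snapshot, a client that inflates its run length or claims boosts it does not own gains nothing from doing so.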
