I realize this is partially outside the scope of PlayFab. However, I feel this topic is fairly relevant to a lot of developers here and I also feel this issue deserves to be discussed a lot more. The documentation is also pretty vague about this as well.
So without further ado, let me just jump right in. My understanding is that it is advised by the PlayFab developers to post scores via Cloud Script rather than letting the client use UpdatePlayerStatistics themselves, so that you can check things like:
1) Min/Max score
2) Time since the last score was posted
Ok, for the purpose of this discussion, let's say I have a very simple casual mobile game (like one of the many endless runners) and my goal is to reduce the likelihood of cheating on the leaderboards. If we follow the logic that anything sent by the client can't be trusted, then my question is: what other tools do we have available to check to make sure each score posted is valid?
For example, I could send the length of the player's last run along with their score, and check to make sure it is within a certain threshold in Cloud Script - but that is useless, because ultimately it's coming from the client which means that data could be compromised as well. So I'm wondering what other checks would be completely server-authoritative other than the two listed above.