question

ignoma asked

Can I restrict client from defining new analytics?

Hi! I'm making a game where I want the player / client to be able to update analytics directly by using UpdatePlayerStatistics(). I have enabled Settings > API > "Allow client to post player statistics".

The problem is that if someone hacks the Title ID from the source and decides to update tons of different analytics with variable names I haven't defined as a developer, it fills the limited amount of leaderboards / analytics I can have.

In addition, there is no way to delete statistics / leaderboards (a thing you have promised to implement for years).

I hope I am overlooking something, but this looks like a huge security threat because it can make a game practically unusable if someone decides to fill all your analytics slots and there is nothing you can do.

Am I overlooking something / is there any way I can avoid this threat?


1 Answer

pfnathan answered

Our suggestion is not to use "Allow a client to post player statistics" if there are important enough statistics that should not be modified by the player; this might lead players to cheat. You could use things like server-side calls to CloudScript or PlayStream triggers.

2 comments

ignoma commented

I really don't have a problem if someone cheats, I'm going to use only friend leaderboards anyway.

The problem I was trying to address is that the client can define new analytic variables that I have no plan to use. So someone could flood my game with useless analytics / leaderboards, which is problematic because I have only a limited amount of leaderboards I can have in my game.

For example, a hacked client could update statistics "UselessStat1", "UselessStat2", ..., "UselessStat16" without my permission and all my 16 leaderboards would already be full and I would not be able to define new statistics.

0 Likes 0 ·
brendan commented (reply to ignoma)

Sorry, but by turning on the option to allow the client to update statistics, that specifically gives the client the ability to do this. We would recommend turning off that option, and moving your statistic updates to a Cloud Script driven operation.

0 Likes 0 ·
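
One way to do the move to Cloud Script that the answers recommend, as an added example (not PlayFab's or the posters' code): a handler that accepts only statistic names the developer has defined, so a modified client cannot create "UselessStat1"-style statistics. It assumes the "Allow client to post player statistics" option is turned off; `ALLOWED_STATS`, its bounds and the handler name `reportStats` are hypothetical.

```javascript
// Added example, not PlayFab's or the posters' code. ALLOWED_STATS, its bounds
// and the handler name "reportStats" are hypothetical.
var ALLOWED_STATS = {
  HighScore: { min: 0, max: 1000000 },
  LevelsWon: { min: 0, max: 500 }
};

function isBoundedInt(v, rule) {
  return typeof v === "number" && isFinite(v) && Math.floor(v) === v &&
    v >= rule.min && v <= rule.max;
}

// Split requested updates into developer-defined, in-range entries and the rest.
function filterStatistics(requested) {
  var accepted = [], rejected = [], seen = {};
  var list = Array.isArray(requested) ? requested : [];
  for (var i = 0; i < list.length; i++) {
    var item = list[i] || {};
    var name = typeof item.StatisticName === "string" ? item.StatisticName : "<invalid>";
    // hasOwnProperty keeps names like "constructor" from matching inherited keys.
    var known = Object.prototype.hasOwnProperty.call(ALLOWED_STATS, name);
    if (known && !seen[name] && isBoundedInt(item.Value, ALLOWED_STATS[name])) {
      seen[name] = true;
      accepted.push({ StatisticName: name, Value: item.Value });
    } else {
      rejected.push(name);
    }
  }
  return { accepted: accepted, rejected: rejected };
}

// Handler body, kept separate so it can run against a stub outside PlayFab.
function reportStats(args, serverApi, playerId) {
  var result = filterStatistics(args && args.Statistics);
  if (result.accepted.length > 0) {
    // Only allowlisted names ever reach the server API, so no new statistic is created.
    serverApi.UpdatePlayerStatistics({ PlayFabId: playerId, Statistics: result.accepted });
  }
  return { updated: result.accepted.length, rejected: result.rejected };
}

// In Cloud Script, `handlers`, `server` and `currentPlayerId` are runtime globals;
// the guard lets this file also load under plain Node for testing.
if (typeof handlers !== "undefined") {
  handlers.reportStats = function (args) {
    return reportStats(args, server, currentPlayerId);
  };
}
```

The client then calls this handler through ExecuteCloudScript instead of calling UpdatePlayerStatistics directly.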
