question

Best Answer
Brendan Vanous said on Wed, 17 June 2015 at 6:42 PM

Hi Justin,

Absolutely correct - Cloud Script is the way to go. If you allow the client to set statistics or currency, you're making the client authoritative over that data, meaning that a technically sophisticated person could send whatever data they want to.

With Cloud Script, a user could send whatever data they wanted to, sure, but you then have the ability to do any evaluation on that data you need to, in order to determine its validity. This will be unique logic from title to title, but some common questions to ask yourself when putting that together are (and replace "score" with whatever measure you're receiving from the client):

How much time has passed since the last time this user reported a score? Could they have actually completed what they would need to, in order to report a new score in that time? You can get the time from the server and compare that to the timestamp from the last call - which is automatically there for User Data and Statistics, but you could also write your own in User Data, if needed.

Is the score valid for the given game context? Is it higher (or lower) than should be possible for the given game mode/level/etc.?

And this would be for games where 100% of the game logic is in the client. If you have any decision-making which takes place in Cloud Script (or your own custom game server), you have the opportunity to simply bypass the info from the client and report it yourself in server-authoritative logic.

One other thing you can consider is tracking a "trust" score for users, as well. If people see that their scores are rejected when they submit a wildly out-of-reasonable-range score, they might try tuning their cheat logic to find the "sweet spot" where their report clears your checks. If you're tracking on the number of times a user fails that check, that's another valuable addition to your arsenal. While you'll want to be very careful about being sure of your cheat evaluation (don't punish your best players), having a way to identify folks who cheat and potentially shuffle them into a separate experience which doesn't impact the rest of your players (separate leaderboards, game modes, etc.) could be a good move.

Brendan

---

1 Comment
Brendan Vanous said on Wed, 17 June 2015 at 6:42 PM

Hi Justin,

Absolutely correct - Cloud Script is the way to go. If you allow the client to set statistics or currency, you're making the client authoritative over that data, meaning that a technically sophisticated person could send whatever data they want to.

With Cloud Script, a user could send whatever data they wanted to, sure, but you then have the ability to do any evaluation on that data you need to, in order to determine its validity. This will be unique logic from title to title, but some common questions to ask yourself when putting that together are (and replace "score" with whatever measure you're receiving from the client):

How much time has passed since the last time this user reported a score? Could they have actually completed what they would need to, in order to report a new score in that time? You can get the time from the server and compare that to the timestamp from the last call - which is automatically there for User Data and Statistics, but you could also write your own in User Data, if needed.

Is the score valid for the given game context? Is it higher (or lower) than should be possible for the given game mode/level/etc.?

And this would be for games where 100% of the game logic is in the client. If you have any decision-making which takes place in Cloud Script (or your own custom game server), you have the opportunity to simply bypass the info from the client and report it yourself in server-authoritative logic.

One other thing you can consider is tracking a "trust" score for users, as well. If people see that their scores are rejected when they submit a wildly out-of-reasonable-range score, they might try tuning their cheat logic to find the "sweet spot" where their report clears your checks. If you're tracking on the number of times a user fails that check, that's another valuable addition to your arsenal. While you'll want to be very careful about being sure of your cheat evaluation (don't punish your best players), having a way to identify folks who cheat and potentially shuffle them into a separate experience which doesn't impact the rest of your players (separate leaderboards, game modes, etc.) could be a good move.

Brendan