I am developing a small game (in Java) for a coursework and the extension I have decided to do is an online score board. As I thought might happen, a few people on my course have figured out how to hack the score board and submit their own scores.
I know there are a few problems in the current way of submitting scores, but here it is. The game generates a score, then does an HTTP GET on a URL with the options of the players ID, the score and a password.
I might changing this to be a POST as it might be more difficult to get the data for the password. Also, I am considering making it run over HTTPS (although I don't know if this is more difficult in Java). Unfortunately, this doesn't stop the main way that people found the password which was by decompiling the Java code.
I don't know the best way to prevent the hacking. I don't mind too much really, its not that important, but it would be nice to secure it so when the code is marked it doesn't have a load of spam on it.
What would be your suggestions on ways to obfuscate the code 开发者_高级运维and/or secure the whole process?
Your approach simply doesn't work. When you need to secure something, you can't run it on the client.
Instead, the whole game must run on the server and users can only submit moves. That way, you can validate the moves (so players can't create illegal states) and calculate the correct score.
Everything else can always be hacked. If you don't encrypt the data, it can be hacked by using a network sniffer. If you use HTTPS, hackers can use a proxy to decode the data (man in the middle attack).
What one can do is changing from anonymous to user based tracking. This does not prevent faking, but makes it more trackable.
The basic protocol could be that a score board change is signed or encrypted using a session key. The session key is created upon logon of the player itself. Here you can work using an appropriate authentication system.
Now at least you know from which account a change has been made and can blame your student...
Obfuscation will not help you. It will just make it harder for the hackers, but certainly still possible.
In order to secure the whole process (at least to some degree), you should not have any game logic code on the client. The client should only send game commands to the server. After receiving the commands the server should check if the user can preform the given commands.
This way for example even if your colleagues send a command 'set jeff score 9999', the server would check if jeff has actually played a game that has given him 9999 points, if no, you could just show an error message on the client.
The general rule is: if something is on the client, the client can modify it. Most people conceder attempts to make it hard for the client to modify it futile, since it is only a matter of time before they do.
精彩评论