I am developing a small game (in Java) for a coursework and the extension I have decided to do is an online score board. As I thought might happen, a few people on my course have figured out how to hack the score board and submit their own scores.
I know there are a few problems in the current way of submitting scores, but here it is. The game generates a score, then does an HTTP GET on a URL with the options of the player's ID, the score and a password.
I might change this to be a POST as it might be more difficult to get the data for the password. Also, I am considering making it run over HTTPS (although I don’t know if this is more difficult in Java). Unfortunately, this doesn’t stop the main way that people found the password, which was by decompiling the Java code.
I don’t know the best way to prevent the hacking. I don’t mind too much really, it's not that important, but it would be nice to secure it so when the code is marked it doesn’t have a load of spam on it.
What would be your suggestions on ways to obfuscate the code and/or secure the whole process?
What one can do is change from anonymous to user-based tracking. This does not prevent faking, but makes it more trackable.
The basic protocol could be that a score board change is signed or encrypted using a session key. The session key is created upon logon of the player itself. Here you can work using an appropriate authentication system.
Now at least you know from which account a change has been made and can blame your student…
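A sketch of the per-session signing described in the answer above, as an added example that is not part of the original answer. It assumes HMAC-SHA256 as the signing primitive, a session key handed to the client over HTTPS after login, and a per-session counter to reject replays; the class, method and account names are hypothetical. As the answer says, this ties each submission to an account rather than proving the score is genuine.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class SignedScoreDemo {
    // Server-side state (hypothetical): per-account session key and last accepted counter.
    static final Map<String, byte[]> sessionKeys = new HashMap<>();
    static final Map<String, Long> lastCounter = new HashMap<>();

    // Called after the player has authenticated; the key is returned over HTTPS (assumption).
    static byte[] login(String playerId) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        sessionKeys.put(playerId, key);
        lastCounter.put(playerId, 0L);
        return key;
    }

    // HMAC-SHA256 over the fields that must not be altered in transit.
    static byte[] sign(byte[] key, String playerId, int score, long counter) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        String msg = playerId + "|" + score + "|" + counter;
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Server check: known session, fresh counter, tag matches (constant-time compare).
    static boolean verify(String playerId, int score, long counter, byte[] tag) throws Exception {
        byte[] key = sessionKeys.get(playerId);
        if (key == null || counter <= lastCounter.get(playerId)) return false;
        if (!MessageDigest.isEqual(sign(key, playerId, score, counter), tag)) return false;
        lastCounter.put(playerId, counter);
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = login("alice");                        // constructed sample account
        byte[] tag = sign(key, "alice", 1200, 1);
        System.out.println(verify("alice", 1200, 1, tag));  // genuine submission
        System.out.println(verify("alice", 9999, 2, tag));  // score changed, tag no longer matches
        System.out.println(verify("alice", 1200, 1, tag));  // replay of an already accepted message
        System.out.println(verify("bob", 1200, 1, tag));    // account with no session
    }
}
```

Because the key is issued per login instead of being compiled into the game, decompiling the client yields no shared secret, and every accepted score is attributable to the account whose session key signed it.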