I’m writing a simple online multiplayer game. It involves sending a few http requests (I don’t mind using any other protcool though) to my server to store stats about the game.
The problem is that the game is P2P and then the stats are sent to my server, so this makes it possible to cheat by sending fake stats. I realize it’s impossible to make it immune to cheating clients so what’s a good way to minimize the possibility of this happening? Negotiate unique secure keys between the server and clients to make sure the request is genuine?
I know that almost every proprietary protocol is reverse engineered sooner or later but I figured that if I make it slightly time consuming to generate the keys then the effort is not worth to cheat on a silly game.
Or is there a better way to do this?
It all depends on the type of stats. If each client can submit partial stats about other clients, and full stats for itself, you could write a server-side validation mechanism detecting discrepancies – this’d require coordinated efforts by multiple clients to get past.
When you design such a mechanism, you should work from the assumption that the cheater has full access to the source code of the client and the server – and make a mechanism that still can’t be bypassed by a single cheater. If the resulting mechanism isn’t usable (typically due to efficiency) you can start trading security for efficiency – but be aware of what your trade is, and which methods a cheater would be able to use. Attempt to log enough data that you can detect such cheats by non-realtime analysis of the logs, catching a cheater after the fact is the next best thing to catching him in the act.