Forums » Help » How to secure scoreoid highscores from manipulation?

Hi there,

I'd like to implement a global highscore system in one of my games.
So I took a look at scoreoid and found it to be very useful.
Unfortunately I don't see a way to prevent a bad person to start an API call to the scoreoid_proxy.php via a simple javascript snippet. So it's basically possible for anyone to post any score they want.

Is there a best practice on how to prevent such unwanted highscore postings?
Or do you know an alternative score API?

Cheers,
Dirk

Hi with HTML5 there really isn't a full proof way, you can use the Scoreoid encryption option this should help.

Thats actually quite a difficult problem. You can obscure your code a bit on your side, but if the scoreoid API itself doesn't have any anti-cheat measures, there's little you can do.

If it helps, I generally found this to be a non-issue :) There are always people who want to cheat, and there's never a perfect protection. If it's not all too easy (and opening the browser's console is a huge hurdle for most people) there wont be that many attempts.

Quote from almog
Hi with HTML5 there really isn't a full proof way, you can use the Scoreoid encryption option this should help.

I already enabled the secure option in Scoreoid, the problem is, even with enabled encryption it is possible to simply modify the javascript variable that holds the score before it is even encrypted.

Quote from dominic
Thats actually quite a difficult problem. You can obscure your code a bit on your side, but if the scoreoid API itself doesn't have any anti-cheat measures, there's little you can do.

If it helps, I generally found this to be a non-issue :) There are always people who want to cheat, and there's never a perfect protection. If it's not all too easy (and opening the browser's console is a huge hurdle for most people) there wont be that many attempts.

Thanks for the reply! I think I'll go with the obscure method and hope that most people will be fair players. I was just wondering if there is a way to achieve such a protection, but I'm fine if it's simply impossible.

You can put certain things in a closure, so that they can't be reached from the outside:

(function(){
	// Score is a local var in this closure
	// It's only accessible from within
	var score = 0;
		
	window.increaseScore = function() {
		score++;
	};

	window.getScore = function() {
		return score;
	};
})();


increaseScore();
increaseScore();
getScore(); // 2

console.log(score); // undefined

This will make it a bit harder to cheat, but of course, still not impossible.

Quote from krix
I already enabled the secure option in Scoreoid, the problem is, even with enabled encryption it is possible to simply modify the javascript variable that holds the score before it is even encrypted.Thanks for the reply! I think I'll go with the obscure method and hope that most people will be fair players. I was just wondering if there is a way to achieve such a protection, but I'm fine if it's simply impossible.

Yes this is a problem with JS and HTML5 really no way to solve this when a user can just do "view source".

I did want to mention the Scoreoid Anti Cheat feature we're working on but it's not ready hopefully once we wrap up the next version we can add it. @dominic thanks for helping with the closure function.