Discussion - strategies to prevent cheating in tournaments...
We've recently had a new customer ask (via our support lines) for recommended techniques to prevent users from cheating in tournaments.
Clarification - they are early on in development. They haven't experienced cheating yet; they are thinking ahead and planning their development.
Now of course brainCloud's built-in security helps to alleviate the chances of this. All API calls are encrypted with SSL, and secured using an appId and secret. There are also additional safeguards in the message format and protocol that protect against man-in-the-middle attacks.
That said, security is a many-layered thing (parfait!), and for utmost protection, there are additional steps that app developers can take to protect the integrity of their experiences.
This seems like a good topic for a blog post or knowledge base article - but first I thought I'd put it out to our new community here to gather feedback!
The items that immediately jumped out at us were:
Limit operations like JoinTournament and especially PostTournamentScore to cloud code only. This is a great first step - essentially takes away the ability to make these calls from the bare client api. You can see a script that enforces these restrictions here - https://getbraincloud.com/apidocs/cloud-code-central/handy-cloud-code-scripts/restrictclientcalls-script/
Check for cheating in your cloud code scripts - validate the score before posting from your PostTournamentScore() script. If all scores should be between 10K and 1M - it's a simple matter to reject calls that try to post a score of 5M! We know of tons of customers adding these checks once cheating emerges in their apps. Heck - you can even use pre-hooks (https://getbraincloud.com/apidocs/apiref/#cc-ccscripts-apihooks) to do so without updating your client!
Make the parameters to your Post Tournament Score scripts as robust and complete as possible. i.e. if you just provide the "score" to post, it's hard to prevent cheating other than by applying a min or max score test. But if you provide additional information, like level #, # of enemies hit, max multiplier, etc - you may be able to be more sophisticated in rejecting impossible scores.
Tag Cheaters - you might consider using a user statistic or an attribute (https://getbraincloud.com/apidocs/apiref/#capi-playerstate-updateattributes) to record whether a player is a cheater. i.e. if they send in one bad score, mark them as a cheater forever (or for a set period of time). You could then pro-actively reject any scores from known cheaters... Adding a "cheater" attribute to players is very common for brainCloud apps... (Spoiler: so much so that we're likely to support the concept directly in the future!)
Anyway, those are the immediate thoughts that pop into mind.
What say you, brainCloudians? Agree / disagree? Other ideas?
Use a Pre-Hook on the Post Score Cloud Code script to validate incoming data. Do the actual JoinTournament / PostTournamentScore via a Cloud Code script, once again verifying the data. Lastly, validating the results of the Cloud Code script via a Post-Hook allows developers to confirm that the incoming data results in the expected outgoing data.
If at any point validation fails, tag the user as a Cheater! If users are going through enough trouble to try and cheat, they must enjoy the app's experience. Instead of blocking the Cheater from using the app, ensure all Cheaters are playing against each other, via Cheater leaderboards or any other means. This way the app's experience is unchanged for Cheaters (they are only cheating against other cheaters), and most importantly the rest of the user base does not get negatively impacted by a few rare users.
Any other ideas? Interesting Applications for Cheaters?
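As an added illustration of the pipeline sketched in this thread (the original post's range and plausibility checks plus cheater tagging, and the reply's pre-hook / script / post-hook flow with a separate cheater leaderboard), here is a self-contained JavaScript example. It is not brainCloud's cloud-code API and not code from either poster: the level rules, the attribute store, the two leaderboards, the 30-day tag lifetime and every function name are constructed for the example. In a real script the in-memory `state` would be replaced by the platform's attribute and leaderboard calls.

```javascript
// Added example: server-side score validation, cheater tagging and routing.
// Everything here is hypothetical; it is not brainCloud's API.

// Constructed per-level rules used to bound what a score can possibly be.
const LEVEL_RULES = {
  1: { maxEnemies: 50,  maxMultiplier: 2, pointsPerEnemy: 100 },
  2: { maxEnemies: 120, maxMultiplier: 4, pointsPerEnemy: 100 },
  3: { maxEnemies: 300, maxMultiplier: 8, pointsPerEnemy: 100 },
};
const MIN_SCORE = 10000;
const MAX_SCORE = 1000000;
const CHEATER_TTL_MS = 30 * 24 * 3600 * 1000; // a cheater tag lasts 30 days

// In-memory stand-ins for the player attribute store and the two leaderboards.
function makeState() {
  return { attributes: new Map(), leaderboard: [], cheaterLeaderboard: [] };
}

// The "cheater" attribute holds the timestamp until which the tag is in force.
function isTaggedCheater(state, profileId, now) {
  const until = state.attributes.get(profileId);
  return until !== undefined && until > now;
}

function tagCheater(state, profileId, now) {
  state.attributes.set(profileId, now + CHEATER_TTL_MS);
}

// Pre-hook: structural, range and plausibility checks on the submission.
// Returns null when the submission passes, otherwise a rejection reason.
function preHookValidate(submission) {
  const { score, level, enemiesHit, maxMultiplier } = submission;
  if (![score, level, enemiesHit, maxMultiplier].every(Number.isInteger)) {
    return 'non-integer field';
  }
  if (score < MIN_SCORE || score > MAX_SCORE) return 'score out of range';
  const rules = LEVEL_RULES[level];
  if (!rules) return 'unknown level';
  if (enemiesHit < 0 || enemiesHit > rules.maxEnemies) return 'impossible enemy count';
  if (maxMultiplier < 1 || maxMultiplier > rules.maxMultiplier) return 'impossible multiplier';
  // Highest score those stats could have produced on that level.
  const ceiling = enemiesHit * rules.pointsPerEnemy * maxMultiplier;
  if (score > ceiling) return 'score exceeds achievable ceiling';
  return null;
}

// Post-hook: confirm the write landed on the board we expected.
function postHookVerify(state, profileId, submission, result, now) {
  if (!result.accepted) return null;
  const board = result.board === 'cheater' ? state.cheaterLeaderboard : state.leaderboard;
  const entry = board.find(e => e.profileId === profileId && e.score === submission.score);
  if (!entry) return 'accepted score not found on ' + result.board + ' board';
  const tagged = isTaggedCheater(state, profileId, now);
  if (tagged && result.board !== 'cheater') return 'tagged cheater written to main board';
  if (!tagged && result.board !== 'main') return 'clean player written to cheater board';
  return null;
}

// The script itself: pre-hook, then routing, then post-hook.
function postTournamentScore(state, profileId, submission, now = Date.now()) {
  const reason = preHookValidate(submission);
  if (reason !== null) {
    // One bad submission tags the player; the score is rejected outright.
    tagCheater(state, profileId, now);
    return { accepted: false, reason, board: null };
  }
  // Known cheaters keep playing, but only against each other.
  const boardName = isTaggedCheater(state, profileId, now) ? 'cheater' : 'main';
  const board = boardName === 'cheater' ? state.cheaterLeaderboard : state.leaderboard;
  board.push({ profileId, score: submission.score, level: submission.level });
  board.sort((a, b) => b.score - a.score);
  const result = { accepted: true, reason: null, board: boardName };
  const problem = postHookVerify(state, profileId, submission, result, now);
  if (problem !== null) throw new Error('post-hook check failed: ' + problem);
  return result;
}
```

The plausibility ceiling is where the extra parameters pay off: a bare score of 50,000 is inside the global range, but on level 1 with ten enemies hit and a 2x multiplier it is unreachable and is rejected before any leaderboard is touched.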