Avoid Leaderboard Hacking on Game Center

5

15

Has anyone found a way to avoid leaderboard hacking on Game Center or at least make it more complicated?

You can see a video of HackCenter, a Cydia app that lets you submit any score you want here: Hack Center

Even though that application is not supposed to be available on the Cydia Store we've all seen scores that are obviously fake on several games on the AppStore. Unlike the score submitted on that video, the fake scores are usually ridiculously high and they discourage other players, since they can never reach the top of the leaderboard.

I haven't been able to find out how the hack is accomplished (I presume they intercept the http call and just replace the score parameter with whatever they want?).

Any insight is appreciated.

Restorative answered 13/4, 2011 at 0:18 Comment(1)
Since the score submission is coming from the untrusted client, it is pretty much an Honor System. It can be extremely difficult to catch cheaters, and in the end, it's all just for fun. One possible mechanism would be to record the entire gameplay's events / actions, and play them back on an emulator, but even then someone could fake up a 'perfect gameplay' log with enough effort. Dealfish
8

The problem stems from allowing users to generate their own score data device-side. This would be a lot harder if all the score related calculations were done server-side and then posted to the score-board (I don't know how your app works, so I can't recommend a specific technique).

I think the BEST thing you can do is record data about HOW they got the really high score for review later by you. That may be impossible depending on your game's structure. It also might be forge-able depending on your game's structure. For example, some game scores are impossible to get in-game just due to the physics on how the game works. This in my opinion is your best defense against it. Sadly, that requires monitoring it all the time....

Also, even if you can verify fake scores, someone could continually forge fake scores all day long and you'll never be able to keep up with it. Someone's score submission bot will win in the end. It's not human, you are. It can post fake scores all day, you can't watch for fake ones all day, you can't verify 1000s of fake submissions. Trying to verify anything that is generated user-side (such as device ID, app being installed, etc...) is pointless. It can be forged. IP addresses are meaningless too. Your app is on a mobile platform that can get a brand new IP all they want from the cell company. Tracking single legit real users is very hard if someone wants to hide from you because of this.

Maybe you can have some kind of app purchase verification with the help of Apple too. That would make it easier for you to ban offenders. They would have to pay you to forge your leaderboard, lol.

That's just my 2 cents, I hope it helps.

Tabasco answered 13/4, 2011 at 1:10 Comment(6)
Thanks for the answer, but I'm working on Game Center and as far as I know I can not delete a score after it was submitted to the leaderboard. Restorative
I found this on SO. The first comment says it's possible according to page 3 on his link. I can't read it as I don't have an account. #3962426 Tabasco
Thanks, that definitely helps. Restorative
Many modern games have made cheating virtually impossible, while not requiring human monitoring: see, for example, StarCraft 2. Parvis
The server must always win (be authoritative). On goods, currency and xp transactions (buy, sell, gift), definitely record 0) the delta, 1) the total and 2) a hash of the current game state. This allows "double-ledger" bookkeeping to detect inconsistency (server crashes, etc.) and attempted cheating. Intake
@EliBud: You can now view and manage the top 100 scores and usernames for all of your Game Center leaderboards. See: https://mcmap.net/q/732639/-is-there-a-way-to-delete-scores-in-apple-39-s-game-center-programmatically Annmarie
3

Because they're doing an http intercept, there's unfortunately nothing you can do. I've even found setting the max score for the leaderboard in itunes connect has no effect.

A game I worked on never serialised the score to disk - so it couldn't have been changed there - and set max score to 30m. Yet the leaderboard was full of IntMax scores within hours of launching.

Hopefully Apple will have some fixes coming in WDC13 because as it stands, the worldwide leaderboards are useless.

Metzgar answered 2/5, 2013 at 7:36 Comment(2)
Sad, this seems to still be an issue. Ked
Apparently gamecenter subs are now sent over https, making man-in-the-middle impossible. They also provide better admin tools on itunes connect too. However you still have to encrypt your saves and guard against memory poke attacks. Metzgar
2

You could try checking if the user has that thing installed I guess and then disable them from entering a high score if they have the app.

I personally would just check for Cydia:

[[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://"]]

I am not sure what the url for Hack Center is exactly but, maybe you could try guessing it a couple times. I would guess 'cydia://hack_center' or something like that. And then once you find the url, replace 'cydia://' with it.

Leaflet answered 13/4, 2011 at 0:53 Comment(7)
Thanks for the idea, but that really doesn't work for me, since there are a lot of people out there with Cydia installed that buy at least some apps on the AppStore. On top of that I am not certain at all the fake scores I see on some games were submitted with Hack Center. Restorative
This is an argument based on a fallacy, i.e., I have Cydia installed, does that make me automatically a cheater? It's also flawed in the same way that antivirus software detects only malware identified in the past, not securing the app for now and the future. Intake
I think it's perfectly fine to give the finger to someone who has Cydia. Pennsylvania
The problem with this approach is that you are checking for Cydia.... on the device-side. If you can fake scores, you don't need to check if Cydia exists from your bogus application. Hin
@RLH: I am sorry I don't exactly understand your comment. But, yes, this methodology does have its downsides, although each of the solutions here have downsides, this is simply just one course of action you could take to help mitigate cheating. Leaflet
The problem is that if the user has a tool to scrape your app for pertinent details and then post a score to the leaderboard, no call to check for Cydia is going to stop them. To be fair, I don't know how cheaters cheat, but I imagine that tools probably exist that allow for hackers to scrape information from iOS apps and send the necessary HTTP requests to impersonate a legitimate gamer. If they are sending scores from another application, then this has no effect. Hin
@RLH: I believe there's this: #3962426 to prevent that. Leaflet
2

Have two hi score tables: those with cydia, those without :P

Warrin answered 16/7, 2013 at 12:31 Comment(0)
0

You can also set up your own server and use proper authentication and encrypted channels to upload the score and then just compare what's in your server vs what's in GameCenter... You still need to clean up the leaderboard, but at least you will know what to remediate and which users to put on a blacklist.

Raggedy answered 10/6, 2015 at 22:36 Comment(0)
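Intake's comment above (server authoritative; record the delta, the total and a hash per transaction for "double-ledger" bookkeeping) and this answer's idea of reconciling your own server's records against what shows up in Game Center fit together. The following is an added example, not code posted by anyone in this thread: the ledger format, the caps MAX_SCORE and MAX_DELTA_PER_EVENT, and all player data are constructed.

```python
"""Server-side score ledger plus reconciliation against a leaderboard export (added example)."""
import hashlib

MAX_SCORE = 30_000_000        # the thread mentions a 30m leaderboard cap
MAX_DELTA_PER_EVENT = 5_000   # assumed game-specific cap on one scoring event


def chain_hash(prev_hash: str, delta: int, total: int) -> str:
    """Commit each entry to its predecessor so a rewritten history is detectable."""
    return hashlib.sha256(f"{prev_hash}|{delta}|{total}".encode()).hexdigest()


def make_ledger(deltas):
    """Build a well-formed ledger; used here only to construct sample data."""
    entries, total, prev = [], 0, "genesis"
    for d in deltas:
        total += d
        prev = chain_hash(prev, d, total)
        entries.append({"delta": d, "total": total, "hash": prev})
    return entries


def verify_ledger(entries):
    """Deltas must sum to the recorded totals, stay plausible, and the hash chain must hold."""
    problems, running, prev = [], 0, "genesis"
    for i, e in enumerate(entries):
        if not 0 <= e["delta"] <= MAX_DELTA_PER_EVENT:
            problems.append(f"entry {i}: implausible delta {e['delta']}")
        running += e["delta"]
        if e["total"] != running:
            problems.append(f"entry {i}: total {e['total']} != running sum {running}")
        if e["hash"] != chain_hash(prev, e["delta"], e["total"]):
            problems.append(f"entry {i}: hash chain broken")
        prev = e["hash"]
    if running > MAX_SCORE:
        problems.append(f"final total {running} exceeds MAX_SCORE")
    return running, problems


def reconcile(leaderboard, ledgers):
    """Flag (player, posted_score) rows not backed by a clean server-side ledger."""
    flagged = []
    for player, posted in leaderboard:
        total, problems = verify_ledger(ledgers.get(player, []))
        if problems or posted != total:
            flagged.append(player)
    return flagged


# Constructed sample data: alice is clean, bob appended a forged IntMax entry, carol has no ledger.
SAMPLE_LEDGERS = {
    "alice": make_ledger([500, 700, 300]),
    "bob": make_ledger([500]) + [{"delta": 2147483147, "total": 2147483647, "hash": "deadbeef"}],
}
SAMPLE_LEADERBOARD = [("alice", 1500), ("bob", 2147483647), ("carol", 9000)]
```

Running reconcile(SAMPLE_LEADERBOARD, SAMPLE_LEDGERS) flags bob and carol but not alice; the flagged names are the entries worth removing through the leaderboard management tools and the accounts worth blacklisting.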