15
votes

Has anyone found a way to avoid leaderboard hacking on Game Center or at least make it more complicated?

You can see a video of HackCenter, a Cydia app that lets you submit any score you want here: Hack Center

Even though that application is not supposed to be available on the Cydia Store, we've all seen scores that are obviously fake on several games on the App Store. Unlike the score submitted in that video, the fake scores are usually ridiculously high and they discourage other players, since they can never reach the top of the leaderboard.

I haven't been able to find out how the hack is accomplished (I presume they intercept the HTTP call and just replace the score parameter with whatever they want?).

Any insight is appreciated.

5
Since the score submission is coming from the untrusted client, it is pretty much an Honor System. It can be extremely difficult to catch cheaters, and in the end, it's all just for fun. One possible mechanism would be to record the entire gameplay's events / actions, and play them back on an emulator, but even then someone could fake up a 'perfect gameplay' log with enough effort. – sarnold

5 Answers

8
votes

The problem stems from allowing users to generate their own score data device-side. This would be a lot harder if all the score related calculations were done server-side and then posted to the score-board (I don't know how your app works, so I can't recommend a specific technique).

I think the BEST thing you can do is record data about HOW they got the really high score for review later by you. That may be impossible depending on your game's structure. It also might be forgeable depending on your game's structure. For example, some game scores are impossible to get in-game just due to the physics of how the game works. This in my opinion is your best defense against it. Sadly, that requires monitoring it all the time...

Also, even if you can verify fake scores, someone could continually forge fake scores all day long and you'll never be able to keep up with it. Someone's score submission bot will win in the end. It's not human, you are. It can post fake scores all day, you can't watch for fake ones all day, you can't verify 1000s of fake submissions. Trying to verify anything that is generated user-side (such as device ID, app being installed, etc.) is pointless. It can be forged. IP addresses are meaningless too. Your app is on a mobile platform that can get a brand new IP all they want from the cell company. Tracking single legit real users is very hard if someone wants to hide from you because of this.

Maybe you can have some kind of app purchase verification with the help of Apple too. That would make it easier for you to ban offenders. They would have to pay you to forge your leaderboard, lol.

That's just my 2 cents, I hope it helps.
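An added example (not code from the answer or from any project) of the server-side review this answer suggests: the server replays the client's recorded event log, recomputes the score, and rejects runs that are impossible under the game's rules. The scoring table, the input-rate ceiling and the 30M score cap are hypothetical values chosen for the example.

```python
from collections import Counter

# Constructed game rules (hypothetical): points per event type, the fastest a
# human could plausibly trigger events, and the largest score the game allows.
POINTS = {"coin": 10, "enemy": 50, "level_clear": 500}
MAX_EVENTS_PER_SECOND = 8          # physics/input ceiling, assumed
MAX_SCORE = 30_000_000             # leaderboard cap, assumed

def verify_submission(claimed_score, events):
    """Recompute the score from the client's event log and flag impossible runs.

    events: list of (timestamp_seconds, event_type). Returns (ok, reason).
    """
    if claimed_score < 0 or claimed_score > MAX_SCORE:
        return False, "score outside achievable range"
    total = 0
    last_t = -1.0
    per_second = Counter()
    for t, kind in events:
        if kind not in POINTS:
            return False, f"unknown event type {kind!r}"
        if t < last_t:
            return False, "events out of order"
        last_t = t
        per_second[int(t)] += 1
        if per_second[int(t)] > MAX_EVENTS_PER_SECOND:
            return False, "event rate exceeds physical limit"
        total += POINTS[kind]
    if total != claimed_score:
        return False, f"log replays to {total}, not {claimed_score}"
    return True, "ok"

# Constructed sample submissions: one plausible run, one forged log.
LEGIT_LOG = [(0.5, "coin"), (1.2, "coin"), (2.0, "enemy"), (9.7, "level_clear")]
FORGED_LOG = [(0.1, "enemy")] * 20   # 20 kills inside the same second

if __name__ == "__main__":
    print(verify_submission(570, LEGIT_LOG))          # accepted
    print(verify_submission(570, LEGIT_LOG[:2]))      # score does not match log
    print(verify_submission(1000, FORGED_LOG))        # impossible event rate
    print(verify_submission(2**31 - 1, LEGIT_LOG))    # above the score cap
```

As the comment on the question notes, a carefully forged log that stays within these limits still passes, so this raises the cost of cheating rather than eliminating it.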

3
votes

Because they're doing an HTTP intercept, there's unfortunately nothing you can do. I've even found setting the max score for the leaderboard in iTunes Connect has no effect.

A game I worked on never serialised the score to disk - so it couldn't have been changed there - and set max score to 30m. Yet the leaderboard was full of IntMax scores within hours of launching.

Hopefully Apple will have some fixes coming in WWDC13 because as it stands, the worldwide leaderboards are useless.

2
votes

You could try checking if the user has that thing installed, I guess, and then disable them from entering a high score if they have the app.

I personally would just check for Cydia:

[[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://"]]

I am not sure what the URL for Hack Center is exactly, but maybe you could try guessing it a couple of times. I would guess 'cydia://hack_center' or something like that. And then once you find the URL, replace 'cydia://' with it.

2
votes

Have two hi score tables: those with Cydia, those without :P

0
votes

You can also set up your own server and use proper authentication and encrypted channels to upload the score, and then just compare what's in your server vs what's in Game Center... You still need to clean up the leaderboard, but at least you will know what to remediate and which users to put on a blacklist.