
How to stop mysql leaderboards being hacked ??

Discussion in 'General Discussion' started by arkon, Dec 5, 2014.

  1. arkon

    arkon

    Joined:
    Jun 27, 2011
    Posts:
    1,122
    I'd like to open a discussion on how to stop or make it a lot harder for hackers to hack into leaderboards stored in a mysql database.

    I currently do the normal md5 hash of the POST and send it to the server. I use a key stored in the unity game itself, so while it stops someone just POSTing to the server, it does nothing to prevent a hacker decompiling to find the key used. Does anyone have a more secure way to do this?
     
  2. JamesLeeNZ

    JamesLeeNZ

    Joined:
    Nov 15, 2011
    Posts:
    5,616
    Have a read through this; having my leaderboards mildly violated recently gave some insight..

    http://forum.unity3d.com/threads/decompilation.282270/#post-1865107

    End result? Didn't really worry about it. I've changed my scripts to include the hash against the scores so you can't fudge them now, but I only ever had the problem with one user, who lost interest after I removed half a dozen of his scores.. It was too much effort for him (he had to delete the game, re-install, post score).
     
  3. arkon

    arkon

    Joined:
    Jun 27, 2011
    Posts:
    1,122
    Thanks, but your new hashing of the score won't deter them as I just found out. I cleared the database on my game last night, and this morning it's full of crap again. I hash it all too.
     
  4. Zerot

    Zerot

    Joined:
    Jul 13, 2011
    Posts:
    135
    There is no complete prevention of hacking (except having them play the game on the server), but you can do a few things that will help.

    One of the most basic things you can do, is to not discard incorrect scores, but to mark them as invalid and also mark the originating ip/player as a cheater. Then when loading the score list, send a leaderboard back with cheated scores to the cheaters, but send the correct leaderboard back to the non-cheater players. (Or even better, personalized scores where the cheater does see his own score, but not other cheated scores.) This alone will reduce the amount of (visible) cheats a lot.

    Second is to add a bit more info that would allow you to detect cheats. E.g. add info about time, points gained over time, etc. Check these on the server side to see if they make sense. e.g. finishing a level in 5 seconds where the minimum time is at least 1 minute.

    Also, check the rate of incoming high scores. If they submit multiple scores within a very short time, you know that they aren't playing the game.

    Of course all of these can be circumvented by a determined hacker, but that is unavoidable. What you want is to reduce the amount of annoyance legit users will get from it. By not giving the hacker direct feedback that his hack didn't work, most of them will assume it worked and leave it. Some might notice and will continue hacking, but by making it slightly more difficult most will not bother.
     
    Ony and R-Lindsay like this.
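    A server-side sketch of what Zerot describes above, added here as an example and not code from anyone in the thread: a submission is never rejected outright; implausible ones (level finished faster than the minimum, points out of proportion to play time, submissions arriving faster than a game can be played) are stored with an invalid flag and the player is marked, and the board the web service returns depends on who is asking. The level minimum times, the points-per-second bound and the rate limit are constructed assumptions, an in-memory list stands in for the MySQL table, and the response to the client is identical for valid and invalid submissions so the cheater gets no feedback.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed game rules (assumptions, not from the thread): the fastest a level
# can honestly be finished, how many points a second of play can plausibly earn,
# and how often one player can realistically finish a game and submit.
MIN_LEVEL_SECONDS = {"level1": 60, "level2": 90}
MAX_POINTS_PER_SECOND = 50
MIN_SECONDS_BETWEEN_SUBMITS = 30


@dataclass
class Submission:
    player: str          # account or device id the web service already knows
    level: str
    score: int
    play_seconds: int    # extra info sent along with the score, as suggested above
    submitted_at: float  # unix time stamped by the server, not by the client


@dataclass
class StoredScore:
    player: str
    score: int
    valid: bool
    reason: str          # why it was marked invalid; empty for valid rows


class Leaderboard:
    """In-memory stand-in for the MySQL scores table plus a cheater flag per player."""

    def __init__(self) -> None:
        self.scores: List[StoredScore] = []
        self.cheaters: Set[str] = set()
        self.last_submit: Dict[str, float] = {}

    def check(self, sub: Submission) -> Optional[str]:
        """Return a reason the submission is implausible, or None if it passes."""
        min_time = MIN_LEVEL_SECONDS.get(sub.level)
        if min_time is None:
            return "unknown level"
        if sub.play_seconds < min_time:
            return f"finished {sub.level} in {sub.play_seconds}s, minimum is {min_time}s"
        if sub.score > sub.play_seconds * MAX_POINTS_PER_SECOND:
            return "score out of proportion to play time"
        last = self.last_submit.get(sub.player)
        if last is not None and sub.submitted_at - last < MIN_SECONDS_BETWEEN_SUBMITS:
            return "submitting faster than the game can be played"
        return None

    def submit(self, sub: Submission) -> dict:
        """Store every submission; invalid ones are kept but marked, and the player flagged."""
        reason = self.check(sub)
        self.last_submit[sub.player] = sub.submitted_at
        if reason is None:
            self.scores.append(StoredScore(sub.player, sub.score, True, ""))
        else:
            self.scores.append(StoredScore(sub.player, sub.score, False, reason))
            self.cheaters.add(sub.player)
        # The client gets the same answer either way, so a hack looks like it worked.
        return {"status": "ok"}

    def view(self, viewer: str, limit: int = 10) -> List[Tuple[str, int]]:
        """Clean board for everyone; a flagged player additionally sees their own invalid rows."""
        rows = [
            s for s in self.scores
            if s.valid or (s.player == viewer and viewer in self.cheaters)
        ]
        rows.sort(key=lambda s: s.score, reverse=True)
        return [(s.player, s.score) for s in rows[:limit]]


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Constructed run: one honest score, one obviously faked one, two views of the board."""
    board = Leaderboard()
    board.submit(Submission("alice", "level1", 3000, 120, 1000.0))
    board.submit(Submission("mallory", "level1", 999999, 5, 1001.0))
    return {"alice_sees": board.view("alice"), "mallory_sees": board.view("mallory")}


if __name__ == "__main__":
    print(demo())
```

    Keeping the invalid rows (with the reason) rather than deleting them is what lets you review what the cheater tried and tune the thresholds; the personalised view is why they stop trying.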
  5. Stoven

    Stoven

    Joined:
    Jul 28, 2014
    Posts:
    171
    Basically, have a Cheaterboard Leaderboard for cheaters? XP
     
  6. GarBenjamin

    GarBenjamin

    Joined:
    Dec 26, 2013
    Posts:
    7,441
    If I had a game with a leaderboard and it was impossible to prevent hackers, I think I'd just throw it out and post an article on the site and a button for the same content in the app. NO MORE LEADERBOARDS. Then simply state that due to all of the hacking there are no longer leaderboards. I figure this would do 2 things. First, if people stopped offering the leaderboards, some of the idiots could see their actions do cause harm. They lost something they obviously liked. Second, maybe enough people would say "I only care about seeing my own and my friends' scores anyway, please put it back in."

    And maybe that last option is a way of doing it a bit more securely. Having groups the leaderboards are for.
     
    Ryiah likes this.
  7. arkon

    arkon

    Joined:
    Jun 27, 2011
    Posts:
    1,122
    I do like the idea of a cheater Board! I shall add it on the next update
     
  8. lmbarns

    lmbarns

    Joined:
    Jul 14, 2011
    Posts:
    1,628
    Depending on the game it might be worthwhile to require a user account to submit scores to the leaderboard.

    Then for a user account, you can collect IPs and (depending on platform) the MAC address of network cards for that player's account (if logging in from multiple devices), and block them (add to a ban list) when you determine they're cheating. Look at the bottom post here: http://forum.unity3d.com/threads/getting-mac-address-with-net.31999/

    Are they posting the hacked high scores with 1 submit or is it an aggregate of scores?
     
  9. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,023
    Here are a couple ideas:
    1) Post from the game to a web service, and then have the web service update the database. Do not connect directly from your game to MySQL. Since you mentioned posting, I assume you already did this.
    2) Instead of storing a single key in your game, set up a method for generating a new temporary key from the web service. Have keys expire after a couple of minutes. Have a function in your game do something to the key to encode the key. Not just MD5. Use some other crypt function and use salt in the function. Build a table to track all of the keys that have been handed out, what IP got each one, and when each key should expire. This is all in case the cheaters are decompiling your code to find a key.
    3) Use SSL for communicating between the game and the web service. This is in case the cheaters are using packet sniffing to figure out how to structure their score submission packets. SSL will thwart packet sniffing.
    4) Record the IP address of each score submission. Build a blacklist table to keep track of the cheaters, and have your web service ignore submissions from the IPs you black list.
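    The temporary-key scheme from points 2 and 4 above, and the static-key problem arkon opened with, as an added example that is not ShilohGames' code or anything from the thread: the web service hands out a short-lived key bound to the IP it saw on the connection, the game signs the submission with HMAC-SHA256 under that key instead of an MD5 of the POST with a key baked into the build, and the server checks expiry, IP, one-time use and the blacklist before recording anything. The key lifetime, the `issue_key`/`verify` names and the in-memory dictionaries standing in for the key-tracking and blacklist tables are assumptions. One caveat worth stating: the signing still runs inside the game, so a player who modifies the client can still sign a fake score; what this removes is replaying a captured submission, posting without a fresh key, and the single key that decompiling reveals, which is why it belongs alongside the server-side plausibility checks rather than instead of them.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

KEY_TTL_SECONDS = 120  # assumed: a handed-out key is good for a couple of minutes


def sign(secret: bytes, key_id: str, player: str, score: int) -> str:
    """Client-side step: HMAC-SHA256 over the submission fields under the temporary key.

    The server runs the same function to recompute the expected value.
    """
    message = f"{key_id}|{player}|{score}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class ScoreService:
    """Server side: issues short-lived one-time keys and verifies signed submissions.

    `issued` stands in for the key-tracking table (which key went to which IP and
    when it expires); `banned_ips` stands in for the blacklist table.
    """

    def __init__(self) -> None:
        self.issued: Dict[str, Tuple[bytes, str, float]] = {}
        self.banned_ips: Set[str] = set()

    def issue_key(self, client_ip: str, now: float) -> Tuple[str, bytes]:
        """Hand the game a fresh key id and secret; the game keeps them only until it submits."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self.issued[key_id] = (secret, client_ip, now + KEY_TTL_SECONDS)
        return key_id, secret

    def verify(self, key_id: str, client_ip: str, player: str, score: int,
               signature: str, now: float) -> Optional[str]:
        """Return None if the submission should be recorded, else the reason to ignore it.

        `client_ip` is what the web server saw on the connection, never a value the game sent.
        """
        if client_ip in self.banned_ips:
            return "ip is blacklisted"
        # Pop, not get: a key verifies at most once, so a captured submission cannot be replayed.
        entry = self.issued.pop(key_id, None)
        if entry is None:
            return "unknown or already used key"
        secret, issued_to, expires_at = entry
        if now > expires_at:
            return "key expired"
        if issued_to != client_ip:
            return "key issued to a different ip"
        expected = sign(secret, key_id, player, score)
        if not hmac.compare_digest(expected, signature):
            return "bad signature"
        return None


if __name__ == "__main__":
    # Constructed exchange: the game asks for a key, signs its score, submits once.
    service = ScoreService()
    key_id, secret = service.issue_key("203.0.113.5", now=1000.0)
    signature = sign(secret, key_id, "alice", 4200)
    print(service.verify(key_id, "203.0.113.5", "alice", 4200, signature, now=1030.0))  # None
    print(service.verify(key_id, "203.0.113.5", "alice", 4200, signature, now=1031.0))  # replay refused
```

    Binding the key to the connection's IP has the same limitation as IP bans: everyone behind one NAT shares it, so treat a mismatch as a reason to ignore the submission, not as proof of cheating on its own.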
     
  10. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,023
    Recording the MAC address won't do any good if the game looks up that info on the client side, because the cheater could simply fake MAC addresses with each of the score submissions. IPs will work better in this case, because the web service can determine the IP from the server side.
     
  11. darkhog

    darkhog

    Joined:
    Dec 4, 2012
    Posts:
    2,218
    Though you can accidentally ban several families by IP banning in case of shared networks that have just one external IP.

    I'd go with fingerprinting. Phone model, Android version, etc. And in the case of a PC, the make of the motherboard and the kind of CPU the user has (things that don't change too often), plus preferences of the OS in use (desktop resolution, not the in-game one, things like system colors, etc. - again only things that are unlikely to change often).

    That, combined with IP and MAC, will give you a pretty accurate measure of who's a cheater. I'd also use an Evercookie-like mechanism to create a "cheater file" on the device that just won't go away.