Author Topic: To Protect Variables  (Read 4275 times)

demock

To Protect Variables
« on: February 10, 2015, 03:20:58 AM »
I've been using Playmaker for over 2 years.

Currently, I'm developing a generic puzzle game, and here are some of my concerns.

Is there any chance to secure Playmaker variables?

I mean, there are several 'anti cheating' assets that keep variables from memory scanners and encrypt important variables.

A moment ago, I looked into an asset called 'Anti-Cheat Toolkit' and it said Playmaker is supported, but there are just some Playmaker actions that offer extended access to PlayerPrefs, not actual protection of Playmaker variables.

The variables from Playmaker can be easily accessed and modified with a memory scanner like 'Cheat Engine', no matter whether the variable is local or global.

Maybe I'm just ignorant about the variable system of Playmaker.
If so, please share some information.
If not, I think this issue should get higher priority for a future release.

Thank you.
« Last Edit: February 10, 2015, 03:31:32 AM by demock »

jeanfabre

  • Administrator
  • Official Playmaker Support
Re: To Protect Variables
« Reply #1 on: February 17, 2015, 07:02:47 AM »
Hi,

 I can't speak on behalf of Hutong Games as far as encrypting variables, but here's my take on this:

 You will want users to play first and get to know your game; then you'll have a nice problem to have when investors reach out to you saying they want your game on Steam or elsewhere, or want to promote you, if you can guarantee some adequate precaution against cheating.

Are you able to cheat yourself using a tool likely used by cheaters? If the answer is no, then you can rest assured that 99.99% of your players will be in the same case... If the answer is yes, could you PM me and explain to me how you do it? I would be very interested indeed and will take this seriously into consideration, forwarding this finding to Hutong Games.

If you are worried about certain regions in the world being renowned for hacking more than others, are they really reflecting your player target? I mean, if you fear that Chinese players will cheat at your games, think of the benefits of the stats! Make per-country scoreboards so that extreme scores won't affect other countries and you are good.

You can also moderate the scoreboard manually, like we moderate this forum against attacks; I must delete a spam post once every 2 months maximum... better, more manageable and cheaper than requesting an encrypted forum, because if you look at ALL forums, they are getting the odd attack anyway...

 Again, this is my personal opinion :)

I worked on highly sensitive games: bet games playing for real money. And I can tell you that security is never effective on the running client; it has to be on the server!! ALL sensitive data must be hosted on the server, and the costs, development procedure, and quality assurance restrictions and validation for effectively preventing cheating are scary large, larger than the cost of purely developing the gameplay, multiple times higher... In short, it's a nightmare and 90% of the time kills the project before it launches... Only highly specialized companies with almost unlimited/dedicated resources can claim to build games that can't be cheated (meaning 99% sure they can't be hacked...). Just look at what it takes if you want to use Unity for bet games... you won't even get Unity to provide unless you sign an agreement that you won't sue them (it's not really about guarantees that you won't be cheated, but more that you won't sue them if it happens...). Correct me if I'm wrong here.

Now onto solutions :)

-- You can easily implement obfuscation techniques, which are already pretty effective in themselves: don't label your variables with obvious names. I personally never do that, but that's effective... don't name the variables "Score", for example...

-- Use moderation systems and validators on your server, by knowing your game very well and preventing absurd results coming from the client. Say, if your user is completing a level in less than 20 secs when you know that you can only finish it realistically in 2 min, then invalidate the score or call. This is VERY effective as well.

-- Use HTTPS; that goes without saying, but it will also prevent even more widespread, accessible cheating by hackers not going inside your code to cheat.



 Searching a bit online, I found a nice technique that will make it hard to counter.

 http://answers.unity3d.com/questions/212252/anti-cheat-system-for-unity3d.html

 If you have two variables for each piece of data, then you can always compare both in the game loop; if one changes but not the other, then you quit the game. When your code is actually updating that data for real, update both in the same state, and that will pass. So now you'll have exposed variables, yes, but your hacker will have to know that you are duplicating and checking them.

FsmInt "score"
FsmInt "DeltaMecanim" (make a name that is totally in the opposite spectrum of what a score could need)

You could argue that if he's looking at the live log of activity, he will spot the two variables being updated at the same time. Implement a timer, for example, or a 4-frame delay or something, and send the score to the server only after that delay, or do a mathematical operation, like multiplying by 2, and work with both. Your hacker will have a VERY tough time reading the FSM logic. Make your two duplicated variables different in scope, one global and one local, maybe with a different type, save it into a Vector3 as a z component, etc. etc.

I also found an article on hacking Unity, and it goes in the same kind of direction: have as much as you can on the server side:

https://www.hackthis.co.uk/articles/game-hacking-chapter-1-unity3d-attack-by-reverse-engineering

 BEARING in mind that PlayMaker will act as a pretty tough obfuscator in itself when it comes to knowing what's going on, where data is hosted and its meaning. PlayMaker doesn't create C# files; it's all buried in the PlayMaker internal code. So it's likely that your hacker will have to know PlayMaker pretty well before getting anywhere near your data, and if you used obfuscation, it won't mean anything...


In short, first get your game to be played, then worry about cheaters when you get proof that you indeed have cheaters and that your game has a dynamic that is worth investing in to make it cheat proof (which will be a challenge, even without PlayMaker).

Bye,

 Jean
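
Added example, not part of the original post or of PlayMaker: a minimal server-side validator for the "invalidate absurd results coming from the client" advice in the reply above. The level limits, session ids and all names are assumptions; it goes slightly beyond the post by timing each level on the server's own clock instead of trusting a duration reported by the client.

```python
import time
from dataclasses import dataclass

# Hypothetical limits the developer derives from knowing the game:
# level 1 cannot realistically be finished in under 2 minutes.
LEVEL_RULES = {
    1: {"min_seconds": 120, "max_score": 5000},
    2: {"min_seconds": 180, "max_score": 8000},
}


@dataclass
class Session:
    player: str
    level: int
    started_at: float  # server clock, set when the level is requested


class ScoreValidator:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the check can be tested
        self._sessions = {}      # session_id -> Session

    def start_level(self, session_id, player, level):
        """Call when the client asks to start a level."""
        self._sessions[session_id] = Session(player, level, self._clock())

    def submit(self, session_id, player, score):
        """Return (accepted, reason) for a score sent by the client."""
        # pop(): a session can be used for exactly one submission.
        session = self._sessions.pop(session_id, None)
        if session is None or session.player != player:
            return (False, "unknown-session")
        rules = LEVEL_RULES.get(session.level)
        if rules is None:
            return (False, "unknown-level")
        # Elapsed time is measured by the server, never sent by the client.
        if self._clock() - session.started_at < rules["min_seconds"]:
            return (False, "too-fast")
        if type(score) is not int or not 0 <= score <= rules["max_score"]:
            return (False, "score-out-of-range")
        return (True, "accepted")


if __name__ == "__main__":
    fake_now = [0.0]  # constructed clock for the demonstration
    validator = ScoreValidator(clock=lambda: fake_now[0])
    validator.start_level("s1", "alice", 1)
    fake_now[0] += 20  # level "finished" after 20 seconds
    print(validator.submit("s1", "alice", 3000))
```

Rejected submissions are best logged and reviewed rather than silently dropped, which feeds the manual scoreboard moderation the reply also recommends.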