How Secure is the Server Side High Scores script?

Hello everyone,

The script i am talking about is the well known sever side high score script on the unity wiki
http://wiki.unity3d.com/index.php?title=Server_Side_Highscores

I am using the script for an android game but I am worried about people being able to decompile the script and be able to see the “private key”. Is this a legit worry? How do other companies do it?

Thank you.

People can decompile the game and read the key, indeed. And that’s not a big deal at all.
Once the key is known, one can send any name and score plus the known key, hashed with the exact algorithm which is used in your script, as if you didn’t have a “secrect key” at all.
The server would never recognize that unless you implemented more logic to attempt filtering wrong submits, e.g. extreme scores etc.

The thing is, everything that is done on the client side can be manipulated. The only thing you can do is try to implement certain barriers in order to stop people from trying to cheat. But that’s usually not easy and often not worth it. Companies have invested much money and a lot of time to find solutions, in the end, as you may know, almost everything that needs to be bullet proof has some kind of connection to a server which handles critical portions of the applications logic.

You can implement an asymmetric encryption algorithm and key exchange style solution.

Where the server keeps a permanent keypair, and the client also generates a personal keypair.

Then you use the keypairs to implement a Diffie-Hellman key exchange and use that exchange to authenticate a symmetric key for most of the communications. (Symmetric is less overhead than asymmetric)

But this is only hardening, and will not stop a truly determined hacker from getting what they want… But if your server handles and authenticates the scoreboard updates as best it can, you can hide the secure stuff behind an API.