How do I prevent hackers from hacking webstorage value?

Get help using Construct 2

Post » Wed May 06, 2015 9:54 pm

mindfaQ wrote: If your game is mostly single player and not super popular, I would not worry too much about a small percentage of potential "hackers".

No data on a PC connected to the internet is safe per se.


@mindfaq I believe there's gonna be quite a lot of people playing it when I get it up on the App Store. Just being optimistic here if you don't mind. :D

Anyway I read the tutorial provided by @kyatric, and downloaded the MD5 Plugin that was made by him.



Image

Basically this is what I did. The "TotalBones" "Goldcoins" and "ShieldSinglePlayer" are some of the currencies in the game, am I doing it right?

P/S: I don't know any programming language and I'm still new to Construct 2, been only using it for about a month and a half now. Pardon me for begging your help :D
https://itunes.apple.com/us/app/id1004254105

We bet anyone a hundred dollars if they can reach the bone on the other side of the screen! (Only on the Impossible Mode)
Posts: 122
Reputation: 1,004

Post » Thu May 07, 2015 5:44 pm

ondraayyy wrote: @gumshoe2029 that's a good idea, but my question is, is there a way I can do that in Construct 2?


No, sadly. Nothing on the browser is ever safe. Anyone using Chrome Developer Tools or Firebug-like tools will be able to tweak any of your JavaScript source/variables at will. You have to store data on a server to be truly secure.

mindfaQ wrote:
As far as actual data protection, anything on the server is safe.

No data on a PC connected to the internet is safe per se.


Well, yes, but for most people, they are adequately low priority targets to call the server "safe". You can use proxying, firewalls, and intrusion detection systems to deter attackers also. All of our game servers are not connected to the internet directly; they go through a firewalled/IPS gateway server first who proxies all requests back.
https://www.ravenheart.ca/home
Company name changed to avoid Facebook-type shenanigans

"Someone once told me I bite off more than I can chew...

I told them I would rather choke on greatness than nibble on mediocrity."
Posts: 1,414
Reputation: 4,822

Post » Thu May 07, 2015 5:51 pm

ondraayyy wrote: Basically this is what I did. The "TotalBones" "Goldcoins" and "ShieldSinglePlayer" are some of the currencies in the game, am I doing it right?

P/S: I don't know any programming language and I'm still new to Construct 2, been only using it for about a month and a half now. Pardon me for begging your help :D


You do know that hashes are one-way, right? You cannot retrieve the original data from those hashes without using a GPU-enabled computer to crack the hashes.

But regardless, the user can simply pull the variable out before you hash it.

There is no way to protect things on the browser.
Posts: 1,414
Reputation: 4,822

Post » Thu May 07, 2015 6:20 pm

@gumshoe2029 Erm my game will not be on the browser, it will be on the App Store. Will it be safe if it's for the iOS Devices?
Posts: 122
Reputation: 1,004

Post » Fri May 08, 2015 8:10 pm

ondraayyy wrote: @gumshoe2029 Erm my game will not be on the browser, it will be on the App Store. Will it be safe if it's for the iOS Devices?


No, even there it is not safe. Apple has "Web Inspector Tools" for their Safari browser, which will give you all of the same powers as any other browser developer tools.
https://developer.apple.com/safari/tools/
Posts: 1,414
Reputation: 4,822

Post » Fri May 08, 2015 8:20 pm

If you want to set up a server, you can use Amazon Web Services. They have a server set that you can get for free for one year (even the non-free version for a t2.micro server is only 9.72 USD / month).

http://docs.aws.amazon.com/AWSEC2/lates ... n-ec2.html
http://docs.aws.amazon.com/AWSEC2/lates ... -LAMP.html
http://aws.amazon.com/ec2/pricing/#

You could set up a LAMP stack (Linux, Apache, MySQL, and PHP) or you can use PostgreSQL, Oracle, or Cassandra instead of MySQL, and you can use Java servlets (running on Apache Tomcat) or Python in place of PHP.

Then you can use AJAX calls to retrieve data from the server.

We use AWS for our server sets, and we have been extremely happy with them thus far. Their billing people are a little overzealous, but you can work around that.
Posts: 1,414
Reputation: 4,822
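
The server-side approach described in the post above, as an added example that is not code from the thread or from Construct 2: the server holds the balances and the price list, and a client request can only name an item and a quantity. The price of 50, the 99-item cap, the `requestId` field and the function names are assumptions made for this sketch.

```javascript
// Server-side price list; item and currency names reuse the thread's examples,
// the costs and request shape are assumptions for this sketch.
const PRICES = { ShieldSinglePlayer: { currency: "Goldcoins", cost: 50 } };
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function createLedger() {
  const accounts = new Map(); // playerId -> balances, held only on the server
  const applied = new Set();  // playerId:requestId pairs already processed

  function account(playerId) {
    if (!accounts.has(playerId)) {
      accounts.set(playerId, { TotalBones: 0, Goldcoins: 0, ShieldSinglePlayer: 0 });
    }
    return accounts.get(playerId);
  }

  // Called by server-side game logic only; never exposed as a client route.
  function grant(playerId, currency, amount) {
    const acct = account(playerId);
    if (!own(acct, currency)) return { ok: false, error: "unknown_currency" };
    if (!Number.isSafeInteger(amount) || amount <= 0) return { ok: false, error: "bad_amount" };
    acct[currency] += amount;
    return { ok: true };
  }

  // Client-facing. The request names an item, a quantity and a request id;
  // any balance or price fields the client sends are never read.
  function purchase(playerId, req) {
    if (!req || !own(PRICES, req.item)) return { ok: false, error: "unknown_item" };
    if (!Number.isSafeInteger(req.qty) || req.qty < 1 || req.qty > 99) {
      return { ok: false, error: "bad_qty" };
    }
    const id = playerId + ":" + req.requestId;
    if (typeof req.requestId !== "string" || applied.has(id)) {
      return { ok: false, error: "replayed_or_missing_id" };
    }
    const { currency, cost } = PRICES[req.item];
    const acct = account(playerId);
    if (acct[currency] < cost * req.qty) return { ok: false, error: "insufficient_funds" };
    applied.add(id);
    acct[currency] -= cost * req.qty;
    acct[req.item] += req.qty;
    return { ok: true, balances: { ...acct } };
  }

  return { grant, purchase };
}
```

The game client would send `purchase` requests over AJAX and display whatever balances the server returns, so a value edited in local storage changes only what that one device shows.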

Post » Thu Jul 28, 2016 8:03 am

Hi,
If you want to prevent hackers from hacking any of your personal data or webstorage value then you have to make your computer completely secure. Without security, your data and your computer are not safe in any way. So to make your PC secure from hackers, go through the below mentioned link which can help you to secure your computer and your web browsers.
http://removepcthreats.wix.com/securewebbrowser
Posts: 1
Reputation: 152

Post » Thu Jul 28, 2016 9:31 am

I'd agree in a way with @newt and @mindfaQ. You shouldn't worry too much about hackers. I'm not saying you shouldn't secure your app at all, but just don't freak out. If you want to secure it completely, this will be a neverending fight as they will find a new way for your new securities all the time. If you both (hacker and you) get stubborn enough this will be a ping-pong game between you both.

So I suggest to secure it from the noobies-hackers and kids with some cracking soft and that's it. They are the majority of problems. Real hackers which dive into your code and search the way to bypass your security are really minority. And well if they struggled to do it... take it as a compliment, it means your game was worth a hassle.

From my experience, the noobies-hackers are less than 0.5% of your game users. In my case it was 0.2%. The real hackers are far less part of your game community.

Now keep in mind that most of the noobies-hackers have no idea about anything related to development. Someone showed them a tool and they simply use it. So if you want to get rid of kids who make direct changes in your storage, simply encrypt the data - this step should already discourage most of kids.
For data encryption you have to use some two way hashing algorithm like Base64. So you could encrypt and decrypt data. Also don't bother to encrypt/decrypt all the values separately. You can use one LocalStorage key "gameData" and save there encrypted Dictionary JSON which you can then load and decrypt on game start. In that way "hacker" will see only one local storage entry containing some mystery hash and you will have your data loaded in RAM memory.

You can go a bit further and give some salt to the encryption process in case there is one smarter kid who heard of Base64.

Much more secure would be to have all data on your server in some database and sync this data each time the user spends resources. But this is pretty complex to do for someone who is not experienced in PHP/MySQL or any other backend technology as you have to secure your data transfer as well. If you have time, then go learn it, backend technology is very useful and fun, if not then encrypting storage should do the job for kid-ackers.
Posts: 931
Reputation: 38,066

Post » Thu Jul 28, 2016 2:06 pm

If you hardcode an encryption key in your C2 apk, they just have to look into your source with apk http://www.javadecompilers.com/apk and they can find it and decrypt anything you encrypted
Posts: 2,247
Reputation: 17,461
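
The single "gameData" entry suggested earlier and the hardcoded-key point in the post above, as an added example that is not code from the thread or from any Construct 2 plugin. It runs under Node.js and uses HMAC-SHA-256 from Node's `crypto` module rather than the MD5 plugin mentioned in the thread; `DEMO_KEY` and the function names are assumptions made for this sketch.

```javascript
const crypto = require("crypto");

// Constructed key for the demo. Shipped inside a client build it can be read
// by anyone who unpacks the app, so the tag deters casual edits only.
const DEMO_KEY = "constructed-demo-key-not-a-secret";

const mac = (payload, key) =>
  crypto.createHmac("sha256", key).update(payload).digest("hex");

// Serialize the save, Base64-encode it, and append a keyed tag over the payload.
function sealSave(data, key = DEMO_KEY) {
  const payload = Buffer.from(JSON.stringify(data), "utf8").toString("base64");
  return payload + "." + mac(payload, key);
}

// Returns the saved object, or null when the blob is malformed or was edited.
function openSave(blob, key = DEMO_KEY) {
  if (typeof blob !== "string") return null;
  const dot = blob.lastIndexOf(".");
  if (dot < 1) return null;
  const payload = blob.slice(0, dot);
  const tag = Buffer.from(blob.slice(dot + 1), "hex");
  const expected = Buffer.from(mac(payload, key), "hex");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (tag.length !== expected.length || !crypto.timingSafeEqual(tag, expected)) {
    return null;
  }
  try {
    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// Base64 is an encoding: the payload half reads back with no key at all.
function decodeWithoutKey(blob) {
  return JSON.parse(Buffer.from(blob.split(".")[0], "base64").toString("utf8"));
}
```

On load, a `null` from `openSave` is the signal to discard the save and start from defaults. The check holds only while the key stays unknown to the player, which a key embedded in the app cannot guarantee.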

Post » Thu Jul 28, 2016 2:11 pm

About MD5 encryption, you should just read a little bit about rainbow tables, basically, they have a table with millions of different hashes and they just take your hash and compare it to them via fast hardware and BOOM, they can decode anything you have, also they can insert hashes into those addresses using anything like Cheat Engine, and do absolutely what they want with your currency if the game is only offline, but if your game is online with a webserver, they can't play with these values so you are generally safe, they'd have to find a way to access that server, but that's ANOTHER story. (That would be like getting hacked by the Illuminati, but they don't do mobile games)
Posts: 2,247
Reputation: 17,461
