Fancy stuff about my technical life
What this all about is....Flash Games
posted by cimnine @ 11:35am, Thursday 3 December 2009.
I don't know why, but a lot of flash games are very poorly designed in many aspects. I'll explain some common mistakes using an example:
Kitag, a Swiss cinema group, put up a Christmas game this year, developed (or at least hosted) by a company called netvision. Kitag is raffling prizes worth a total of 3'120 CHF. (That's currently about the same in USD.)
The game is a very classic jump-and-run game in the manner of Mario: Santa has to collect some items and get to the end of the level. The more items he collects and the faster you get through the level, the more points you get. It's possible to invite friends to the game. Each of your friends gets an email with a one-time link to register. For every registered friend you get another 500 points.
The design of the game is poor in several aspects:
- Data Transmission: All data gets submitted without any encryption. Usernames, passwords, email addresses; just everything. And we all know how lazy normal users are: same username, password and mail for everything. Plus: encryption would stop less advanced people from exploring the underlying protocol of the game.
- Data Integrity: There is no check whether the data sent by the client has been faked. The score made in each game is submitted as a POST parameter (like points=42) without any validation, such as a checksum. It's very easy to fake such a request, and just as easy to set a new, just slightly higher, score this way. There are no time limits for submission (the limit should be at least the absolute minimal time it takes to get through the game). As I already mentioned, there's no checksum, which would, even if its algorithm was hardcoded, force a person to disassemble the swf file. But this way is clearly against the defined rules and could end up in instant exclusion.
- Invitations: This is more a fail-by-decision than a fail-by-design. It would be an effort of some hours to write a script that gets mails from a mail server and registers via the link given in each mail. (Here we have the same problem with the fully accessible protocol again.) This could get me lots of points a day - and is not clearly against the rules.
But this is at least the second game I've examined where it was very easy to trick a better score. (I'm talking about speedfingerzzz from the Swiss Post. Its design is a bit more robust, but not robust enough. It's running for the second year now, without any improvements and with the same protocol.)
In my opinion, the only way to effectively secure a flash game is to verify each action a user does on a server. The best way would be to do every calculation on the server, but this isn't that fast if you have lots of users, or if you have users with slow internet connections. The other way I'd propose is to log every action in the client, send the log to the server for evaluation, and send the points made back to the client. The important part is: the server calculates how many points the user made, not the client!
~Chris
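The server-side evaluation proposed above, as an added example that is not part of the original post or the game's code: the server replays the client's action log against its own level data and computes the score itself, rejecting logs that are physically impossible or faster than the minimal run time. The level layout, speed limit, minimum time and bonus formula are constructed assumptions.

```python
# Constructed level data; every name and value here is an assumption for the example.
ITEMS = {"gift1": (100, 50), "gift2": (400, 50), "star": (900, 200)}  # id -> (x, points)
LEVEL_END_X = 1000
MAX_SPEED = 0.5          # px per ms, the fastest Santa can move
MIN_FINISH_MS = 2500     # assumed fastest possible run, including forced waits
TIME_BONUS_START = 1000  # bonus points, minus one for every 10 ms played


class RejectedRun(Exception):
    """Raised when an action log cannot have come from a real run."""


def score_run(events):
    """Recompute the score from the action log; a client-supplied total is never read.

    events: list of (t_ms, kind, item_id), kind being "collect" or "finish".
    """
    x, t, points, seen = 0, 0, 0, set()
    for t_ms, kind, item_id in events:
        if kind == "collect":
            if item_id not in ITEMS or item_id in seen:
                raise RejectedRun(f"unknown or repeated item {item_id!r}")
            seen.add(item_id)
            target_x, value = ITEMS[item_id]
        elif kind == "finish":
            target_x, value = LEVEL_END_X, 0
        else:
            raise RejectedRun(f"unknown event {kind!r}")
        # Time must move forward and the distance must be reachable at MAX_SPEED.
        if t_ms < t or abs(target_x - x) > (t_ms - t) * MAX_SPEED:
            raise RejectedRun(f"impossible movement at t={t_ms}")
        x, t, points = target_x, t_ms, points + value
        if kind == "finish":
            if t < MIN_FINISH_MS:
                raise RejectedRun("finished faster than the level allows")
            return points + max(0, TIME_BONUS_START - t // 10)
    raise RejectedRun("log has no finish event")
```
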
Comments
Ehhh, could it be that the highscore at Kitag is bugged? New users no longer get a score / rank :S
Nexus - 1:44am, Tuesday 22 December 2009.