
Is creating a leaderboard web API that can't be fudged possible? [Resolved]

Let's say you have a game, and players of your game can get scores. You also want to be able to post these scores to a server using calls to a web API. Obviously, you want to be able to tell who sent the request; you only want to trust calls to this web API that came from your application.

If I understand correctly, this post means that it's impossible to verify that your application initiated this request rather than someone just fudging the request. Is this the case?

If so, how do applications in the real world handle leaderboards?

I considered posting this in the Game Development Stack Exchange, but I figured this question probably has applications beyond leaderboards.


Question Credit: NetherGranite
Asked June 12, 2019
Posted Under: Programming
2 Answers

Such secure leaderboards are possible only under very limited circumstances:

  • you have complete control over the client hardware and can use Trusted Computing techniques to attest that the score was earned correctly; or
  • the authoritative game state is stored on your servers and not on the client; or
  • the score is structured using such (mathematical) techniques that the score can be verified independently

These are infeasible for most games.

Note that some DRM approaches use Trusted Computing techniques, that internet-connected gaming makes it easier to detect cheating, and that blockchains are an example of independently verifiable data structures.

Instead of creating the perfect system, most leaderboards will just try to make cheating sufficiently difficult. For example, embedding API keys into the application is not a secure access control mechanism – but it is a small hurdle that might discourage some cheaters. Other DRM techniques try to ensure the integrity of the running software. But even if your game ran on your own servers and was therefore immune to manipulation, there's the issue as to whether the user input is generated by a human or e.g. an aimbot. Here, statistical techniques for anomaly detection might help. Recording a replayable event stream of the game doesn't prevent cheating, but makes it possible to investigate possible fraud.

The question for you is: how important is this leaderboard? Do you need to support offline play? What platforms are you targeting? There's a lot you can do to make cheating difficult, it just may not be worth the effort.


credit: amon
Answered June 12, 2019
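As an added illustration of two of the approaches named in the answer above (keeping the authoritative game state on the server, and recording a replayable event stream that the server re-checks), and not code from the original answer: a hypothetical target-hitting game in which the server decides when targets appear, the client submits only its input events, and the server recomputes the score from those events and flags anomalies instead of trusting a claimed score. The game rules, the function names and the thresholds (human reaction floor, target lifetime) are assumptions made for this example.

```python
"""Server-side score validation for a hypothetical target-hitting game.

The client never gets to assert a score. It sends the input events it
claims to have made; the server replays them against the targets it
itself generated and derives the score. Hard rule violations reject the
submission; soft signals are returned as flags for later investigation.
"""
from dataclasses import dataclass, field
import random

HUMAN_MIN_GAP_MS = 80      # assumed floor between two human inputs; only a flag, not a rejection
TARGET_LIFETIME_MS = 1500  # assumed window after spawning during which a target can be hit


@dataclass
class Target:
    tid: int
    spawn_ms: int  # relative to session start


@dataclass
class Session:
    session_id: str
    started_ms: int      # server clock when the session was issued
    targets: list        # list[Target]; the server, not the client, chose these


@dataclass
class Verdict:
    accepted: bool
    score: int
    flags: list = field(default_factory=list)


def start_session(session_id: str, started_ms: int, seed: int, n_targets: int = 10) -> Session:
    """The server decides what the game looks like; the client only renders it."""
    rng = random.Random(seed)   # seed is server-side; the client never supplies it
    t, targets = 0, []
    for tid in range(n_targets):
        t += rng.randint(400, 1200)   # spawn intervals of 0.4 to 1.2 s (assumed)
        targets.append(Target(tid, t))
    return Session(session_id, started_ms, targets)


def honest_events(session: Session, reaction_ms: int = 300) -> list:
    """What a legitimate client would submit: (t_ms, target_id) per hit."""
    return [(tg.spawn_ms + reaction_ms, tg.tid) for tg in session.targets]


def validate_submission(session: Session, claimed_score: int, events: list, submitted_ms: int) -> Verdict:
    """Replay the client's event stream; the claimed score is compared, never trusted."""
    flags = []
    by_id = {tg.tid: tg for tg in session.targets}
    hit = set()
    last_t = -10**9
    for t, tid in events:
        if t < last_t:
            return Verdict(False, 0, ["non-monotonic event stream"])
        if t - last_t < HUMAN_MIN_GAP_MS:
            # Soft signal: plausibly an aimbot or scripted input. Recorded for review.
            flags.append(f"inter-event gap {t - last_t}ms below human floor")
        last_t = t
        tg = by_id.get(tid)
        if tg is None:
            return Verdict(False, 0, [f"unknown target {tid}"])
        if not (tg.spawn_ms <= t <= tg.spawn_ms + TARGET_LIFETIME_MS):
            return Verdict(False, 0, [f"target {tid} hit outside its window"])
        if tid in hit:
            return Verdict(False, 0, [f"target {tid} hit twice"])
        hit.add(tid)
    # The client's claimed play time cannot exceed the wall-clock time the server observed.
    if last_t > submitted_ms - session.started_ms:
        return Verdict(False, 0, ["claimed play time exceeds server-observed time"])
    score = len(hit)  # derived by the server from the replay, not read from the request
    if claimed_score != score:
        flags.append(f"client claimed {claimed_score}, replay gives {score}")
    return Verdict(True, score, flags)


if __name__ == "__main__":
    s = start_session("s1", started_ms=1_000_000, seed=7)
    late = s.started_ms + s.targets[-1].spawn_ms + 5000
    print(validate_submission(s, 10, honest_events(s), late))        # accepted, score 10
    print(validate_submission(s, 1000, honest_events(s), late))      # accepted, score 10, mismatch flagged
    print(validate_submission(s, 10, honest_events(s), s.started_ms + 100))  # rejected: too fast
```

The design point is that the request carries evidence (events) rather than a conclusion (score), and that evidence is checked against state the client never controlled. This still does not tell a human apart from a well-timed bot, which is why the reaction-gap check is a flag for anomaly review rather than a rejection.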

Correct, you cannot trust remote systems at all. Whatever method you use to validate that remote calls are made only under specific conditions, an attacker can always analyze the means you've used and use them to forge their own calls. This is true even when you release your game without sources - machine code is also a programming language, and for the sort of people who like to forge remote calls, it's almost as legible as source code. In the real world, people handle this by game leaderboards not being that important an asset to begin with.


credit: Kilian Foth
Answered June 12, 2019