Java Virises and You!

What if we have a jar-file with our game in it, which connects to a Java-server, uses a method on that Java-server to grab some DB-information, and uses it in the application. Would that be prone to attacks? Would reverse-engineering the jar leave the IP of my Java-server open for all to see? Would my database be susceptible to attacks through this way of retrieving data from my DB?

It’s easy, but that’s not enough. You have to be willing to invest the time to hack a site.

And who’d care if JGO got hacked? Hackers typically try to hack (reasonably) high-profile sites.

You don’t even need to reverse engineer anything. You can simply monitor the network (with Wireshark) and you’ll see the IPs and packets scrolling by.

You always have to assume the client is hacked, so never let the client do anything you haven’t intended: don’t let the client make SQL queries. Instead, create a protocol in which the client can suggest that the server perform some logic, which might or might not result in a database query; the client shouldn’t even be aware of any database on the server. The server should always verify that the client input is correct, too.
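As an added illustration of the protocol shape described above (this is example code, not anything posted in the thread or taken from a JGO project), here is a small server-side handler. The client can only send an intent, "save this score for this player", and the server decides for itself whether the request is well-formed, whether the score is plausible for the reported play time, and whether anything reaches storage. The `Map` standing in for the database, the `maxPointsPerSecond` ceiling and the name/score values are all constructed assumptions; in real code the `put` would be a `PreparedStatement` with bound parameters, and the client would still never see a line of SQL.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example: the server owns all logic and all database access.
// The client is only allowed to express an intent (SaveScoreRequest);
// nothing in that message is ever interpreted as a query.
public class ScoreHandler {

    // The whole client-to-server vocabulary for saving a score.
    public record SaveScoreRequest(String playerName, int score, long playSeconds) {}

    public enum Result { SAVED, NOT_A_HIGHSCORE, REJECTED_INVALID, REJECTED_IMPLAUSIBLE }

    // Constructed stand-in for the database (assumption: a real server would
    // use a PreparedStatement with bound parameters here).
    private final Map<String, Integer> bestScoreByPlayer = new HashMap<>();

    // Assumed upper bound on points the game can legitimately award per second.
    private final int maxPointsPerSecond;

    public ScoreHandler(int maxPointsPerSecond) {
        this.maxPointsPerSecond = maxPointsPerSecond;
    }

    public Result handle(SaveScoreRequest req) {
        // 1. Structural validation: reject anything that is not what we expect.
        if (req == null || req.playerName() == null) {
            return Result.REJECTED_INVALID;
        }
        if (!req.playerName().matches("[A-Za-z0-9_]{3,16}")) {
            return Result.REJECTED_INVALID; // also kills "'; DROP TABLE ..." style names
        }
        if (req.score() < 0 || req.playSeconds() <= 0) {
            return Result.REJECTED_INVALID;
        }
        // 2. Plausibility: a score the game could not have produced in that time.
        long ceiling = req.playSeconds() * (long) maxPointsPerSecond;
        if (req.score() > ceiling) {
            return Result.REJECTED_IMPLAUSIBLE;
        }
        // 3. Business rule: only a new personal best is stored.
        Integer previous = bestScoreByPlayer.get(req.playerName());
        if (previous != null && previous >= req.score()) {
            return Result.NOT_A_HIGHSCORE;
        }
        bestScoreByPlayer.put(req.playerName(), req.score());
        return Result.SAVED;
    }

    public Optional<Integer> bestScore(String playerName) {
        return Optional.ofNullable(bestScoreByPlayer.get(playerName));
    }

    public static void main(String[] args) {
        ScoreHandler handler = new ScoreHandler(50); // assumed: at most 50 points/second
        System.out.println(handler.handle(new SaveScoreRequest("alice", 1200, 60)));
        System.out.println(handler.handle(new SaveScoreRequest("alice", 900, 60)));
        System.out.println(handler.handle(new SaveScoreRequest("alice", 1_000_000, 60)));
        System.out.println(handler.handle(new SaveScoreRequest("'; DROP TABLE scores; --", 10, 5)));
        System.out.println("alice best: " + handler.bestScore("alice").orElse(0));
    }
}
```

Compile and run with `javac ScoreHandler.java && java ScoreHandler` (Java 16 or newer, because of the record). The important property is not the particular checks but where they live: every decision is made on the server from data the server already trusts or can bound, and a modified client can only change what it asks for, not what gets written.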

(Replying to Riven, post 23:)
But if my server only has methods to save/retrieve a player-object or retrieve a list of highscores and such, how would someone hack that? Is it that easy to hack an object in memory? Can they know which part of memory to change to give their player a billion gold?

(Replying to Ultroman, post 24:)

Memory is easy to modify, if you can find the right values. Some flash games have obfuscated variables because of score-hacking. You should not log into your database with write permission from the client, ever. Instead, ask the server for the data and let it retrieve it for you.

Making a secure highscore for a game whose logic is client-side is an impossible task, as you can’t verify the game was actually played. You can obscure the way, but if somebody really wanted to, they could always do everything the code you give them can.
If you ever give anyone your IP, publicly, be prepared :) Not saying it will happen, but now it could.

Well, I was just thinking I’d have the game ask the server to save my Player-object, by passing the server-method a Player-object. Assuming I check the validity of the variables required for a Player-object, it shouldn’t be possible to hack the saving of a player, right? I mean, can they create an instance of Player without having the blueprint for it?

As for the highscores, I see what you mean…that sucks!

What about the server the game would be calling? Could they hack that and get the actual Java-server program too?

If not, I could make some gameID-generator on the server, which would give the current play-session an ID from some obscure algorithm, and then every time you try to save the player or a highscore, this ID would be sent as a parameter, and if it checks out, you get to save…wait…they could just call that method on the server to get a valid ID, right? Darn it! This is really demotivating :(

One could at least make procedural checks each update on a few meaningful player-variables, such as health, points, kills and time, to see if any are changed in a manner in which they shouldn’t be. Also, a check could be made to see if the system time has changed in an unexpected manner.

There are many good ideas…but I guess they can find a way through them all >:(

Don’t spend too much time on this issue either. Just make it difficult enough that nobody will want to go through whatever it takes.

You wouldn’t make the ID generator publicly available, so that at least anonymous updates are impossible.

What do you mean by this? If my game can call a method on the server to request a valid game-ID, can’t a hacker do the same thing if he has reverse-engineered my game?

Yes, it only works if players need to register for highscores once, and get a session id after logging in.
If it is all worth it, is a different question…
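To make the session-id idea above concrete (an added example, not code from the thread or from any JGO member’s game): the server hands out a session token only after a registered player has logged in with a password, and the score-submission method refuses anything that does not carry a live token. A reverse-engineered client can still call `login`, but only with credentials it actually has, so anonymous or forged submissions are impossible, which is exactly the limited guarantee the reply above describes. The player name, password, in-memory maps and the 100,000-iteration PBKDF2 setting are constructed assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: a score endpoint gated behind login-issued session tokens.
public class SessionGate {

    private record Credential(byte[] salt, byte[] hash) {}

    private final SecureRandom rng = new SecureRandom();
    // Constructed stand-ins for the server's credential, session and score stores.
    private final Map<String, Credential> credentials = new HashMap<>();
    private final Map<String, String> playerBySession = new HashMap<>();
    private final Map<String, Integer> highscores = new HashMap<>();

    // One-time registration: store a salted PBKDF2 hash, never the password.
    public void register(String player, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        rng.nextBytes(salt);
        credentials.put(player, new Credential(salt, derive(password, salt)));
    }

    // Login: a 256-bit random token is issued only when the password verifies.
    public Optional<String> login(String player, char[] password) throws GeneralSecurityException {
        Credential stored = credentials.get(player);
        if (stored == null) {
            return Optional.empty();
        }
        // Constant-time comparison, so timing does not leak how much of the hash matched.
        if (!MessageDigest.isEqual(stored.hash(), derive(password, stored.salt()))) {
            return Optional.empty();
        }
        byte[] token = new byte[32];
        rng.nextBytes(token);
        String session = Base64.getUrlEncoder().withoutPadding().encodeToString(token);
        playerBySession.put(session, player);
        return Optional.of(session);
    }

    // The only way to write a score: a token the server itself issued.
    public boolean submitScore(String session, int score) {
        String player = session == null ? null : playerBySession.get(session);
        if (player == null || score < 0) {
            return false; // anonymous, forged, expired, or malformed
        }
        highscores.merge(player, score, Integer::max);
        return true;
    }

    public void logout(String session) {
        playerBySession.remove(session);
    }

    public Optional<Integer> highscore(String player) {
        return Optional.ofNullable(highscores.get(player));
    }

    private static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256); // assumed work factor
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SessionGate gate = new SessionGate();
        gate.register("alice", "correct horse".toCharArray());
        System.out.println("no session:    " + gate.submitScore(null, 500));
        System.out.println("guessed token: " + gate.submitScore("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 500));
        System.out.println("bad password:  " + gate.login("alice", "wrong".toCharArray()).isPresent());
        String session = gate.login("alice", "correct horse".toCharArray()).orElseThrow();
        System.out.println("logged in:     " + gate.submitScore(session, 500));
        gate.logout(session);
        System.out.println("after logout:  " + gate.submitScore(session, 900));
        System.out.println("alice best:    " + gate.highscore("alice").orElse(0));
    }
}
```

Run with `javac SessionGate.java && java SessionGate` (Java 16 or newer). Note what this does and does not buy you: a token ties each submission to an account, so abuse can be traced and banned, but it says nothing about whether the score itself is genuine, which is the point made earlier in the thread about client-side game logic. Tokens would also need an expiry and a transport that hides them from a Wireshark session, such as TLS, before this is more than a sketch.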

The only way you can truly make sure is to infiltrate the system EA-style. That is obviously the shitty solution. Really, you should just not care about it.
Minecraft’s system is very nice, but then again, it’s a paid game. I wouldn’t ever want to register for a free game. Also, Puppygames’ system for verification is nice, but I still wouldn’t for a free game. Cas’s highscores are probably not any safer, but if you’re going to slash through a game’s code to get to the top of the highscore… Come on, really.

This is getting super off topic. :(

Yeah, I’m NOT going EA :) And sorry about being off-topic, but…java-vira?

I had a thought…can a hacker see the size of an empty Object[]? And can he change it?
Because my plan was that whenever you pause the game, I’d create some empty Object[], like this: points = new Object[currentPoints]
Then when the game unpauses, I just set the currentPoints variable to the same as the length of this temporary array :)
Is that smart or stupid, haha? Then I could make the game pause when it doesn’t have focus, and if that idea works, that’d keep them from changing anything.

Too much work. Hypothetically, yes, they can do anything. The real deal is that nobody is going to, and if one does, you can deal with it manually.

This is going on Steam…there are 12-year-olds there…and I’m giving them a highscore system :o There’s a Bill Gates III out there, 12 years of age, who will hack me for a highscore!