Kryonet: Can I trust the client? (Beginner question)

I have a turn based game where the user clicks a button in the client, the client sends a message (an object registered with kryonet that is), the server then has the user’s hero perform an action depending on the message.

In theory, if the client sent another (correctly formatted and expected) message, the server would accept it without questioning. For example cast a fireball targeting all enemies, when it should only be able to target one.

It isn’t possible to cast let’s say a spell you haven’t learned, but I’m sure it’s obvious what the problem is.

Currently it’s impossible for the user to be able to send unexpected messages through the client, the server tells the client which messages it should be able to send at any time, but it is not guarding against the client not conforming to that.

Is that secure enough or should I be afraid of users somehow hacking the (android) client?

Also, is there a standard way to handle this? The range of dealing with this goes from just accepting the (hacked) messages, terminating the game (meaning I assume anyone sending a wrong message can’t be innocent), giving the user feedback and a chance to resend the correct message, or ignoring the message and trying to come up with a game-fitting interpretation (fireball - all is interpreted as fireball - single), with the last being so much work, I can’t imagine it to be standard.

While this is an important topic for many games, do you currently have a game that enough people will play that hacking becomes an issue? I would leave any anti-cheat checks for now, and deal with it when the time comes. Out of the solutions you have for how to resolve an invalid packet, you could either kick the player or ignore the message. Don’t do any fancy stuff, keep it simple.

I don’t have anybody playing yet. Since I’m new to everything, I have to pick my battles, and I hoped neglecting this for now wouldn’t be horrible, which it seems it isn’t, so that’s cool, thanks.

The question is never whether you can trust the client. You almost certainly cannot.
The question should be whether your trust is misused, and if so, whether that actually matters for the game.
So yeah, especially if you are just getting into it, try to get it all working in the first place.
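
A sketch of the "ignore or kick" handling discussed in this thread, added here as an illustration and not code from any of the posters: the server re-checks every incoming message against the same option list it already sends to the client. The `CastSpell` message type, the three-strike limit and all other names are assumptions (Java 16+ for records); with Kryonet, `check` would be called from the listener's `received` callback before any game logic runs.

```java
import java.util.*;

public class ActionValidator {
    enum Target { SINGLE, ALL }
    enum Verdict { ACCEPT, IGNORE, KICK }

    // Hypothetical message; in the game this is the object registered with Kryonet.
    record CastSpell(String spell, Target target, int enemyId) {}

    private static final int MAX_STRIKES = 3;              // assumed policy, tune to taste
    private final Map<String, Set<Target>> offered = new HashMap<>();
    private final Set<Integer> liveEnemies = new HashSet<>();
    private final Map<Integer, Integer> strikes = new HashMap<>();
    private int activePlayer = -1;

    // Record exactly what the server told the client it may send this turn.
    void beginTurn(int playerId, Map<String, Set<Target>> options, Set<Integer> enemies) {
        activePlayer = playerId;
        offered.clear();     offered.putAll(options);
        liveEnemies.clear(); liveEnemies.addAll(enemies);
    }

    Verdict check(int playerId, CastSpell msg) {
        // Out-of-turn or duplicate packets happen on honest clients too: drop silently.
        if (playerId != activePlayer) return Verdict.IGNORE;
        Set<Target> modes = msg.spell() == null ? null : offered.get(msg.spell());
        boolean ok = modes != null && msg.target() != null && modes.contains(msg.target())
                && (msg.target() == Target.ALL || liveEnemies.contains(msg.enemyId()));
        if (ok) {
            activePlayer = -1;                              // one action per turn
            return Verdict.ACCEPT;
        }
        // Well-formed but never offered: the stock client cannot produce this.
        int n = strikes.merge(playerId, 1, Integer::sum);
        return n >= MAX_STRIKES ? Verdict.KICK : Verdict.IGNORE;
    }

    public static void main(String[] args) {
        ActionValidator v = new ActionValidator();
        // Constructed sample turn: player 1 may cast fireball at one of enemies 10 or 11.
        v.beginTurn(1, Map.of("fireball", Set.of(Target.SINGLE)), Set.of(10, 11));
        System.out.println(v.check(2, new CastSpell("fireball", Target.SINGLE, 10))); // wrong player
        System.out.println(v.check(1, new CastSpell("fireball", Target.ALL, 0)));     // mode not offered
        System.out.println(v.check(1, new CastSpell("meteor", Target.SINGLE, 10)));   // spell not offered
        System.out.println(v.check(1, new CastSpell("fireball", Target.SINGLE, 99))); // bad target, third strike
        System.out.println(v.check(1, new CastSpell("fireball", Target.SINGLE, 11))); // offered action
    }
}
```

The verdict is only a recommendation: the caller decides whether `KICK` closes the connection or just ends the match, and the game state is touched only on `ACCEPT`.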