Forum Discussion
6 years ago
"Ladislav;c-1938332" wrote:
That does not solve the problem I described. If the cheat sends results which are possible with the given setup, nothing will be detected. Very raw example: you have a Jawa team and it can sometimes beat Geonosians. But depending on RNG it may not work all the time or you may lose quite a few Jawas. You just need to see the data of one battle where it works and the cheat can send similar data every time - the cheater's Jawas will always win. We can go even further with mirror matches. To detect such an anomaly, you need server-side processing and some ML on top of historic data.
I don't know exactly how Android / iOS development works. Is there secure storage? Is there a per-app certificate store? Is it possible to play the game on rooted / jailbroken devices? Does rooting / jailbreaking expose secure storage or certificates? Because all this cheating is tampering with data sent to the server, and that would not be possible if the data were signed unless the cheat can access the signing key / certificate.
The problem you described isn't actually a problem. Gather the first random seed from the server, or base any random seeds off of the battle time and validate against it; sending duplicate battle results from old battles will no longer be an option, if it even is right now. You don't need server-side processing at all; you just need a way to validate a deterministic input in the data.
It's quite easy to "root" an Android operating system; some phones allow this out of the box, and on others you can easily install a custom image over unlocked bootloaders. I think most of the tampering is probably done on emulators just because it's an easier environment to work with, but I don't know that for sure. The actual cheating that has been unearthed recently and has gone undetected has to do with client-side memory tampering. There's not a great way to detect this because anyone able to do this kind of tampering is usually able to tamper with the checks as well, unless perhaps they came up with some clever trickery. Even detecting if an operating system is "rooted" is pretty much impossible for people who take the right steps. Even then, people with rooted systems are sometimes people who spend a lot of money on games and don't actually cheat.
As far as signed data goes, it's possible they could come up with a time-based hashing algorithm that's difficult to spoof, but if you can tamper with the application memory in the first place it's easy enough to just send the server the results it wants from any checksums or anything like that. It's also something you'd have to stay on top of every step of the way; literally any move can be tampered with at any time and one can revert right back to the stock data set.
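The seed check discussed in the post above, as an added example that is not part of the original thread or the game's code: the server issues a one-time seed per battle and rejects results that reuse or alter it. The key handling, field names and 600-second window are assumptions; it covers only replay of old battle results, not tampering during a live battle.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
MAX_BATTLE_SECONDS = 600              # assumption: longest plausible battle
_used_seeds = set()                   # seeds already redeemed by an accepted result


def _tag(player_id, seed, issued_at):
    # MAC binding the seed to one player and one issue time
    msg = f"{player_id}|{seed}|{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_seed(player_id, now):
    """Called when a battle starts: hand the client a fresh seed plus its tag."""
    seed = secrets.token_hex(16)
    return {"player": player_id, "seed": seed, "issued_at": now,
            "tag": _tag(player_id, seed, now)}


def validate_result(result, now):
    """Return 'ok' or the reason a submitted battle result is rejected."""
    expected = _tag(result["player"], result["seed"], result["issued_at"])
    if not hmac.compare_digest(expected, result.get("tag", "")):
        return "bad-tag"    # seed was not issued by this server to this player
    if not 0 <= now - result["issued_at"] <= MAX_BATTLE_SECONDS:
        return "stale"      # result arrived outside the battle window
    if result["seed"] in _used_seeds:
        return "replayed"   # the same battle data was submitted before
    _used_seeds.add(result["seed"])
    return "ok"


if __name__ == "__main__":
    t0 = 1_000_000  # constructed timestamp
    result = dict(issue_seed("player-1", t0), outcome="win")
    print(validate_result(result, t0 + 120))  # first submission
    print(validate_result(result, t0 + 130))  # same data sent again
```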