Jul 29, 2009
Cheaters! Cheaters!
High-score leaderboards in iPhone games are virtually ubiquitous, but as with any hastily-built system the opportunity for cheating and other misdeeds is ripe. On such a poorly-secured and highly-visible platform, hackers are not long to follow.
Cheater in Moon Drop
It comes as no surprise that online leader-boards are now an almost mandatory feature for any new game on the iTunes App Store, and many developers are integrating their leader-boards with popular social networks to further their reach. The benefits are seen not only by players who can now share their latest high-scoring game with their friends on Facebook, but also by the developers themselves, enjoying what amounts to valuable word-of-mouth recommendations among players.
However, as the iTunes store has shown us with prices and with quality, it can sometimes turn into a race to the bottom. The time investment of developing a separate online system — one which can easily amount to as much code as the game itself, is a large obstacle to many indie developers. By its nature, the development of such a sidecar product also falls under a sometimes entirely separate skillset of web administration, internet security, and large scale systems design.
A Cheater in Flight Control
So, many developers are faced with one of three options:
1) Omitting the online scoreboard entirely. Using a high-score list local to the device is fine, but players can’t share scores with their friends, and the opportunity for inter-player promotion is lost. It is a virtual certainty that users will post negative reviews chiding the developer for the omission.
2) Developing the scoreboard in-house. This is the route we chose for TowerMadness, but at the heavy cost of tasking one member of our team almost entirely to the scoreboard for the later portion of our development, an experience I’ll save for a future article. Our efforts are covered in this story.
3) Using someone else’s facilities. Many developers now use Twitter as their high score engine. A simple feat to implement — just search all tweets for those matching a specific pattern used by your game, separate the numeric portion, and list those on your in-game scoreboard. Simple, since almost no work is necessary the web-side, and one can assume that Twitter is pretty good at running their own servers reliably. The problem, is the obvious loss of control. Anyone can tweet anything they want, including fake scores for your game. There are protections against this, such as checking the User Agent on the tweet, verifying hashcodes, etc, but all are apt to be easily broken or spoofed on such an open system.
The obvious conclusion to make is that with such widespread weakly secured scoreboards, many scoreboards are susceptible to overruns by hackers taking over the top spots, and indeed this is what we are beginning to see on a majority of the popular leaderboards. This hacking is further facilitated by the ease of iPhone jailbreaking, giving relatively unskilled hackers the tools with which to unfairly boost their game performance.
What I find more interesting about these developments however, is what seems to be creeping just around the corner. A decade ago, viruses were written by hobbyists for glory and gloating but soon evolved into a platform for commandeering computers into botnets for mass emailing, phishing scams, and all sorts of nasty stuff. McAfee announced today that the volume of spam has increased 141 percent since this March to more than 117 billion emails per day, and this number is sure to continue to grow.
The concern now is that similar to the way spam has infected email, forums, messageboards, and even instant messaging, spam will gain a foothold on leaderboards as well. For example, a user could hack an advertisement [in the form of a username, and link to a twitter account plastered with the ad] into the highly-trafficked top spot of a popular game’s leaderboard, instantly enjoying many free views a day. A single leaderboard may not amount to many impressions, but what if a significant number of games are hacked at once? This is tantamount to valuable, focused advertising to an often lucrative demographic.
So what are developers to do? Well, help may be on the way. Several developers, such as Aurora Feint, are opening their scoring platforms (Open Feint, in this case) to the developer community. There are some benefits to the consolidation of scoreboards, mainly that users can enjoy a shared profile with shared achievements across several games, as users of Microsoft’s Xbox LIVE do. Moreover, any vulnerabilities in the system can be often patched at a global level, fixing all games on the system. The obvious drawback to such a scheme, of course, is that developers are limited in customizing the presentation of their boards.
These “shared” platforms seem to be the future, and many venture firms are starting to give these efforts funding. Whether a single one of these platforms will eventually take precedence remains to be seen. In the meantime, all you can do is encourage the developers of your favorite game to remain vigilant of their scoreboards in the hope that scoring will remain fun and fair for everyone.
