How to keep a multiplayer game safe from cheating?

:information_source: Attention Topic was automatically imported from the old Question2Answer platform.
:bust_in_silhouette: Asked By Nikola-Milovic

So I am making a non-realtime mobile multiplayer game in which cheating would be rather simple to achieve and would ruin the experience for others. The way I have it set up for now is, the server handles all of the currencies, inventory and all the stuff the player owns; nothing is saved locally. But I am scared about the actual files of the game: how difficult would it be to change the hardcoded item damage values, for example, and such? I’ll go with an authoritative approach to most of the aspects of the game but I don’t really wanna do everything server side. So to put it more concisely these are my questions:
(using Nakama)

  1. What can I entrust to the client to send to the server? (Using RPC)
    e.g. Can I send rewards from battles to the server to save or should I also calculate and send that to the client from the server?

  2. How safe are my spell damage values, health values, etc. that are a part of the actual code/resources and such?

  3. Can I somehow verify that the game hasn’t been tampered with, that the files are the same as the original .APK?

  4. Are there any tools/tricks/tips that can be useful to address this issue? I don’t mind challenges and I’d like to try anything to achieve safety to some extent. I assume there are options for this as there are plenty of mobile games/applications that would suffer from tampering with the files and such.

1.1) Adding to the first question, can I do reward/slot machine calculations in the client and send the values to the server to add the rewards? Where would that chain be intercepted? When sending the values or while generating them?

Thank you for your time! Idk if I was clear enough, please ask me to expand upon something if needed.

:bust_in_silhouette: Reply From: dustin
  1. The inputs are the safest thing you can have sent to the server (since you can’t really hack the inputs to gain an unfair advantage).

  2. The values in your source code could be tampered with, but putting those values in the server would lessen the possible chance of cheating dramatically, and possibly to 0.

  3. You probably shouldn’t, and I don’t think that’s even possible. It would be better if you save the hardcoded values into the server, so nobody can tamper with the values (as long as the server is safe and can’t be tampered with, and I assume Nakama is).

  4. (1.1) Honestly I don’t know where the chain can be intercepted, so the best you can do to be safe is to do the reward/slot machine calculations in the server and send it to the client, which will then be shown to the player after some animation so they feel like the randomness comes from the client.

I don’t know why you’d want to do the calculations client side (I would love to know why), but if you want the most anti-cheat system to your game, you should probably do a lot of the things you mentioned server side as people don’t have access to the server, meaning all they can do is play the game as intended. It most likely won’t slow down the server since it’s not a real-time multiplayer game (I assume it’s some turn-based game of some sort).
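A sketch of the server-side reward flow discussed in this thread, added here as an example; it is not code from either poster or from Nakama. It is plain Go with no Nakama runtime calls, and every name in it (`Server`, `Battle`, `ClaimReward`, `rewardTable`) and every sample value is a hypothetical assumption. The client sends only a battle ID, the server rolls the amount from its own table, and a repeated claim is refused.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// Constructed reward ranges {min, max}; they exist only on the server.
var rewardTable = map[string][2]int64{"easy": {10, 20}, "hard": {50, 80}}

// Battle is the server's own record of a fight it resolved from player inputs.
type Battle struct { Owner, Tier string; Won, Claimed bool }

type Server struct { mu sync.Mutex; battles map[string]*Battle }

var ErrRejected = errors.New("claim rejected")

// ClaimReward takes only an ID from the client; userID comes from the session.
// The amount is rolled here, so a modified client has no value to forge.
func (s *Server) ClaimReward(userID, battleID string) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	b, ok := s.battles[battleID]
	if !ok || b.Owner != userID || !b.Won || b.Claimed {
		return 0, ErrRejected // unknown, someone else's, lost, or replayed
	}
	r := rewardTable[b.Tier]
	n, err := rand.Int(rand.Reader, big.NewInt(r[1]-r[0]+1))
	if err != nil {
		return 0, err
	}
	b.Claimed = true // one payout per battle
	return r[0] + n.Int64(), nil
}

func newDemoServer() *Server { // constructed sample state
	return &Server{battles: map[string]*Battle{
		"b1": {Owner: "alice", Tier: "hard", Won: true},
		"b2": {Owner: "alice", Tier: "easy", Won: false},
	}}
}

func main() {
	fmt.Println(newDemoServer().ClaimReward("alice", "b1"))
}
```

The client can still play any animation it likes before showing the returned amount; nothing it sends can change that amount.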