clark

Securing HTML games is it possible?

Recommended Posts

My boss asked me today about my thoughts on attempting to secure games. 

In the past we had an encryption tool built into the build process of our Flash Games. It was a great tool and made it pretty impossible to just steal the SWF. 

Maybe a (easy to crack) domain check, or obfuscating the JS.... They seem like pretty meagre approaches but the best I have heard of. 

Basically, if someone is going to steal your game, should you just accept it and move on or is it worth spending time looking for solutions?

Thanks!
 

Share this post


Link to post
Share on other sites

You can't. All you can do is to minify your code.

No matter how you try to encrypt your code, you always have to provide a method to decrypt it so that the browser understands what to do.

 

If someone steals your code, then you can file a DCMA Takedown Notice, file a lawsuit, contact the one who stole your code, etc.

Another thing you can do is to work with websockets and keep some of the code serverside. That makes it harder for the average pirate,

Share this post


Link to post
Share on other sites

It's interesting all this. I'm not really bothered about locking down the actual code as it's the intellectual property that's important, plus 'view source' is basically how I learned front end development to begin with!

 

One thing that's difficult to lock down with HTML5 games is folks gaming the system by faking ther scores etc... via the console. Bit annoying if you want to run a leaderboard. That's something I'd like to find a secure solution for.

Share this post


Link to post
Share on other sites

The only thing you can do to have secure your code in you game is to put part of the code on the server side. NodeJS can help a great deal. But of course you'll need to have constant internet connection

 

But if the game is simple enough minify code will be enough since creation of the similar game will cost cheaper then reverse engineering it. 

Share this post


Link to post
Share on other sites

Here you may want to look at this: https://jscrambler.com/

 

This might be worth knowing about Javascript obfuscators.

 

See more: http://blog.kotowicz.net/2010/04/beating-javascript-obfuscators-with.html

 

Although Google is using Javascript obfuscators for examples Google Maps and they even say one of the nice side effects of GWT is code obfuscation.

 

Google have comment the topic on their FAQ for Google Web toolkit: http://code.google.com/webtoolkit/doc/1.6/FAQ_DebuggingAndCompiling.html

 

 

By default, GWT obfuscates the JavaScript it produces. This is partly done to protect the intellectual property of the application you develop, but also because obfuscation reduces the size of the generated JavaScript files, making them faster to download and parse.

Share this post


Link to post
Share on other sites

It's interesting all this. I'm not really bothered about locking down the actual code as it's the intellectual property that's important, plus 'view source' is basically how I learned front end development to begin with!

One thing that's difficult to lock down with HTML5 games is folks gaming the system by faking ther scores etc... via the console. Bit annoying if you want to run a leaderboard. That's something I'd like to find a secure solution for.

I think the same. If it's on the web, I accept that someone could copy it, but I can't figure out which is the best way to prevent fake requests, since this could affect the other players.

Share this post


Link to post
Share on other sites

I think the same. If it's on the web, I accept that someone could copy it, but I can't figure out which is the best way to prevent fake requests, since this could affect the other players.

 

True, that's the main issue I think for HTML5 games have aheads to prevent fake request.

Share this post


Link to post
Share on other sites

I found this playtomic self-hosted backend server and got it set up locally without too much hassle: http://playtomic.org/

 

When I created it and ran a few API calls I noticed it has tables labelled as 'Ban' lists. I haven't dug through the code much but hopefully it means it has some sort of detection for spammy submissions. You can also be explicit about the Allow-Access-Origin header so the request has to come from your game URL. I know people can still use the console but seeing as you can store game variables on the server it could certainly help.

 

I guess obfuscation and something like playtomic is the way to go.

Share this post


Link to post
Share on other sites

I heard that Game Maker obfuscates html5 exports for that very reason.

Can anyone speak to the strengths and weaknesses of varying obfuscation solutions as they compare to each other? Also is the Gamemaker obfuscation optional? I'm picking up an HTML5 Studio license and I'd like to make some changes to the code it spits out before releasing it into the wild.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.