Fake scores in Google Play Game Services

Question

Some of the scoreboards have been receiving fake score submissions. Here is an example:

Top three scores seem fake

The same thing happened to a game I've made. Is there a way to protect one self from fake submissions and is there a way of moderating the scoreboards?

Have you found a better way to fight the cheaters except hiding their fake scores? — shelll, Feb 02 '14 at 17:54
For everyone. There is a management-tool from google gameplayservices on github https://github.com/playgameservices/management-tools/tree/master/tools/hide-o-matic read the introduction to learn how to use it =) — user3487188, Apr 06 '14 at 00:29

sagis · Accepted Answer · 2016-02-24T18:52:32.053

11

The most simple (and popular?) way users fake high scores is by using root access to edit saved data.

Few simple steps you can take in order to make it harder:

Don't hold the score as is in the memory or on saved state. For example multiple/divide by a factor & add a constant. Even better option is to implement an encrypted shared preference.
Add a check-sum to the structure holding the score (CRC32, MD5).
Validate the score to check no one played with it when loading from saved state or reading/writing in the memory.
Use ProGaurd to obfuscate your code. If you're making money use DexGuard which is much stronger and will also make software piracy harder.

edited Feb 24 '16 at 18:52

answered May 15 '14 at 13:10

sagis

2,162
18
24

can you explain #3 a bit more ? – jesses.co.tt Feb 23 '16 at 17:01
2

It's basically the same as (2) - validate the CRC code. – sagis Feb 24 '16 at 18:48

score 7 · Answer 2 · answered Aug 20 '13 at 15:00

7

Two techniques I would recommend...

Add a maximum and minimum value to your leaderboard in the Developer Console. If you have a leaderboard for total stars and there are only 180 stars in the game, set 180 as the maximum value. That will ensure cheaters don't end up adding these fake looking scores.
Check out the players.hide() call. This will hide a player and all of his/her scores from the public leaderboard so that nobody else can see them. Please note this REST call is not built into the mobile libraries; you'll need to create your own mini web app (or make curl calls directly) to use this call.

answered Aug 20 '13 at 15:00

Todd Kerpelman

16,875
4
42
40

2

This does not completely solve the problem. Even the score of 180 can be a fake score submitted by a cheater. Google should somehow handle submitting fake high scores, like they handle in app purchases e.g. by signing each submit score request. – shelll Feb 02 '14 at 17:53
You cannot prevent fake scores. All you can do is to make it harder to accomplish. – kupsef Aug 06 '14 at 08:01
@Todd in player.hide() call, from where will we get the value of the parameter "playerid"?(if you don't mind) – DroidHeaven Mar 19 '15 at 03:24
@DroidHeaven you can get them by making a scores.list() call -- that will let you see all of the scores / playerIDs of each player who has submitted something to that leaderboard. – Todd Kerpelman Sep 02 '15 at 21:16

Fake scores in Google Play Game Services

2 Answers2