Rafael Barbosa

CyberSecurity in Game Development

Building secure games is crucial for any type of game, especially those that integrate complex features such as payments, tradeable items, multiplayer or blockchain. This blog post covers some of the obvious pitfalls to avoid while developing your next big hit.


Cybersecurity in Game Development - Yellow Panda Games Blog

Don’t Trust the Client

The “client” is everything that is not the server. This generally means the user’s machine, browser or downloaded software. 


The user has access to the game’s files and therefore can never be fully trusted. They might have changed a line of code to receive 100 coins instead of the usual 10, or they might have changed the price of an item from $1 to $0.


They might even request sensitive information from the database about other people, such as their address or password.


All of the issues above are big “no-nos” and should be avoided at all costs.



Server Side Logic is the Safest Route

Think about traditional websites: when the user presses a button, the browser does not communicate directly with the database. Instead, it sends a request to a server that verifies the validity of what the user intends to do.


If it is a valid action, the server performs changes in the database and returns an answer to the client. The client becomes what is essentially a controller. 


This is much like a game itself: you cannot directly tell the character to move forward; instead, you press a button that tells the game that you want to move forward.
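The two sections above, as an added example that is not code from this blog or any real game: a server that takes the price from its own catalog, the player's identity from the session token, and refuses requests for other players' data. The item names, tokens and request fields are assumptions made for the illustration.

```python
class GameServer:
    """Holds the only copy of prices, balances and private data that counts."""

    def __init__(self):
        # Constructed sample data.
        self.catalog = {"sword": 50, "potion": 10}        # item -> price in coins
        self.sessions = {"token-alice": "alice", "token-bob": "bob"}
        self.players = {
            "alice": {"coins": 60, "items": [], "address": "1 Example St"},
            "bob": {"coins": 5, "items": [], "address": "2 Sample Ave"},
        }

    def _authenticate(self, token):
        """Identity comes from the session token, never from the request body."""
        player_id = self.sessions.get(token)
        if player_id is None:
            raise PermissionError("unknown session")
        return player_id

    def purchase(self, token, request):
        """Buy an item; only the item id is read from the client's request."""
        player = self.players[self._authenticate(token)]
        item = request.get("item")
        if not isinstance(item, str) or item not in self.catalog:
            return {"ok": False, "error": "unknown item"}
        price = self.catalog[item]      # a client-supplied "price" is never read
        if player["coins"] < price:
            return {"ok": False, "error": "insufficient coins"}
        player["coins"] -= price
        player["items"].append(item)
        return {"ok": True, "coins": player["coins"]}

    def get_profile(self, token, request):
        """Return private data only for the player who owns the session."""
        me = self._authenticate(token)
        if request.get("player", me) != me:
            return {"ok": False, "error": "forbidden"}
        return {"ok": True, "address": self.players[me]["address"]}


if __name__ == "__main__":
    server = GameServer()
    # A tampered client claims the sword costs 0 coins.
    print(server.purchase("token-bob", {"item": "sword", "price": 0}))
    print(server.purchase("token-alice", {"item": "sword", "price": 0}))
    print(server.get_profile("token-bob", {"player": "alice"}))
```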



Server-Authoritative Realtime Netcode

Much like what was outlined in the previous part, to make a truly secure game server, all of the important logic must be kept on the server. 


Running dedicated servers, however, does not have to be cost-intensive as Hathora and other similar services are able to offer low-cost, scalable dedicated servers.


The issue, however, is that server-side logic introduces “lag”, as there is a delay between the time when you decide to perform an action and the time when you receive a response back from the server.


This is usually measured in milliseconds and might take up to 400 ms depending on the server’s physical distance to the client.


While 400 ms doesn’t sound like much, players can feel it and therefore a fix must be made. But how can we do that without running the logic on the client side?



Player Prediction Algorithms

In order to “fix” apparent lag, game developers implement a series of important prediction algorithms.


The most common technique is to run a copy of the code on the client side. As soon as the message is sent to the server, the client does not wait for an answer and instead goes ahead and performs the action.


If, however, the server returns an error, such as saying that there was a wall and walking was impossible, then we roll back to where we were before. This makes the game feel a lot smoother without changing the game’s rules.
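The prediction and rollback described above, as an added example that is not code from this blog: the client applies each move immediately, the server stays authoritative, and each reply makes the client adopt the server's position and replay the inputs still in flight. The grid, the message fields and the stale client map are assumptions made for the illustration.

```python
MOVES = {"right": (1, 0), "left": (-1, 0), "up": (0, -1), "down": (0, 1)}


def step(pos, direction, walls):
    """Movement rule shared by client and server: walls block the move."""
    dx, dy = MOVES[direction]
    target = (pos[0] + dx, pos[1] + dy)
    return pos if target in walls else target


class Server:
    def __init__(self, walls):
        self.walls, self.pos = walls, (0, 0)

    def process(self, seq, direction):
        """Authoritative move; the reply always carries the true position."""
        new_pos = step(self.pos, direction, self.walls)
        ok = new_pos != self.pos
        self.pos = new_pos
        return {"seq": seq, "ok": ok, "pos": self.pos}


class Client:
    def __init__(self, walls):
        self.walls, self.pos = walls, (0, 0)
        self.seq = 0
        self.pending = []            # (seq, direction) sent but not yet answered

    def press(self, direction):
        """Predict the move locally at once and return the message to send."""
        self.seq += 1
        self.pos = step(self.pos, direction, self.walls)
        self.pending.append((self.seq, direction))
        return self.seq, direction

    def on_ack(self, ack):
        """Roll back to the server's position, then replay unanswered inputs."""
        self.pending = [(s, d) for s, d in self.pending if s > ack["seq"]]
        self.pos = ack["pos"]
        for _, direction in self.pending:
            self.pos = step(self.pos, direction, self.walls)


def simulate():
    server = Server(walls={(2, 0)})          # constructed map: one wall tile
    client = Client(walls=set())             # stale copy that lacks the wall
    msgs = [client.press("right") for _ in range(3)]   # sent without waiting
    predicted = client.pos
    for seq, direction in msgs:              # replies arrive a round trip later
        client.on_ack(server.process(seq, direction))
    return predicted, client.pos, server.pos
```

Here the client briefly shows the player at (3, 0), and once every reply has arrived it has rolled back to (1, 0), the tile in front of the wall that only the server knew about.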



CyberSecurity Outside of Gaming

One thing to remember when thinking about cybersecurity in game development is that the game’s code is not the only place that must be secured. Phishing is a very common technique used to gain access to servers and accounts.


Make sure to enable two-factor authentication everywhere you can, and only accept a sign-in request once you are certain of who is trying to access the specific service.


Create truly safe passwords and don’t share them with anyone you don’t trust. If the service offers separate accounts per team member, make sure to use them so you can manage access and receive logs of everyone who accessed the service.


While it may sound obvious, make sure you do not install suspicious software including browser extensions that may put your work at risk. Have up-to-date antivirus software installed on your machine and consider requiring a VPN to access your services by IP locking specific requests.



Never Store Plain-Text Passwords on Databases

Many people do not know about hashing and salting passwords. It is a very simple trick to obfuscate stored passwords so that potential invaders do not get access to other services that your clients might be using.


Websites that send you an email with your password written in it, to help you regain access to your account, are an obvious red flag for security issues.


Ideally, the server will not know what your password is, only whether it is valid or not.
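Hashing and salting as described above, as an added example that is not code from this blog: the server stores a random per-user salt and a slow PBKDF2 hash, and later checks a login attempt by re-deriving the hash. The iteration count and record layout are assumptions made for the illustration, and the unsalted SHA-256 function is there only as the weak baseline to compare against.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2 work factor, an assumed value for this example


def hash_password(password):
    """Build the record to store: a random per-user salt plus the derived hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password, record):
    """Re-derive the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def unsalted_sha256(password):
    """Weak baseline: fast to compute and identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two players who happen to pick the same password.
    alice, bob = hash_password("correct horse"), hash_password("correct horse")
    print("salted records differ:", alice["hash"] != bob["hash"])
    print("unsalted hashes match:",
          unsalted_sha256("correct horse") == unsalted_sha256("correct horse"))
    print("right password:", verify_password("correct horse", alice))
    print("wrong password:", verify_password("correct horse!", alice))
```

The stored record contains no password, so a leaked database does not directly reveal what players typed, and the per-user salt means two players with the same password do not share a hash.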



Consider SSO Login Instead of Custom Solutions

By using services such as the Google or Facebook login, you can skip account handling entirely and therefore not have to worry about password encryption, resetting passwords, forgetful users and other hassles that services must go through.


These SSO services allow you to offload the work to them instead, receiving only a token that can be used to identify the user on your platform. Other information, such as emails and names, can usually still be requested through the platform.



Final Considerations

Security is a very important factor that must be taken into account in every piece of software that is developed. It is also a very long topic that spans hours of conversation. However, most developers overlook its importance and might later run into issues.


There are, however, easy things that can be done to instantly increase the overall security of the software. Working with a specialized cybersecurity team might be a great idea if that is an important factor for you and your company.


Consider reading up on our other blog posts here to learn more about the world of game development.

