I am trying to implement a system in which a player can register, play and get points. How to make the balance of points that is stored in his account, could not hack the player himself or another player? Does it have to be restrictions in the code or in the database? I have a database, but the rules are set by default, it seems to me that they need to be changed.

Code entry points in the database as follows:

import Foundation import UIKit import Firebase import FirebaseDatabase let ref = Database.database().reference() let userID : String = (Auth.auth().currentUser?.uid)! class GameCoins: UIViewController, UnityAdsDelegate { @IBOutlet weak var currencyLabel: UILabel! override func viewDidLoad() { ref.child("users").child(userID).observeSingleEvent(of: .value, with: { (snapshot) in // Get user value let snapshotValue = snapshot.value as? NSDictionary let balance = snapshotValue!["coins"] as! Int self.currencyLabel.text = "\(String(describing: balance))" }) { (error) in print(error.localizedDescription) } super.viewDidLoad() } func gameMoveDidFinish(_ placementId: String) { if (state != .skipped) { ref.child("users").child(userID).observeSingleEvent(of: .value, with: { (snapshot) in // Get user value let snapshotValue = snapshot.value as? NSDictionary var balance = snapshotValue!["coins"] as! Int balance += 1 ref.root.child("users").child(userID).updateChildValues(["coins": balance]) self.currencyLabel.text = "\(String(describing: balance))" }) { (error) in print(error.localizedDescription) } } } }

The base and rules are listed below: enter image description here

 { "rules": { ".read": "auth != null", ".write": "auth != null" } }

I know that if you store points in NSUserDefaults, they can be easily cracked, so they use keychain. I get to store data on Firebase, but in the subject which should put a limit on writing and reading I understand very bad. I would be grateful for any recommendations and amendments, I want to figure out how to ensure the security of both the player and the application from hacking.

    1 answer 1

    I don’t know Swift, but I’m familiar with Firebase and faced such a task, so maybe my advice would be useful. Usually, when using Firebase Database for games, or applications with the need to add complex backend logic, they rent a third-party server. Only this server can write data in Firebase. The client itself can only read the database.

    A standard query follows this path:

    1. The client sends a request to the server.
    2. The request is checked by this server (for example, can a player get 5,000 points at once, as written in the request, when only 10 points are given for the victory).
    3. When approving a request, this server writes data to the Firebase Database; in case of disapproval, nothing is written.
    4. The client calls a callback from Firebase with new data.

    In the Firebase rules in this case, the write is just false .

    If you need tutorials, how to give rights to a third-party server to write to Firebase, how to handle requests, etc., you can start from here , Google App Engine has a free period that will help you not only understand the implementation, but also look at the work product . And as you will understand you will think about changing the hosting, if you want.

    PS In such a bundle you get the convenience of Firebase, save a lot of time, because Firebase does a lot for you, but maybe it will be more costly for money than if you implemented everything with one server. I also advise you to look at the prices and weigh the pros and cons before production. I would also like to note that Google App Engine does not support tcp / ip and udp / ip, so if your game is dynamic, you will have to think of something else, for example, completely migrate to amazon web services, because http may be too slow for your case.

    • Thanks, but if I, for example, set the initial number of points in the code, 0 - setValue (["coins": 0, "email": self.emailTextField.text!]), Set my limits (which are in question) and set the function which each time you click increases this number of "coins" points by 1. At the same time, I myself can’t change this value in the database, because it is already set and changes only when the function is executed. It turns out that the user may still have some access at this moment, for example, to change the initial value or the number that is added to the "coins" if he breaks the code? - Diana
    • or it turns out he can just track the value of coins transmitted to the server and change it? - Diana
    • one
      The @Diana client can change the values ​​of any of your variables whenever it wants, including the balance variable. GameGuardian (for hacking), for example, can help the player with this. To intercept the request and edit it to re-send, the user does not succeed, because Firebase encrypts messages to the server using TLS. - Maxgmer
    • one
      @Diana if you have the balance variable only at the time of incrementing the value from the database and there are no other specific records like this that need to be protected, then you can stay with Firebase. To catch this moment, you will need a third-party software, like GameGuardian does not have options for such cases. So, the student will not be able to hack your application. And more difficult moments will decide when you earn money from the application. - Maxgmer
    • one
      I know that you can’t say thank you here, but still thank you so much for a detailed explanation! - Diana