I have an idea for a multiplayer mobile game. I thought about a browser game, so iOS and Android users can play it.
But I don't get something... If I build the game with mostly JavaScript, it's very attackable for hacking attacks, isn't it? I mean, if I do some AJAX requests to the server, everyone could open the developer tool in Internet Explorer, set a breakpoint on the request and change some data before the request is sent.
For example: The user gets some money in the game. Now I want to send the new amount to the server to save it to the database. Some "bad" boys could change the money value before the request is sent and the server gets the manipulated value.
Is what I am saying correct? Or are there any security features which I could build into the game?
So I searched for a multi-platform mobile engine, but I couldn't find the right one. I found spaceport.io but it's not released yet.
Are there any other engines which I could use?
Oh... and I don't have much money ;-)
Yes, JavaScript is insecure that way, as pointed out, but so are other engines. They just take more work to hack.
The important point here is to ensure the client is only sending user input back to the server, and the server is calculating the actions based on the inputs, and returning the response.
For instance, if the client says "I just opened a chest and it gave me 100 gold, add it to my balance" the user can easily hack it to say "I just opened a chest and it gave me 100,000 gold, add it to my balance".
Instead, the client would say simply "I opened the chest." And the server would say "that chest had 100 gold, it has been added to your balance."
In addition, the server should know where the player is based on movement requests sent to the server. Rather than the client saying "I opened the chest at this location" it should just say "I opened the chest where I am" and the server should know where the user is, so they can't just spoof all the chest locations and open them all without actually moving around.
This means also that the client shouldn't be telling the server where the player is, but simply giving movement notifications, i.e. "I moved one block north." "I moved one block east." Then the server can log those, act on them, and keep track of where the user is to look for hacks. If the user tries to change their location without sending all the movement requests, the server would not act on the player's spoofed location.
For speed purposes, it's OK to have the client just move the player after sending the movement request without waiting for the server response, but if the server responds with "nope, you're not where you think you are, you're here instead" the client responds by correcting on its side to match the server. This is what causes games to jump around, or backwards when they lag. The client has updated the movements to remain fluid and responsive, but due to lag, the server didn't get the movement requests, or got them late so the client has to correct.
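
The approach in the answer above, as an added example that is not part of the original post: a server-side JavaScript handler that accepts only intents ("move one block", "open the chest where I am") and derives position and gold itself. The world layout, message shapes and function names are assumptions made for illustration.

```javascript
// Constructed example: the server owns position, chest contents and balances.
const STEPS = new Map([["north", [0, -1]], ["south", [0, 1]],
                       ["east", [1, 0]], ["west", [-1, 0]]]);

function createWorld() {
  return {
    size: 10,
    // Chest contents exist only on the server, keyed by "x,y" (constructed data).
    chests: new Map([["2,1", { gold: 100, opened: false }],
                     ["9,9", { gold: 500, opened: false }]]),
    players: new Map(),
  };
}

function join(world, id) {
  world.players.set(id, { x: 0, y: 0, gold: 0 });
}

function handleMessage(world, id, msg) {
  const p = world.players.get(id);
  if (!p || typeof msg !== "object" || msg === null) return { ok: false, error: "bad request" };
  // Every reply carries the server's view so the client can correct itself.
  const state = () => ({ x: p.x, y: p.y, gold: p.gold });

  if (msg.type === "move") {
    const step = STEPS.get(msg.dir);
    if (!step) return { ok: false, error: "unknown direction", ...state() };
    const nx = p.x + step[0], ny = p.y + step[1];
    if (nx < 0 || ny < 0 || nx >= world.size || ny >= world.size)
      return { ok: false, error: "blocked", ...state() };
    p.x = nx; p.y = ny; // one block per request; a client-supplied x/y is never read
    return { ok: true, ...state() };
  }

  if (msg.type === "open_chest") {
    // Location comes from the tracked position; msg.x, msg.y and msg.gold are ignored.
    const chest = world.chests.get(`${p.x},${p.y}`);
    if (!chest || chest.opened) return { ok: false, error: "no chest here", ...state() };
    chest.opened = true;
    p.gold += chest.gold;
    return { ok: true, awarded: chest.gold, ...state() };
  }
  return { ok: false, error: "unknown message type", ...state() };
}
```

A client that predicts movement locally compares its own position with the `x` and `y` in each reply and snaps to the server's values when they differ.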