How to Prevent Cheating in an Multiplayer Online Android/iOS Game that Uses Google Play Services?

Question

I'm planning to make an MMORPG for Android and iOS. I will use Unity 5. I am also planning to store user values in a Google Server that comes with Google Play Services. I'm storing values like money amount, level, strength point, items in the inventory, skills unlocked etc. I am not planning to allow players play the game offline. They must log in to their Google account to play the game.

Here are the questions:

• How secure is my game? I mean, using Google servers to store data, I think players won't alter the game data, because all the data is in the server.
• Which method I should use to encrypt my data?
• Is Google Servers capable to store these amount of data?
• Can users use a third party program to alter data on the server? How to prevent this?
• My game will totally be online. Can communication operators able to send and receive these amount of data? Because server should check every step of the player. And players should be able to play the game when they are off home.
• I am planning to do some checks when certain requirements meet. For example, when player buys an unique item that worths 1 million golds, the game will check the server first, if the player has 1 million golds. Can anyone change the codes in the game file?

Answer 1

I am also planning to store user values in a Google Server that comes with Google Play Services

Nope. Don't do it.

I am not planning to allow players play the game offline

Good idea.

The answer to all your other question is that any game can be hacked. Any game server can be hacked. Using Google Play Services is even worse as you have no option to protect yourself.

If your game is online MMORPG, you need to get a server with a monthly fee or maybe even a dedicated server.

You cannot prevent hacking but you can reduce it.

Ways to reduce hacking:

1. Get a server instead of Google Play as there are things you won't be allowed to do on Google Play server. You can't run your own game script there AFAIK.

2. Players must register and sign in to play your game.

3. Do all your security/buy stuff on the server side. If you do it on the client side, it can be decompiled, modified and recompiled back on both iOS and Android.

For example, when player wants to buy something and that thing requires a score the player does not have, don't do that check on the player's side,do it on the server side.

4. When you detect that a player is cheating, ban the player, then ban the IP Address for about a week. Don't ban the IP Address forever because some people with DSL will be able to change their IP Address by simply resetting the modem. When they do so, you are now banning another innocent person that just got banned IP. You can ban the account forever or ban them temporary as a warning before banning them forever. You set the rules here.

5. You can associate each account with the player's MAC Address, iPhone UDID, device serial number or any unique number from the device. When the player is banned, they will likely try to sign up for another account. If the-same device is used to sign up, don't let the player sign up. Simple display a network error with a number. Don't tell the player that they couldn't sign up again because their account/device is banned. If you do, they can easily circumvent the ban mechanics and sign up again.

The use of account, custom server, banning players are the best way to reduce hacking on your network game. There are many other ways but I can't keep going.

What you need to know:

PHP, MySQL for the Server side. Unity C#, Unity network API for the client/Unity side.

Now, if you really want the network game to be >50x faster, Use C++ (FastCGI), MySQL Connectors for the server side. Unity C# + raw socket on the client/Unity side. I recommend you go with this route.