android, unity-game-engine, fraud-prevention

How to detect that the client calling the server is not an official version of the game?


A hacker decompiled and published our game, which is a trivia game. The unofficial version of the client shows the written answer to a question. When the client calls to request a new question, the server gets a question and its answer. Is there any way to detect that the client is not the official version?

We use some encryption methods and custom HTTPS certificates, but unfortunately all of them are decompiled. I'm looking for a way to detect the hacked version on the server and ban the cheating users.


Solution

  • Actually, you should have done this before, but no worries: prepare a key in the client and another one in the backend; they should match each other. This identifier helps you to understand which one is your client, so every call and every response must be handled by key passing and obfuscation.

    You should stop supporting the previous client versions and force all of them to update to the latest version. I don't know whether you have a force-update modal or not; maybe you can use push notifications to notify users to update the app rapidly.

    Another thing, the security concern: you had better obfuscate the key part of the app to avoid another crack. The hacker must not have access to the key management part.
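As an added example (not code from the question or from the answer above), here is one server-side shape of the key-passing scheme the answer describes, written in Python: every request carries a build id, a timestamp, a nonce and an HMAC over the request computed with that build's key, and the server rejects unknown builds, bad signatures, stale requests and replays. The header names, build ids, keys and question bank are constructed placeholders. Because the question says the server currently returns the answer together with the question, the example also keeps the answer on the server and grades submissions there, so a decompiled client has nothing to display; and because the key ships inside the client, the signature check only proves that the caller holds a copy of it, which is why the server-side grading is the part that actually removes the cheat.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholders: one secret per client build, known to the server and
# compiled into that build only. A real deployment generates these per release.
BUILD_KEYS = {
    "android-2.3.0": b"placeholder-key-for-build-2.3.0",
}

# Constructed question bank. The "answer" field stays on the server; clients only
# ever receive the text and the choices.
QUESTION_BANK = {
    "q1": {"text": "Which planet is closest to the Sun?",
           "choices": ["Venus", "Mercury", "Earth"], "answer": "Mercury"},
}


def canonical_string(method, path, body, build, ts, nonce):
    """Bytes both sides sign: method, path, build id, timestamp, nonce, body hash."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method, path, build, str(ts), nonce, body_hash]).encode()


def sign(key, method, path, body, build, ts, nonce):
    """HMAC-SHA256 over the canonical string with the build's shared key."""
    msg = canonical_string(method, path, body, build, ts, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def client_headers(build, key, method, path, body, ts=None, nonce=None):
    """What the official client attaches to every call (hypothetical header names)."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    return {"X-Build": build, "X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-Signature": sign(key, method, path, body, build, ts, nonce)}


class TriviaServer:
    def __init__(self, build_keys, clock=time.time, max_skew=30):
        self.build_keys = build_keys      # only currently supported builds are listed
        self.clock = clock                # injectable for deterministic tests
        self.max_skew = max_skew          # seconds of clock drift tolerated
        self.seen_nonces = set()          # prune entries older than max_skew in production
        self.pending = {}                 # player -> question id currently issued

    def verify(self, headers, method, path, body):
        """Return (ok, reason); rejects unknown builds, stale or replayed requests, bad MACs."""
        build = headers.get("X-Build", "")
        key = self.build_keys.get(build)
        if key is None:
            return False, "unsupported build"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(int(self.clock()) - ts) > self.max_skew:
            return False, "stale request"
        nonce = headers.get("X-Nonce", "")
        if (build, nonce) in self.seen_nonces:
            return False, "replay"
        expected = sign(key, method, path, body, build, ts, nonce)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces.add((build, nonce))
        return True, "ok"

    def get_question(self, player, headers):
        """Issue a question; the answer never leaves the server."""
        ok, reason = self.verify(headers, "GET", "/question", "")
        if not ok:
            return {"error": reason}
        qid, q = next(iter(QUESTION_BANK.items()))
        self.pending[player] = qid
        return {"id": qid, "text": q["text"], "choices": q["choices"]}

    def submit_answer(self, player, headers, body):
        """Grade server-side against the question this player was actually issued."""
        ok, reason = self.verify(headers, "POST", "/answer", body)
        if not ok:
            return {"error": reason}
        data = json.loads(body)
        qid = self.pending.pop(player, None)
        if qid is None or data.get("id") != qid:
            return {"error": "no question pending"}
        return {"correct": data.get("answer") == QUESTION_BANK[qid]["answer"]}
```

Dropping a build id from `BUILD_KEYS` is how the server stops accepting an old client, which is the forced-update step the answer mentions; the signature covers the body hash, so a proxy that rewrites a request after the official client signs it is rejected as well.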