What are some ways to deal with hackers?
I have players who tell me that they're going to upload APKs of my game to hack it.
We have a SQL backend that needs to be protected, but is there anything to worry about Normcore-side?
6 Replies
Hi @Alix Ollivier. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Based on the knowledge sources, here are some ways to deal with hackers and protect your Normcore implementation:
Normcore's Built-in Security
Normcore provides several security features by default:
1. Encryption: All data is encrypted by default. Normcore uses DTLS to encrypt all packets, which is the same technology web browsers use for secure connections.
2. Ownership and Lifetime Flags: For most games, Normcore's ownership and lifetime flags APIs give you control over which clients can modify data in your rooms. This prevents unauthorized clients from modifying game state they shouldn't have access to.
Additional Protection Options
If you need more robust cheat prevention beyond the ownership and lifetime flags:
- Authoritative Game Servers: If you've hit the limits of the ownership APIs, Normcore Private supports authoritative game servers that can validate and control all game state server-side.
- Webhooks API: With Normcore Private, you can use the Webhooks API to authenticate users before they can join a room, allowing you to verify users against your own database.
Important Note
While Normcore provides these security features for the multiplayer state synchronization, your SQL backend security is separate and needs to be protected using standard backend security practices (authentication, authorization, input validation, etc.). The Normcore-side security features primarily protect the real-time multiplayer state, not your external database.
If you need more specific guidance on implementing these features, I recommend reaching out to the Normcore community on their Discord.
----------------------
It really depends on what you think they’re going to mess with. Unfortunately, regardless of what networking system you pick, they’re going to be able to do anything a regular game client would be able to do.
I highly recommend integrating Meta’s server to server entitlement check API. That prevents hacked APKs from working in all cases that I’m aware of.
^^^
Normcore-wise there's no preventative measures to stop them from connecting to your app, so I'll just list a couple things that I do to prevent exploiters
Metadata encryption is a good thing to invest in for Quest games; this will:
1) Break most public tools that rely on metadata to decompile/load (il2cppdumper, cpp2il, LemonLoader, etc.)
2) Stop the majority of Quest modders; on Quest 2 it’s really hard to get the unencrypted metadata because of app isolation, but Quest 3/3S are more problematic since there’s been some rooting, though access to the rooting tools seems locked to private Discord servers. Emulators are a different story however..
I have an aggressively inlined method called ForceClose that throws a bunch of tactics at the game if tampering is detected. It does the following:
1) Application.Quit()
2) Application.Quit(0), in case they forgot to account for the second method overload in patching
3) UnityEngine.Diagnostics.Utils.ForceCrash() This one is more unknown
4) Literally just a while true loop to freeze the game
Then afterwards I
1) Compare the signature of the game at runtime, and run ForceClose if it doesn't add up
2) Scan loaded assemblies for any abnormalities / known modding DLLs (MelonLoader.dll mainly) and use ForceClose if something doesn't add up
3) Do directory/file checks, think wisely about this part, because most exploiters will naively patch Directory.Exists/File.Exists to return false all the time
When looking at this you should assume that it's never if an exploiter can mod your game, it's when, so it's best to just throw absolutely every security measure at them lol. Also yeah use the entitlement check API, I've seen only a single case where someone got around this
here's another one for the list System.Diagnostics.Process.GetCurrentProcess().Kill();
Hurray lol
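
The server-side pattern the replies point toward (an entitlement check made from the backend, then validation in front of the SQL store), as an added example that is not code from this thread, Normcore or Meta. `verify_entitlement` is a hypothetical stand-in for the server-to-server entitlement request; the token format, the `scores` table and the limits are assumptions.

```python
import hashlib, hmac, sqlite3, time

SECRET = b"constructed-demo-key"  # constructed value; keep the real key server-side only
MAX_SCORE = 10_000                # assumed game rule
TOKEN_TTL = 300                   # session lifetime in seconds (assumed)

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(user_id, nonce, verify_entitlement, now=None):
    """Return a signed token only if the platform confirms this user owns the app.
    verify_entitlement: hypothetical callable wrapping the backend's entitlement request."""
    if not verify_entitlement(user_id, nonce):
        return None
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{user_id}.{expires}"
    return f"{payload}.{_sign(payload)}"

def check_session(token, now=None):
    """Return the user id bound into a valid, unexpired token, else None."""
    try:
        user_id, expires, sig = token.split(".")
        expires = int(expires)
    except (AttributeError, ValueError):
        return None  # malformed tokens fail closed
    expected = _sign(f"{user_id}.{expires}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if expires < (time.time() if now is None else now):
        return None
    return user_id

def submit_score(db, token, score, now=None):
    """Store a score under the token's user id, never a client-supplied one."""
    user_id = check_session(token, now)
    if user_id is None:
        return "unauthenticated"
    if type(score) is not int or not 0 <= score <= MAX_SCORE:
        return "rejected"  # plausibility check a modified client cannot skip
    # Bound parameters keep client-controlled values out of the SQL text.
    db.execute("INSERT INTO scores (user_id, score) VALUES (?, ?)", (user_id, score))
    return "ok"

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scores (user_id TEXT, score INTEGER)")
    owns = lambda uid, nonce: (uid, nonce) == ("1001", "nonce-ok")  # constructed stub
    tok = issue_session("1001", "nonce-ok", owns)
    print(submit_score(db, tok, 4200), submit_score(db, tok, 10**9))
```

Because the user id and expiry are covered by the HMAC, a modified client can replay its own token until it expires but cannot rewrite it to act as another player.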