Securing HTML games is it possible?

[clark]

My boss asked me today about my thoughts on attempting to secure games. 

In the past we had an encryption tool built into the build process of our Flash Games. It was a great tool and made it pretty impossible to just steal the SWF. 

Maybe a (easy to crack) domain check, or obfuscating the JS.... They seem like pretty meagre approaches but the best I have heard of. 

Basically, if someone is going to steal your game, should you just accept it and move on or is it worth spending time looking for solutions?

Thanks!
 

[Sebi]

You can't. All you can do is to minify your code.

No matter how you try to encrypt your code, you always have to provide a method to decrypt it so that the browser understands what to do.

 

If someone steals your code, then you can file a DCMA Takedown Notice, file a lawsuit, contact the one who stole your code, etc.

Another thing you can do is to work with websockets and keep some of the code serverside. That makes it harder for the average pirate,

[rich]

Here you may want to look at this: https://jscrambler.com/

[prtksxna]

The first part of Lostcast Episode 3 talks about code obfuscation with closure compiler. It might be helpful to give that a listen.

 

But if I remember correctly, their short answer was "No" 

[Luis Felipe]

I've also heard about offloading .js files onto different servers. Did I understand correctly? However, wouldn't this cause problems on mobile in terms of latency?

[Robert O'Rourke]

It's interesting all this. I'm not really bothered about locking down the actual code as it's the intellectual property that's important, plus 'view source' is basically how I learned front end development to begin with!

 

One thing that's difficult to lock down with HTML5 games is folks gaming the system by faking ther scores etc... via the console. Bit annoying if you want to run a leaderboard. That's something I'd like to find a secure solution for.

[logicking]

The only thing you can do to have secure your code in you game is to put part of the code on the server side. NodeJS can help a great deal. But of course you'll need to have constant internet connection

 

But if the game is simple enough minify code will be enough since creation of the similar game will cost cheaper then reverse engineering it. 

[Bloodberet]

Here you may want to look at this: https://jscrambler.com/

 

This might be worth knowing about Javascript obfuscators.

 

See more: http://blog.kotowicz.net/2010/04/beating-javascript-obfuscators-with.html

 

Although Google is using Javascript obfuscators for examples Google Maps and they even say one of the nice side effects of GWT is code obfuscation.

 

Google have comment the topic on their FAQ for Google Web toolkit: http://code.google.com/webtoolkit/doc/1.6/FAQ_DebuggingAndCompiling.html

 

 

By default, GWT obfuscates the JavaScript it produces. This is partly done to protect the intellectual property of the application you develop, but also because obfuscation reduces the size of the generated JavaScript files, making them faster to download and parse.

[Bruno Assarisse]

It's interesting all this. I'm not really bothered about locking down the actual code as it's the intellectual property that's important, plus 'view source' is basically how I learned front end development to begin with!

One thing that's difficult to lock down with HTML5 games is folks gaming the system by faking ther scores etc... via the console. Bit annoying if you want to run a leaderboard. That's something I'd like to find a secure solution for.

I think the same. If it's on the web, I accept that someone could copy it, but I can't figure out which is the best way to prevent fake requests, since this could affect the other players.

[Bloodberet]

I think the same. If it's on the web, I accept that someone could copy it, but I can't figure out which is the best way to prevent fake requests, since this could affect the other players.

 

True, that's the main issue I think for HTML5 games have aheads to prevent fake request.

[Robert O'Rourke]

I found this playtomic self-hosted backend server and got it set up locally without too much hassle: http://playtomic.org/

 

When I created it and ran a few API calls I noticed it has tables labelled as 'Ban' lists. I haven't dug through the code much but hopefully it means it has some sort of detection for spammy submissions. You can also be explicit about the Allow-Access-Origin header so the request has to come from your game URL. I know people can still use the console but seeing as you can store game variables on the server it could certainly help.

 

I guess obfuscation and something like playtomic is the way to go.

[spleen387]

closure compiler is great for making it unreadable but theres no way to completely ensure this when running in a browser.

however apparently v8 has the ability to precompile 

[Froton X]

I heard that Game Maker obfuscates html5 exports for that very reason.

[DarkSpace]

I heard that Game Maker obfuscates html5 exports for that very reason.

Can anyone speak to the strengths and weaknesses of varying obfuscation solutions as they compare to each other? Also is the Gamemaker obfuscation optional? I'm picking up an HTML5 Studio license and I'd like to make some changes to the code it spits out before releasing it into the wild.

[Zaidar]

Do someone tried JSON Web Token ?

 

http://www.sitepoint.com/using-json-web-tokens-node-js/

 

I think Clay.io use it for API calls.