I’m running Flash 8 and have developed a high score system that I can easily plug into various games. The problem has always been that players will find a way to hack the communications protocol and figure out how to submit their own scores. I’m sure this was easily done by getting the network packet and then inserting their own score and creating a direct request to the server, bypassing the game entirely.
So, I decided that I would further secure things by encoding the request with an MD5 hash. I might first create a string like “username=bob game_id=7 score=56000” and MD5 it. Then I would pass the MD5 value, along with the other 3 values, to the server via a request to a PHP script.
The problem is, it still gets hacked. Admittedly much less frequently, but it still happens. I think that because the code in a Flash movie is so easy to extract, hackers are able to find the call to the MD5 function (I had converted someone’s Javascript MD5 code to Actionscript and put that into my own function) and then they know the format of the request as well as how to generate the MD5 hash.
So, I still have a problem because the source code can be extracted easily. How am I supposed to fix this? How am I ever supposed to create pseudo-secure communications when any code I write can be read?
Thanks for any pointers! 