How to discourage offline cheating

I am well aware that offline cheating is in no way completely preventable but I simply want to discourage the easiest cheat of changing system time on the phone through the Clock app for both android and IOS.

I am planning on giving my players a reward every three days but I do now want them to change the time and all of a sudden get 1000 years worth of rewards (exaggerating of course). My game is completely offline and I am doing this simply to discourage the easiest form of cheating. Those who truly want to cheat will find a way around and that is ok but a simple discouragement will prevent and/or stop most invasive thought of cheating my players will have.

The game has no leaderboards and is also not pay to win so this should stop and discourage most attempts.

I was thinking of implementing something like this that I found on another thread, thoughts?

Code (CSharp):

1. public static long ElapsedTime()
2. {
3. if (Application.platform != RuntimePlatform.Android) return 0;
4.  
5. AndroidJavaClass systemClock = newAndroidJavaClass("android.os.SystemClock");
6.  
7. return systemClock.CallStatic<long>("elapsedRealtime");
8. }

 

If is offline, why do you care? If someone enjoys by 'cheating', let them do it.
Otherwise, use server.

 

Probably IAP, judging by the reward system he mentioned.

Edit: also, server connection to an offline game is a horrible DRM, and I for one won't play a game I do like because of S*** like this.

OP, can't answer, I actually encourage offline "cheating" in my game (like making the save file in understamdable json and not in binary for example)

 

Agree that DRM for offline is killer app idea.

But one to find cheating way, even if most obscure way, will eventually submit its high score. And end up on top leaderboard with ridiculous score forever more. Then others will follow suit, and leader board will be race on best 'cheater'.

As result leader board will be as tons of leaderboard out there. Full of cheated scores. Nothing fun to compete against. That specially if leader is public.

Therefore, don't bother with tackling cheaters, and if is offline, don't bother with public leader boards.

 

Quoted for emphasis. I play a lot of games on the subway and this is one of my few "instant delete no matter what I think of the game" triggers.

The easiest thing to do is to make it only give 1 reward after 3 days, even if it's been 10 years, and also make it only give this reward once per app start-up (set some static flag). With that system, the user would have to set the clock, start the app, force quit the app, set the clock again, start the app, force quit the app again, etc, etc. Just make the process annoying.

You can also do something if you ever notice the clock going backwards, which, if they're clock cheating, it will do eventually. Don't completely brick the game, but maybe stop giving the free rewards until the app sees the Internet for a "correct time", and then when it does, compensate for whatever rewards they've gotten illicitly.

 

As StarManta says, the traditional thing to do is to somehow mess with the player if you ever notice the system time has moved backwards.

If you choose to go that route, you should probably only penalize the player for large jumps back in time. If they correct their system clock by a few minutes, or go back an hour for daylight savings, you probably don't want that to trigger your cheat-detection.

 

@Antypodish's comment still stands. don't bother. If purchases play into this, well, you've brought it onto yourself by trying to mix time- and fund-based earnings.

The simplest approach here is to realize that setting the time and date on a phone isn't really something that you can do easily (let's say practically), since most of these devices get current time externally, and doing it manually is inconvenient at best. This doesn't mean that it's impossible, just less probably.

So, always save the 'latest time', so your player accrues only after they go past the time they cheated to last time (they'll have to keep book), and - as mentioned before - restrict the amount earned to a maximum. Pretty soon the cheating Player will be frustrated, starts to badmouth your game, and everyone loses. That tends to happen with games that prioritize anti-cheating over fun.

 

No in app purchases. This app is entirely for non-profit. No leaderboards too. I have studied a lot of game theory and even if there is no intrinsic or external reward for cheating and cheating would actually make the experience worse, some people still do it. A small discouragement should be enough and it is all I want.

How would I go about doing this?

Do I create a variable in my app that tracks time since last opened? And then when it is open again it calculates a delta? So pseudo code coming here but:

If ((currentLoginTime - lastLoginTime)>3 days)
{
give reward and set lastLoginTime to currentLoginTime
}

Because I was originally thinking of giving the reward for every three days regardless of when the player came online. So if the player was away and came back after a month, 10 times the rewards but I guess this seems better. Like you guys said. I also have no idea of networking and I am a rookie programmer so I would rather not complicate things and insert spaghetti code with DRM and server checks. But out of curiosity, how would this server check look like?


And sorry about not answering guys, I had to go yesterday. I am not trying to implement 15 different anti-cheats just trying to discourage it. If a player wants to truly grand 15 hours changing the settings on the clock, well, who am I to stop that crazy determination.

 

Changing one hour, or one year is no much difference.

Following your explanation, for simplicity what you need, is to store last logged time. If someone decide jump os.tome one week ahead, it will get reward. But then if come back clock to real time, and jump clock time again by one week, your game will remember latest logged time. And will say NO NO to rewards, as current time is no greater than last recorded time.

So obviously player now need jump 2 weeks ahead, and will get reward. But then if decided play for two weeks withouth cheating, with os real time, it will receive no rewards, until 2 weeks + 3 days passes.

If someone jump os time ahead one year, you record latest date. Player get reward.
But then player will get 0 rewards for next whole year, if playing without time cheating.
Tough luck.

While this implementation is dead simple, weather is worth to do, is up to you.
You are risking negative bomb reviews.

 

Basically it would be

Code (CSharp):

1. float lastLoginTime = getFromSaved()
2. float currentLoginTime = getNow;
3.  
4. if (currentLoginTime > lastLoginTime) {
5.    // it looks ok, but no guarantees
6.    float lastRewardTime = getFromFile();
7.    if (DeltaTime(lastRewardTime, currentLoginTime) 3 Days {
8.       // hand out reward
9.       saveLastRewardTime(currentTime);
10.    }
11.    // save current Login time
12.    saveCurrentLoginTime();
13. } else {
14.    // something fishy is going on.
15.    // at a Minimum, DONT save currentLoginTime to
16.    // prevent going back and forth in time
17. }

You have two saved values: timestamp for last reward, and timestamp for lastlogin. you only look at last reward if the current logn checks out against the last login.

 

Hmmm. I see. Then If I don't want to risk the cheater getting frustrated i would have to implement as well if the currentLoginTime < lastLoginTime, then the last one is the current one. So the cheater would be able to cheat but with work. Sounds nice honestly.

 

Any sufficiently advanced DRM will create a black market for l337 H4ck3rz to sell their solution.

 

+1 for using a server.
No unity game will be able to override the system clock of the users device, or prevent the user from changing the system time, so the only way to prevent "time hacking" would be to get the time from a server that you control.

 

Ah, but unless you also secure the connection to the server, that's also easily spoofed (I thinkI can do that right here on my own dev net by using this shiny new Raspberry Pi and an edit to the dns lookup table ). And if you secure the connection, it's merely not easy to spoof, but inherently spoofable (I'd just take it to the cellar where my godson spends his day hacking away).

 

Not if you dedicate authoring to the server, and only record input / logins.
Server should check for all legal actions. Not just accept, whatever client sent.

But perhaps we are beyond scope, of what OP requires. OP want purely offline.

 

Could be doable, but it's a *lot* harder than just changing the system time! For just preventing casual cheating, I don't think securing a server against a spoof attack would really be necessary.

 

In fact, ALL security is simply a matter of making it harder for a the bad guy to do a thing. It will always be possible for your security to be broken.