There’s been a flurry of news recently about how easily a recent video game, Ubisoft’s The Division, can be hacked. I hadn’t paid much attention to this, largely because it’s not a game I play, but today’s post on ArsTechnica caught my eye because of just how bad the fundamental design of the game appears to be, and because it highlights an important consideration when working on modern apps (including APEX!).
The Division is a modern multi-player game, which means it runs a straightforward client/server architecture. This should be easy; we’ve been doing client/server for a very long time now. The problem is that Ubisoft appears to be using what’s called a “trusted client” design: the servers, which Ubisoft controls, trust the players’ clients to tell them how much ammo they have, how much health, and so on. But Ubisoft doesn’t control those clients; the players do. So if a player figures out how to “adjust” how much ammo their client thinks they have, that value gets reported to the server, accepted, and, well, you’ve got a broken game.
(The usual argument for letting the client decide is “responsiveness”: since the game client already knows whether you hit your target, it can draw the appropriate feedback immediately rather than waiting a network round trip for the server to tell it what to do. But that only requires the client to *predict* the outcome and show it; the server can still keep the authoritative state and correct the client afterwards when the two disagree. Letting the client’s prediction become the server’s truth is a design shortcut, not a performance requirement.)
The correct implementation, of course, is to trust only the data that the server itself controls. The server keeps its own count of each player’s ammo and health, decrements ammo for every shot it accepts, and ignores whatever the client claims. If the client reports that it is shooting when, according to the server, it doesn’t have any bullets, the server tells the client “you can’t do that” (and, potentially, adds the client to a list of potential cheaters for review).
APEX applications should be built the same way. All interaction with the user (forms, dynamic actions, Ajax callbacks, etc.) should use the server as the source of truth; it’s trivially easy in a modern browser to change the value of any HTML item, even a hidden one, before the page is submitted. Luckily, APEX gives us several tools to catch this sort of chicanery: Page Access Protection and item-level Session State Protection (checksums on URL arguments), the Value Protected attribute on hidden items, and authorization schemes on pages and processes. Unfortunately, many of these protections are off (or “Unrestricted”) by default; you need to remember to turn them on yourself. And note what checksums do and don’t cover: they stop a user from setting an item the server didn’t intend them to set, but they say nothing about items the user is legitimately allowed to edit. Your validations and processes still have to treat every submitted value as untrusted and derive anything sensitive (prices, record IDs, roles) from the database rather than from the page. The good guys over at Recx have a tool called ApexSec that will help you find these sorts of gaps. Check it out. And lock down your important apps.
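As an added example (not code from the original post or from any real application), here is how the “server is the source of truth” rule looks on a hypothetical APEX order page. The page number, item names (P10_PRODUCT_ID, P10_QTY, P10_PRICE) and tables (PRODUCTS, ORDERS) are assumptions for illustration. The hidden price item is protected in the page designer, but the process that writes the order never reads it anyway; the validation exists only to catch, and log, a client that lies.

```plsql
-- Hypothetical page 10 (assumed names). P10_PRICE is a Hidden item that shows the
-- unit price the server looked up when the page rendered.
--
-- Declarative settings to switch on in Page Designer (off/Unrestricted by default):
--   Page 10 > Security > Page Access Protection: Arguments Must Have Checksum
--   P10_PRODUCT_ID > Security > Session State Protection: Checksum Required - Session Level
--   P10_PRICE      > Security > Value Protected: Yes
--
-- Even with those on, a user can still run the APEX JavaScript API in the console
-- before submitting:
--   $s('P10_PRICE', '0.01');
-- which is exactly why the insert below uses the database price, not :P10_PRICE.

-- Validation on P10_PRICE (type "PL/SQL Function Body returning Boolean",
-- error message "Invalid price"). A separate "Item is numeric" validation on
-- P10_QTY and P10_PRICE is assumed to run first, so to_number() cannot fail here.
declare
  l_server_price products.price%type;
begin
  select price
    into l_server_price
    from products
   where product_id = :P10_PRODUCT_ID;

  -- The client told us what it thinks the price is; compare with what we know.
  if l_server_price <> to_number(:P10_PRICE) then
    -- Same idea as the game server's "potential cheaters" list: record it.
    apex_debug.warn('Price tampering suspected for product %s: client sent %s, server has %s',
                    :P10_PRODUCT_ID, :P10_PRICE, l_server_price);
    return false;
  end if;
  return true;
exception
  when no_data_found then
    return false;   -- an unknown product id is rejected, not trusted
end;

-- Process (type "PL/SQL Code", sequence after validations, so it only runs when
-- every validation passed). Price and total come from the PRODUCTS row; the only
-- client-supplied values used are the product id and the quantity, both validated.
insert into orders (product_id, qty, unit_price, total)
select p.product_id,
       to_number(:P10_QTY),
       p.price,                              -- server's value, never :P10_PRICE
       p.price * to_number(:P10_QTY)
  from products p
 where p.product_id = :P10_PRODUCT_ID;
```

The two pieces are deliberately redundant: the process would be safe even without the validation, because it re-derives the price from the table. The validation adds what the game-server analogy calls the review list: a tampered submission fails loudly and leaves a debug trail instead of silently being overwritten with the correct value.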