Security Basics mailing list archives

Re: Securing Flash Games.


From: Robert Larsen <robert () the-playground dk>
Date: Wed, 10 Dec 2008 21:24:12 +0100

Ok, the only way I can think of is to run the game on the server and just let the client side show the current status and accept requests for changes from the user, but as Tim Clewlow says this will add a performance and network penalty which might not be desirable.

I work for a company that makes Java based games, and we face similar problems, and we more or less rely on obfuscation and scripts that check "strange" behaviour. This is not perfect, but works well enough.

The games are obfuscated using Zelix KlassMaster (http://www.zelix.com/klassmaster/index.html), there is probably something similar for you Flash developers, and we handle applications such as CheatEngine (http://www.websiteweather.com/) by moving values around in memory and having a copy to check whether or not the real value has changed. We move the values by allocating java.lang.Integer objects instead of using simple types and then allocating new Integer objects every time a value is either checked or changed. The copy is also changed by simple XOR just to make it harder to find and change that too:

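import java.util.Random;

Random r = new Random();
...
// Real value, a random mask, and a shadow copy stored as value XOR mask
Integer value = new Integer(100);
Integer permuter = new Integer(r.nextInt());
Integer copy = new Integer(value.intValue() ^ permuter.intValue());

...
// != binds tighter than ^ in Java, so the XOR has to be parenthesised
if (value.intValue() != (copy.intValue() ^ permuter.intValue())) {
  cheatDetected();
}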

...something like that.

All our traffic is encrypted to make it harder to snoop on. These suggestions are all just security by obscurity but actually make it veeeery hard to bypass. I don't know enough about Flash to make recommendations but maybe you can do something similar.

Good luck with it :-)
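
The masked-copy check described in the post above, wrapped in one class as an added example (not code from the original message or from the poster's company). The names GuardedInt and simulateMemoryEdit are hypothetical, and simulateMemoryEdit only stands in for an outside tool that overwrites the plain value.

```java
import java.util.Random;
// Added illustration; GuardedInt and simulateMemoryEdit are hypothetical names.
@SuppressWarnings({"deprecation", "removal"}) // new Integer(int) is deprecated but intended here
public class GuardedInt {
    private static final Random RNG = new Random();
    // Boxed on purpose: every store() allocates fresh objects, so the heap
    // location of the value changes between reads and writes.
    private Integer value;     // the real value
    private Integer permuter;  // random mask
    private Integer copy;      // value XOR mask

    public GuardedInt(int initial) { store(initial); }

    private void store(int v) {
        int mask = RNG.nextInt();
        // Integer.valueOf may return a cached shared object, so allocate explicitly.
        value = new Integer(v);
        permuter = new Integer(mask);
        copy = new Integer(v ^ mask);
    }

    // Returns the value; throws if it no longer matches copy XOR permuter.
    public int get() {
        int v = value.intValue();
        if (v != (copy.intValue() ^ permuter.intValue())) {
            throw new IllegalStateException("cheat detected");
        }
        store(v); // fresh objects and a fresh mask on every check
        return v;
    }

    public void set(int v) {
        get(); // verify the old value before accepting a change
        store(v);
    }

    // Stand-in for an external memory editor that overwrites only the plain value.
    void simulateMemoryEdit(int forged) { value = new Integer(forged); }

    public static void main(String[] args) {
        GuardedInt score = new GuardedInt(100);
        score.set(score.get() + 50);
        System.out.println("score = " + score.get());
        score.simulateMemoryEdit(999999);
        try { score.get(); } catch (IllegalStateException e) {
            System.out.println("tamper caught: " + e.getMessage());
        }
    }
}
```

The check only gives tamper evidence inside the client, which is why the post pairs it with obfuscation and scripts that check for "strange" behaviour.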

