How to prevent application from hacking tools?

Hi,
I created an application where some users hacked points using some hacking tools or software.
How do I protect my application from any hacking tools or software?
I am using a Web API.

Can you please show how your API works? Do you make POST requests to the API to, e.g., add more points?

Yes, I make a POST request. But some users are using hacking tool software where they put in whatever points they want.
I want to block any hacking tools so that they are not able to put in whatever points they like.

Encrypt the URL.

Or, make the tag less suspicious: instead of “points”, write something gibberish like “jisfjfoij”, or “points” in your native language, etc. Still not a better solution than the above one tho.

2 Likes

But it may not protect against hacking tools.

Anyway, thanks.

1 Like

No service is 100% secure.

6 Likes

It's wrong…

Unfortunately, it is true.

They are hackable because even important functions are done by the app itself.
Important functions should be done on the server side.
Almost (I think 100%) every app made with Kodular doesn't do it from the server side.

I think Kodular should bring Firebase Cloud Functions (component),
or any extension developer may do it.
see 0:22 in this video

Hack these and I will agree with you
8 Ball Pool game points
PayPal balance
Youtube views
etc…

Because they are done on servers
Not fetching number from firebase and process that number on users device and send it to firebase

You can hack games like Subway Surfers because the function is offline.
You can find a modified Subway Surfers APK on the internet with 99999999… coins.

2 Likes

You are right.
The most hackable apps/games are offline or store values offline.

As long as all the data is stored and validated on the server and the client is simply displaying the info and passing the commands over - no. There might be some wiggle room in how the network packets are constructed - but that's a design flaw, not a hacking exploit.

The tools available to you are:

sniff the incoming data and look at the call payloads

sniff the outgoing data and look at the call payloads

modify the incoming data

modify the outgoing data

If you modify the incoming (to your phone) data then your game might end up displaying more of whatever you hacked, but the server still knows. When you try to spend it, let’s say coins or gems, the server will fail to validate the command.

Hacking the outbound packets might help you if the server ever listens to the client. Well constructed games do not. We assume every client is hacked and act accordingly. At most, the server will reject the commands after it tries to process them. You will see that just the design has been changed and not the actual value and when you restart the game, all the values get back to original.

There are a few things you can do to the packets that might cause issues. I won’t get into the details but you might be able to trip an overflow if you play with the right toys. However it is highly doubtful that would be helpful to you. Odds are you’d just corrupt some game data. That is really easy to detect since all those calls are logged. So it would be patched quickly.

3 Likes
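
The "assume every client is hacked" design from the post above, as an added example that is not part of the thread or any poster's code: a handler that stores the total the client sends, next to one where the client only names an action and the server decides the amount. The reward table, action names, function names and in-memory store are hypothetical stand-ins for a real API and database, and `userId` is assumed to come from an authenticated session.

```javascript
// Added example. Table values, action names and the in-memory store are constructed.
const REWARDS = { level_complete: 50, daily_bonus: 10 };          // amounts live on the server
const COOLDOWN_MS = { level_complete: 30000, daily_bonus: 86400000 };

function newStore() {
  return { points: new Map(), lastClaim: new Map(), log: [] };
}

// Weak pattern: the client sends the new total and the server stores it as-is.
function setPointsFromClient(store, userId, body) {
  store.points.set(userId, Number(body.points));
  return { ok: true, points: store.points.get(userId) };
}

// Server-authoritative pattern: the client only names an action. The server
// looks up the amount, enforces a cooldown, and never reads body.points.
// userId is assumed to come from the authenticated session, not the request body.
function claimReward(store, userId, body, nowMs) {
  const action = String(body.action);
  // Own-property check so names like "constructor" do not resolve via the prototype.
  if (!Object.prototype.hasOwnProperty.call(REWARDS, action)) {
    return reject(store, userId, action, "unknown_action", nowMs);
  }
  const key = `${userId}:${action}`;
  const last = store.lastClaim.get(key);
  if (last !== undefined && nowMs - last < COOLDOWN_MS[action]) {
    return reject(store, userId, action, "too_soon", nowMs);
  }
  store.lastClaim.set(key, nowMs);
  const total = (store.points.get(userId) || 0) + REWARDS[action];
  store.points.set(userId, total);
  return { ok: true, points: total };
}

// Rejected calls are logged so repeated false requests can be spotted per user.
function reject(store, userId, action, reason, nowMs) {
  store.log.push({ userId, action, reason, nowMs });
  return { ok: false, error: reason };
}

// Constructed demo: a tampered request claims 999999 points in both designs.
const demo = newStore();
console.log(setPointsFromClient(demo, "u1", { points: 999999 }));
console.log(claimReward(newStore(), "u1", { action: "level_complete", points: 999999 }, 1000));
```

With the second handler a modified request can at most replay a legitimate action early, which the cooldown rejects and the log records.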

Hacking tools are being used to increase points in the game, but I am using the server side to store every user's points, where I am able to validate every user's activities. But I want to stop users from being able to increase points as they like.
There are many false requests, which badly affect the server side. So it is most important to stop false requests from the application.

Nothing is impossible today and nothing is secure from hacking. As you may know, even Jeff Bezos's WhatsApp was hacked, and the famous song “Despacito” on YouTube was hacked. So if you want to secure your app from hacking, then encryption is a good option, so you can confuse the tools used to hack your data. I think you understand :grinning:

Encrypt the URL? Or what do you mean to encrypt?

You can encrypt whatever you want to secure. For example: if you call anything from an online database like Airtable, call it and encrypt it, and when you want to show the data, decrypt it. Or you can store encrypted data in Airtable or any database, and when you call the data in your app, decrypt it and show it.
You can use this extension for this purpose - click here