I recently was surprised to find out that it's possible to replace a cached applet with another modified version. I was able to decompile my cached game applet, recompile it with an modified version (that fx send a very high score to my score upload script), place it back in the cache directory and the jvm would just run that modified applet!
(I always thought the jvm used the hash from the cached jar to compare to the one on the server, if they wouldn't match download the server version and run that one instead)
I know I should obfuscate the classes to make it more difficult (I already did this), but any decent hacker would find out where the uploading part takes place anyway.
The problem seems to be one that many of you have encountered before (but i've never really read anything about it) How can the server tell the score it receives is really from the untampered applet? I got the communication part all encrypted and 99% waterproof, but that obviously wont stop an tampered version from sending the correct data.
I've thought of 2 solutions, but I find both a bit clumsy:
1.) use a burnt-in key for each game downloaded. This gets injected before each download, so decompiling wont help because the next time you start it it will download another applet with a new key. This is ofcourse a costy operation on the server (id have to modify the class each time someone wants to download, further I couldn't sign the thing and it would take much more bandwith as the game can't be cached. Or a similar approach to use a rotating key (have fx 100 versions of the game all with a different key in them, still not practical and more easy to hack)
2.) use a loader class thats loaded from a different url each time. I believe the jvm caches files relative to the url they came from (so /123ab/loader.jar would be cached seperate from /123cd/loader.jar) so if we could make that url variable each time the loader will never be cached and we'd be sure its the untampered version that runs. (i haven't tested this yet)
Im sure there must be some better way of cooping with this. I mean I can't believe sites as pogo that offer big $ for highscores take the risk that some smart hacker being able to run his own version of their applet...
Any help is greatly appreciated!