Been playing your game since inception and before that Puzzle Quest for Nintendo and PC.
One thing I hope you guys can please do is have this game playable without internet. Perhaps every other feature besides PVP and Arena can still be played offline and when we go online it will update our account info.
I don’t know if it is possible but the only reason I am not playing more of it is because of that. Just saying ^^
That would probably be too easy to exploit. The client could be hacked to say, “Sure, I played 200 games over a reasonable interval,” and there’s no way the server would be able to tell. As well, the server makes all loot determinations (including traitstones) and moving that client-side could compromise the integrity of their system.
I would love some offline-only play, but it’d come with some hard problems to solve.
Cheating could be a problem, but solvable using the right encryption techniques. This isn’t the type of stuff your normal programmer could do easily and I don’t know if free libraries exist for this. Paid licensed ones do.
I haven’t followed this type of stuff in a while but am aware of the problems and solutions, just not on the implementation level.
Hmmm, double handshake encryption with new keys every time you do connect to the server. Possibly not hard to do but a lot of work.
Yeah, I’m not saying it’s not solvable, but moving server logic client-side is a deceptively huge effort.
Note that although I’d love offline features, the size of the App is important to me as well. And it’s bound to triple in size (or worse) with significant features
Actually… I don’t think this is solvable in theory, unless you have some way of ensuring that you can trust the client. It can probably be made difficult enough to discourage most people, but if you hand someone the code and the keys necessary to perform the encryption, and let them run it on their own hardware, then they can reverse engineer it and create code that returns the correct responses. That’s what “trusted computing” is supposed to solve, by storing the private key and performing certain operations only on the chip. Consoles typically use a similar mechanism, but in both cases, it all depends on keeping the key secure. If someone does manage to extract the key, then they can create responses indistinguishable from that produced by the original code.
Obfuscation can make it more difficult for a human to analyze the code, or the program running in memory, but it can’t prevent it. If your device can run the program, then you’ve got everything you need to duplicate its output.
You don’t think because you don’t know.
There are easily available encryption techniques that handle all of that. Have been for over twenty years. I’m just not sure if there are free or cheap implementations.
id like to see offline feature even if it takes more space, maybe as an alternative (bigger) app to download 
but yeah the problems for devs you talking about are even worse then mentioned due to crossplatform character of the game - they would have to make the whole thing for every platform over again which is… a nightmare.
I don’t think it will get that much bigger. Compiled code and textual data are surprisingly small, so most of the storage size it takes on your device is for the graphics and sounds (mostly graphics actually). Even if the codebase is tripled in size, the effect it will have on the app size will not be very noticeable.
No, @Spherix is correct. This is essentially the “DRM problem,” insofar as the client-side protected data is only as secure as the key material, and it doesn’t matter what algorithms are used for encryption. You can make things hard (by obfuscating the key material) but never intractable.
Both are dead on. The ironic thing is that an “offline mode” could probably be safely deployed on the console (a closed system)… where its not really needed.
No its not the DRM problem because you’d get no xp or loot until after you reconnect. You don’t need to make offline mode more secure than online mode, which is the scenario you are imagining.
The data stored locally on the client needs to be protected from tampering while offline. Since that needs to function entirely without access to the server, you’re relying on client-sourced secrets to modify the protected data. That path is vulnerable, as the private key is stored on the client.
I guess you never heard of public key encryption?
Absolutely have. You’re not actually addressing the point, though.
Then why did you say private key stored on client was vulnerable you said you know what public key encryption was?
Because a private key stored on a client is always vulnerable. A stored public key is fine so long as you are only interested in protecting against man-in-the-middle and don’t care if the machine user can decrypt at will; a stored private key, if found, enables spoofing and tampering in addition to data access. Your security becomes as good as your ability to hide the private key, which becomes an exercise in obfuscation. Finding the key is typically much easier than brute-forcing it.
You don’t decrypt with the public key. And you dont store the private key on the client. You might want to read up on public key encryption because you obviously don’t understand it.
No, you definitely do decrypt with a public key and encrypt with the private key (in asymmetric encryption at least). Which means you can spoof/tamper if you find it.
You might want to read up on public key encryption, because you obviously don’t understand it. 