A big “thank you” to all who participated in my last question, it’s been very helpful.
A little background before today’s questions: We’ve had a mobile game pretty much completed (plays well, testers love it, etc.) for several months, and are now deep in the process of - for lack of a better word - packaging it for release. By packaging I mean doing things like setting up servers for the back-end, trying to figure out fraud and cheat prevention, figuring out how to validate server-side that the game was actually purchased, etc.
It should be made clear that this discussion is not necessarily about programming, but rather about the business and logistical end of publishing a game.
So if you followed my last question/discussion, you’ll know that I have moved much of the sensitive processing and storage to server-side, to prevent simple cheats, etc. So far it’s been working great in our testing.
My new model for the game is (was?) going to be that anybody could play for free and they would see ads. If they decided that they wanted to participate in leaderboards and multi-player matches, they would have to register a free account (through the game, stored on the back-end servers). They would still be seeing ads until they purchase the paid version of the app, but they could enjoy the multi-player, etc. The servers would do things like track sessions, log prior sessions out automatically if a new session started for that login to prevent account sharing, etc.) So that’s all working well now.
Here is the meat of today’s discussion/question: By adopting this new approach it solves several potential issues (see prior conversation). But overnight a terrifying thought struck me… it is fairly trivial to analyze the network traffic and see how our servers operate. If someone wanted to clone (or even just imitate) our game but didn’t want to set up their own servers (or didn’t know how) and simply kept sending info to OUR servers, there’s no real way to be sure that the traffic is coming from OUR app. Which means not only would we be assisting the cloner with their copy of the game, but would also be incurring expenses for bandwidth, etc. and losing profit.
So far, I can’t think of any way to ensure that the traffic coming in to the server is from a legit copy of our app UNLESS we change our strategy and allow participation in leaderboards and multi-player ONLY to people who have purchased the paid version of the app, and then as part of each login we’d re-do the receipt check with Apple or Google to confirm. This is not my preference because I’d like to allow people to play the multi-player game without purchasing in exchange for seeing ads, but now it looks like it may not work based on this reasoning about the servers.
Does anybody have any ideas on how to restrict/validate traffic to servers without doing what I described above?
On a side note, does anyone know of any books or websites that help new publishers navigate these type of non-programming game app decisions?