So, I started researching the different leaderboard services that have appeared (scoreloop, openfeint, igetscores, agon, gecode), and for my current project I decided that it was best to put together a simple, internal solution. I couldn't find much discussion on the forums about supporting a high scores web service, other than talk about the different social networking services I mentioned. Are many of you doing this yourself? Is it something you think is better to hand off to a dedicated party, even if you don't use all the extra feature hooks they offer? As an offshoot of some playing around I'm posting a 2-part tutorial on my blog about how I approached this with a Rails web service (shameless blog link); although the 1st part is just basic iPhone SDK techniques (probably inelegantly done at that), the 2nd part may be of interest, and heroku.com offers free Rails hosting so it's a good place to experiment with no cost but your time. I assume other developers choose an existing service either (1) because it's probably faster than implementing one personally, and (2) because it provides access to social networking features, and maybe some useful analytics as well. I think I may be a little library-/cloud-phobic in this regard, and would prefer the simplest solution, and one that I totally control. I guess it's also just a bias on my part that I assume high scores are pretty much always a valuable addition to a game. Anyway, has anyone here developed a good leaderboard themselves?
I developed my own leaderboard with PHP, MySQL, and HTML written in Notepad on my Windows laptop. This stuff runs on my own webserver. Seriously, I dislike the lack of control that other options provide. I don't like all the social networking and chat options because they detract from, you know, actually playing the damn game! There was not much competition out there back when I did this either, but my opinion still holds true today. You can see the leaderboards for Rogue Touch here. Global high scores definitely add value to any game, and I'm glad I set it up. My next generation of the online component will be more advanced than just high scores, but I can't talk about that new game just yet.
Yeah, did my own. Simple bit of PHP to query and update a database, and iPhone code to 'POST' data to website. Uses UDID to reference the database. Dead simple really (I thought anyway ...)
Ah, it looks like I basically fell onto the same page as both of you about how to implement this. And the Rogue Touch listings are pretty sweet. I like the spread of rankings so that more players get a chance to appear on the boards. It also suggests 'minigames' played around the different ways you can rank. Nicely done.
Did either of you put any work into preventing people from cheating? I'm just curious because I've thought about this myself and it seems like it wouldn't be very difficult for someone to craft their own fake POST request and give themselves a really high score.
It's possible but you have to think of the market. Most people aren't going to take the time to do what's necessary to find out what their iPhone uploaded to fake a score. As with most hacking the vast majority of people aren't going to bother and the ones who do usually like the challenge of beating your security which is what attracts them in the first place. Also, it's trivial enough to add encryption to your data and decipher it on the server.
Yes, I put thought into preventing cheaters (as well as people posting scores with swears in their names, since my game is rated 9+)... All implemented nicely, also included a geo-location IP address lookup to assign country flags to players (no need for GPS!). The relevant terms you want to look up are MD5s and hash and salt. Oh, and thanks for the compliment on the Rogue Touch leaderboards, Travis, you're right... the format I chose lets a variety of people with differing play-styles get a ranking place on the boards. Plus I can set up contests with minimal effort: just generate a new SQL Query and PHP script, then post about it in the forums and you're off and running.
Besides the MD5 hash and salt I would recommend using some sort of cryptography to avoid exposing your salt in the binary. For example a simple substitution cipher (link).
Exactly. I also have a ban list so I can ban anyone by UDID. This stuff isn't rocket science if you do some homework on it... put a couple of days thought into it and almost anyone can make a solid leaderboard. xother's suggestion is one you must not take lightly either. I know that some pretty rabid fans of my game got tired of trying to guess secret character names from hints I was dropping and decided to read through my binary for strings with a hex editor!!! Needless to say, in the next update I encrypted all secret character names *and* the names of the classes/methods that enabled their special abilities. Unfortunately I learned a hard lesson as my version 1.0 characters were compromised. However, as I added new secrets in each update, no one was able to do the same trick again
Ok, I posted the second part of my leaderboard tutorial, which includes building a web service in Rails. You'll need to have or gain a cursory knowledge of Rails to set that up, but it's pretty typical web development stuff. To that end, I recommend deploying to heroku.com, if for nothing else other than testing since their initial hosting plan is free. CommanderData and xother, your comments about the binary being vulnerable are exactly right. Encryption would be a must for any serious online ranking. Anyway, I hope this is helpful to some of you, and that I haven't made any flagrant misuses of the SDK in the code.
I rolled out a home made highscore service with LAMP, but the next update will switch everything to OpenFeint. It has the benefits of discovery, friends, and achievements with very little effort.
Hi Travis. Thanks for sharing your code and project with us, I actually have a similar Rails app (http://smackbots.com/wwsc) that essentially does the same thing for a high score leaderboard. Eventually I would like to integrate Twitter and Facebook but just haven't found justification that doing that is going to be worthwhile. Here's another thing I had an issue with when I was implementing my own solution: what ways can you stop someone from taking the post request/params and posting multiple times with the same score/name and salt hash? That would still go through and insert that same score for that same player, right?
To prevent that, you'll have to send something unique for every request along. For example a hashed timestamp + salt (a number) and the original timestamp. As long as the salt isn't hacked only your app can create a valid hash.
Anything you want to secure from tampering, throw into the hash. Because every value in the hash will be required to reconstruct it correctly, you could add a date value to parameters submitted, and require submission dates to be sufficiently unique on the web service end. You may also want to cap the slots a single player can occupy in your rankings.
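Added example (not code from any poster in this thread): a server-side check that combines the "hash and salt" idea mentioned earlier with the timestamp-in-the-hash replay defence described in the two replies above, plus a UDID ban list. It uses HMAC-SHA256 in place of salted MD5; the field names, the demo secret, and the `ScoreVerifier` class are assumptions made for illustration.

```ruby
require "openssl"

SECRET   = "constructed-demo-secret" # assumption: key embedded in the app build
MAX_SKEW = 300                       # seconds a timestamp stays acceptable
FIELDS   = %w[udid name score timestamp].freeze

# Every field that must resist tampering goes into the MAC input.
# Length prefixes stop a crafted name from shifting field boundaries.
def canonical(params)
  FIELDS.map { |k| v = params[k].to_s; "#{k}=#{v.bytesize}:#{v}" }.join("|")
end

def sign(params, secret = SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, canonical(params))
end

# Constant-time comparison of two hex digests.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class ScoreVerifier
  def initialize(banned: [])
    @banned = banned
    @seen = {} # stands in for a UNIQUE(udid, timestamp) index in the database
  end

  # Returns :ok, or a symbol naming why the submission was rejected.
  def verify(params, now: Time.now.to_i)
    return :banned if @banned.include?(params["udid"])
    return :bad_signature unless secure_equal?(sign(params), params["sig"].to_s)
    return :stale if (now - params["timestamp"].to_i).abs > MAX_SKEW
    key = [params["udid"], params["timestamp"]]
    return :replay if @seen.key?(key)
    @seen[key] = true
    :ok
  end
end

# Constructed sample: the parameters the app would POST, with its signature.
def sample_submission(score: 4200, timestamp: 1_700_000_000)
  fields = { "udid" => "demo-udid-0001", "name" => "travis",
             "score" => score.to_s, "timestamp" => timestamp.to_s }
  fields.merge("sig" => sign(fields))
end
```

Because the key ships inside the client, this raises the effort needed to forge a score rather than ruling it out, which is the same concern raised above about strings being read out of the binary.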
Another shameless blog plug here but we're also using Rails although not on Heroku -- we went with a fixed price VPS hosting service running the Rails app and our website, together. One of the nice things about using a custom leaderboard is that you can add your own social networking features. We've integrated Facebook (both on iPhone and server side) and thinking about Twitter. Plus we create a funky custom game view for each user that they can email to their friends -- like displaying badges of their accomplishments. In other words -- I'm convinced custom leaderboards are the way to go, but why not add more social features into yours? --yarri PS: Have you seen the ObjectiveResource class for the iPhone?