I bought the asset and have been looking it over, but have a question about preventing exploits. I'm targeting mobile Android/iOS devices.
With the webservice, I see that all damage etc. is still calculated in the Unity code, and only the final result is pushed to the webservice and subsequently the db.
If this is the case, what is stopping someone from just authenticating, and then POSTing incorrect data (i.e. saying they won against a player, etc.) to the webservice?
If all damage is only checked in the client, what is stopping a user from downloading the apk, reverse engineering and manipulating their character's damage on a modified client? In that case they would still be authenticating through the service and would be able to pass fake results (damage dealt in a battle, etc.) to the service, right?
@insthync Yeah, somehow the functionality for calculating damage, deducting health points, taking damage, etc. would all need to be moved to the webservice or server. Otherwise any game built on the platform will be vulnerable to hackers just through something like Postman, I think.
I don't think it would be easy, to be fair. But the competitive aspect of the game is easily compromised without any damage validation. I.e. in a clan raid, users could just POST an insane amount of damage and the webservice will trust it.
To move forward with this template for my game it would likely be a must, and I would pay for it, but I don't know if it's within the scope of what this template aims to achieve. I certainly think it would be a huge value-add to be able to advertise the asset as authoritative.
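The server-side check discussed in this thread, as an added example that is not part of the original issue or the asset's own code: the service recomputes raid damage from its own stat tables and the submitted per-turn actions, and treats the client's total only as a consistency check. It assumes the client sends a list of skill names per battle; every name here (`SKILL_PCT`, `CHARACTERS`, `start_battle`, `submit_raid_result`) is hypothetical.

```python
import secrets

# Server-owned tables (constructed sample data); the client never sends these.
SKILL_PCT = {"slash": 100, "power_strike": 180}   # damage as % of attack
CHARACTERS = {"player-1": {"attack": 120}}
MAX_TURNS = 30                                     # assumed per-battle limit

_open_battles = {}  # battle_id -> player_id, filled when a battle starts


def start_battle(player_id):
    """Issue a one-time battle id so each battle can be settled only once."""
    if player_id not in CHARACTERS:
        raise ValueError("unknown player")
    battle_id = secrets.token_hex(16)
    _open_battles[battle_id] = player_id
    return battle_id


def submit_raid_result(player_id, battle_id, actions, claimed_damage):
    """Return the damage the server records, or raise ValueError."""
    # The battle must exist and belong to the authenticated player.
    if _open_battles.get(battle_id) != player_id:
        raise ValueError("unknown or already-settled battle")
    del _open_battles[battle_id]  # settle once: a replayed POST is rejected

    if not isinstance(actions, list) or not 0 < len(actions) <= MAX_TURNS:
        raise ValueError("implausible turn count")

    attack = CHARACTERS[player_id]["attack"]  # from the db, not the request
    total = 0
    for skill in actions:
        if skill not in SKILL_PCT:
            raise ValueError("unknown skill")
        total += attack * SKILL_PCT[skill] // 100

    # The client's number is never stored; a mismatch marks a tampered client.
    if claimed_damage != total:
        raise ValueError("claimed damage does not match server calculation")
    return total
```

If combat includes random rolls, the server would have to own the seed or accept a bounded range rather than an exact match.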