I've been doing a little digging around on what can be done about hackers and piracy, though mainly through another game engine. A few concepts that were brought up for this - offline was password protection for game data, and an online was saving the data through a server- which would be the best option if you could afford it. I'd like to build games for android or IOS, but I want to make sure that, when I ask for the players to watch an add or purchase an item, they couldn't simply hack into the game and steal it. Are there other options I am unaware of? Does Godot offer features on this? While I didn't add any tags for this, I would program in GDScript, if it matters.

I've only done a little experimentation in this area in a game I'm working on.

On startup, the game sends a key to a web server script that checks whether the key is valid. Currently, the game only displays a valid/not-valid indication. But that could be changed to exit the game if the key is not valid. (Web hosting accounts are not expensive.)

The configuration data and saved games are encrypted.

A determined hacker could probably analyze the game's code and defeat all of the above.

Seriously, though. It's a losing battle. While Godot does support encryption, and you could invent some scheme with an online server, the whole issue is that the game files are stored on the attacker's device. So, for example, if you encrypt some data in the package, you also have to include the decryption key with the game, giving the hackers full reign. It's impossible to solve.

Lots of studies have been done, and piracy doesn't actually effect sales as much as you would think. Yes, lots of people download stuff illegally for free, but chances are they never would have been paying customers in the first place (people that pirate generally don't pay). And the more DRM you add to the game, doesn't actually defeat the hackers, because they are most likely more skilled than you at security and will crack your DRM in a day. But it does inconvenience your actual paying customers. This has been documented with Denuvo on games like Resident Evil, Mass Effect, and Assassin's Creed. Which actually caused people to pirate more because the bootleg version had better performance and was a better experience.

So I don't think it worth wasting too much time on. These people will never pay for your game, you're not actually losing money from them. But you might lose money spending time devising some security features that won't work, or spending a lot on proprietary DRM that will hurt paying customers. So really, don't bother.

It is a lose-lose situation, I admit. I was just trying to come up with a way to prevent an average joe from doing it.

And what about stuff like ad blockers? People with a simple ad blocking system would prevent one from getting paid for letting them play the game, period. I don't mind letting them play, but I don't want them to get the rewards for blocking, either.

Not totally sure how usable it is outside of admob, but this Stackoverflow seems to indicate that, for admob, you can detect if there is an ad blocker: How to prevent ad blocker from blocking ads on an app. I imagine it may be possible to detect other ad blockers with similar methods, at least those that do not operate on an OS level. For OS level ad blockers, I'm not totally if it would be detectable as it may reroute the ads on a level low enough that it's hard to detect via code. (Please take with a gain of salt! I'm not really experienced on this kind of thing)

@TwistedTwigleg said: For OS level ad blockers, I'm not totally if it would be detectable as it may reroute the ads on a level low enough that it's hard to detect via code.

I doubt the average joe's are setting up rasp-pi based pfsense ad-blocking firewalls. So it might be good enough.

@Megalomaniak said:

@TwistedTwigleg said: For OS level ad blockers, I'm not totally if it would be detectable as it may reroute the ads on a level low enough that it's hard to detect via code.

I doubt the average joe's are setting up rasp-pi based pfsense ad-blocking firewalls. So it might be good enough.

True! At that point the time they are spending getting ad-blocking firewalls probably is more time then you'd want to spend trying to stop them. If they are that determined, they'd probably just find other ways around whatever measures you put in place.