Facebook Apps are annoying. Most of them at least. I’ve added a few for fun, but will probably remove most of them in the future. One such App is the Pets application. Its behaviour is two-fold: on the one hand it’s a pet that you can show off on your page (not really — see 2nd point), and on the other you can dress it up in armor and weapons by fighting monsters and leveling it up (the RPG aspect).
It’s not a very sophisticated RPG, and after playing it a while I basically understand how it was implemented. The game relies heavily on equipment, as that is what provides your damage and armor. The damage you deal is a roll within a range minus your opponent’s armor. I have a pet whose armor is decently high but whose damage is quite low, so in order to kill enemies I have to click many, many times (you click once to attack and another time to defend). It is because of this endless clicking that I got pissed off and decided to hack the game.
One of the problems with these Facebook Apps is that a ton of people are using them at the same time, which usually overloads the server. So when you design the app, you probably want to minimize the number of requests to the server. If you’re building a fighting app that involves tens of clicks per battle, you probably don’t want to ask the server for information on each attack. After some investigation, I found out I was right: Pets computes its fight results on the local computer. After that, it was an easy jump to execute some JavaScript to instantly kill any monster I faced.
Anyways, the moral of the story is to never run security-critical logic client side; you can’t hide security behind obfuscation, because someone will eventually spend the time to break it.