Geeks Who Shower



Why is Stick Arena hackable?
posted April 25, 2009 by eedok
I've been asked this question a large number of times, and it's often followed by other questions like "why not make Stick Arena in Java/AS3 so it can't be hacked?" or "why not use MochiCrypt?". Those questions don't address the real issue, which is what I'm going to illustrate here.


First we must understand how Stick Arena players communicate with each other. They use a model called client/server, as it's all that Flash supports; what this means is that all the data passes through a server before going to the other players.



In this diagram, what XGen has control over is inside the green rectangle; everything outside the green rectangle is controlled by the owners of the respective computers. One of the biggest issues is that of authority, as in who decides what to do. In the original Stick Arena everything was decided by the clients.



The issue with this is that anything outside XGen's control can be modified, making it so malicious clients could overwrite whatever decisions/actions are being made.


The way to fix this, of course, is to move the decisions inside the rectangle of control (otherwise known as making it server sided).



So why not move everything to the server, you ask? Well, there are 2 big reasons. The first is the issue of latency, or as most people call it, lag, which is the time it takes for an action to reach the other players, and for their actions to reach you. This is calculated by adding up the time it takes your action to get to the server, plus the amount of time the server takes to process the action, plus the time it takes for the action to then go from the server to the other player (and vice versa for the other direction).



Every check done by the server adds processing time before the action reaches its destination. For some things, like how quickly a player is attacking, this check has a very small processing time; for other things that have a larger processing time (like getting more cred), a delay is okay (we even trick you by hiding the delay with the scratch card animation), so that's why they're server sided, and more checks with small processing times will be added as soon as we finish them. The problem with some of the bigger hacks is that the checks needed to stop them (mostly tests to see if you're allowed to walk where you're going, or if you're being hit) are expensive, and if implemented on the server they would result in a much longer delay between you making an action and your action being performed on the other players' screens (if you guys have played Super Smash Bros Brawl online you'll know what I mean), resulting in a much worse player experience for legitimate players.
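To make the "who decides" point concrete, here is an added example (my own illustration, not XGen's code; the real server is Java, this is Python) of the cheap attack-rate check moving from the client into the server's rectangle of control. The cooldown value, the jitter allowance and the message shape are assumptions.

```python
"""Client-authoritative relay vs server-authoritative attack-rate check.
Constructed example; cooldown/jitter values and message format are assumed."""
from dataclasses import dataclass

ATTACK_COOLDOWN_MS = 500   # assumed minimum time between two attacks
JITTER_MS = 50             # assumed slack so laggy but honest clients are not punished


@dataclass
class PlayerState:
    last_attack_ms: int = -10**9   # server-clock time of the last accepted attack
    rejected: int = 0              # how many attacks failed the check


class TrustingServer:
    """Original model: the client decides, the server only forwards."""

    def relay(self, msg):
        # Whatever the client claims happened is passed on unchanged,
        # so a modified client can claim anything it likes.
        return msg


class AuthoritativeServer:
    """Decision moved server side: the server's clock, not the client's, is authority."""

    def __init__(self):
        self.players = {}

    def handle_attack(self, player_id, now_ms):
        """Accept the attack only if the cooldown (minus jitter) has elapsed.

        now_ms is the server's own clock reading, never a client-supplied timestamp,
        so the client cannot speed itself up by lying about time."""
        p = self.players.setdefault(player_id, PlayerState())
        if now_ms - p.last_attack_ms < ATTACK_COOLDOWN_MS - JITTER_MS:
            p.rejected += 1
            return False          # ignored; nothing is broadcast to other players
        p.last_attack_ms = now_ms
        return True               # broadcast to other players


def simulate(server, player_id, arrival_times_ms):
    """Feed a stream of attack arrivals (server-clock ms) and return accept/reject per attack."""
    return [server.handle_attack(player_id, t) for t in arrival_times_ms]


if __name__ == "__main__":
    # Constructed burst: a client firing at 0, 500, 600, 700, 1000 ms (second two are too fast)
    print(simulate(AuthoritativeServer(), "p1", [0, 500, 600, 700, 1000]))
```

The same check works for any cheap per-message rule (the server just needs its own clock and a little per-player state); the expensive checks the post mentions, like walkable-area tests, are costly because they need the full map state per message, not because the pattern differs.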

The second issue is that the client you guys play on is made in Flash, while the server is in Java, so a lot of the logic has to be rewritten, as they're pretty different languages. As well as that, the logic has to be written differently to compensate for the transit time of the actions. Because the server programmers aren't dedicated to the Stick Arena project (we work on other projects too), server programmer time is a bit of a rare commodity, and that's why server updates are much less frequent than client ones.

The last question is what about obfuscation/encryption (MochiCrypt/Amayeta/etc.), and there are a couple of reasons why this doesn't stop hacking. Ballistick uses an in-house obfuscation system; the reason for this is that Ballistick is really big and pushes the Flash player to its limits, so a lot of obfuscation programs add to the size and push it over the limit, making it so the game doesn't work, which is kind of a big issue. The second issue is that even though it's encrypted/obfuscated, that doesn't change where the decisions are being made, so they're still overwritable and it just takes a bit longer to find them.

Hopefully this was insightful and easy enough to understand.