I'm pretty new at making online games. Right now I'm trying to make an iPhone game. Each player has a profile on my server.
I want to avoid username/password for authentication. Currently, as it stands, when my game is installed it also generates a unique key string and safeguards it on the device. When the player runs the game and needs to perform an action, the action request is sent to the server, along with the key to validate the action.
This is done with an HTTP request, and is working fine.
The thing is, I'm not sure about the security implications behind this. Suppose that a seasoned cracker manages to discover their own key string (if it is stored somewhere in the device I imagine it is always possible to crack), and also identifies the HTTP request schema. They could technically create their own program, use the key string, and send requests to my server and effectively automate several tasks.
For example, let's say that you discover that your key string is 12345, and you also realize that the HTTP requests are like this:
http://www.example.com/getcoins.php?key={KEY}
Well, now you're capable of making a nice program automating
http://www.example.com/getcoins.php?key=12345
So then I considered doing something like cookies. As in, the player authenticates using the key string and then the server returns some "session ID" which is stored on the device. The session ID must be used to validate actions. But I'd imagine this would cause the same issue: the cracker just discovers the session ID and off they go.
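The session-ID design from the question, as an added example (not the poster's code), written from the server side in Python: the installed key is exchanged for a random session ID that expires, and each session ID is rate-limited, so a leaked ID is a bounded capability rather than a permanent one. The `SESSION_TTL`, `RATE_LIMIT` and `RATE_WINDOW` values are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    key_id: str                 # which installed key this session belongs to
    expires_at: float           # absolute time after which the ID is rejected
    request_times: list = field(default_factory=list)  # recent action timestamps

SESSIONS = {}      # session_id -> Session (server-side store, never sent to clients)
SESSION_TTL = 600  # seconds a session ID stays valid (constructed value)
RATE_LIMIT = 5     # max actions per session per window (constructed value)
RATE_WINDOW = 60   # seconds (constructed value)

def login(key_id: str, now: float) -> str:
    """Exchange the device's key for a short-lived, unguessable session ID.

    The ID is random and unrelated to the key, so capturing it reveals
    nothing about the key and it stops working after SESSION_TTL seconds.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = Session(key_id, now + SESSION_TTL)
    return session_id

def authorize_action(session_id: str, now: float) -> str:
    """Decide whether an action request may proceed.

    Returns 'ok', 'unknown', 'expired' or 'rate_limited'. Because the check
    runs on the server, a client that merely replays the ID cannot exceed
    the per-session budget, and the session dies on expiry regardless.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return "unknown"
    if now >= session.expires_at:
        del SESSIONS[session_id]          # drop stale state
        return "expired"
    # Keep only timestamps still inside the sliding window.
    session.request_times = [t for t in session.request_times if now - t < RATE_WINDOW]
    if len(session.request_times) >= RATE_LIMIT:
        return "rate_limited"
    session.request_times.append(now)
    return "ok"
```

The server, not the client, remains the authority on what an action is worth, so automation of the request schema only gains what the session budget allows.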