High Scores

Discussion in 'iOS Programming' started by glmonte, Mar 20, 2009.

  1. glmonte macrumors newbie

    Joined:
    Oct 21, 2008
    #1
    Hello guys...

    What is the best way to implement high scores submission in a game from the security perspective? I'm planning to use NSURLConnection with encrypting the data, but is this secure enough?

    Your opinions are welcome.
     
  2. wonza macrumors member

    Joined:
    Oct 15, 2008
    #2
    I've implemented it by just posting a URL, but I've put an extra parameter on the URL and on the submission ensure that parameter exists. I've also put the submission page so it's not linked from anywhere on my site. It's probably easy enough to hack using a network sniffer, but so far I've not had that problem. If anyone has a better solution I'd also be happy to hear it :)
     
  3. mpatric macrumors newbie

    Joined:
    Oct 20, 2008
    #3
    I strongly suggest hashing (using CRC, SHA, MD5, etc.) the URL and some shared secret (like a phrase, or a number), then checking the hash on your web server before accepting the high score.

    For example, if your high score submission URL is:

    http://myserver.com/game/highscore/submit?score=234598&username=Bob

    You might hash the string "score=234598&username=Bob+MYSECRET" to get 994fe75b299277b7d451bea3a94dfc4a (this is an MD5 hash).

    Then, the full URL to post to your webserver is:

    http://myserver.com/game/highscore/...ame=Bob&hash=994fe75b299277b7d451bea3a94dfc4a

    On your web server, strip off the hash code, do the MD5 hash again and check that it matches. If it doesn't, then ignore the request.

    Without a simple check like this your high score submission mechanism can EASILY be abused. It is more difficult for someone to generate a valid URL without knowing your shared secret and your exact hashing mechanism. Note that if the shared secret is a string, it could be found quite easily in your binaries, so try to make it not look like something obvious (like MYSECRET) - or better still, generate it from something constant that is perfectly recreatable on the web server. There are many possibilities here.
     
  4. martay macrumors newbie

    Joined:
    Oct 1, 2008
    #4
    I almost second mpatric's post (it's missing one piece). This is similar to the way I do high scores. It has 3 weaknesses: cracking the encryption itself (very hard), disassembling the program from a jailbroken iPhone and extracting the hash secret (very hard), and somebody resubmitting the same high score, thus filling up the top 10 with the same name and score (very easy).

    To fix the 3rd issue, submit a timestamp (with the timestamp included in the hash). If you see 2 of the same timestamp, drop the second request.

    Code:
    #import <CommonCrypto/CommonDigest.h>
    
    ...
    
    NSString *secretCookie = @"lksab8xd7FdjdsD3"; // CHANGE ME!!
    NSTimeInterval timeInterval = [[NSDate date] timeIntervalSince1970];
    long timestamp = (long)(timeInterval * 1000); // milliseconds since the epoch, goes into the hash too
    unsigned char hashedChars[CC_SHA1_DIGEST_LENGTH]; // 20 bytes for SHA-1
    // username (NSString *) and score (int) are assumed to be set in the elided code above
    // %ld, not %d, for the long timestamp - same concatenation order as the PHP check below
    NSString *strToHash = [NSString stringWithFormat:@"%@%@%d%ld", username, secretCookie, score, timestamp];
    CC_SHA1([strToHash UTF8String],
            (CC_LONG)[strToHash lengthOfBytesUsingEncoding:NSUTF8StringEncoding], hashedChars);
    NSMutableString *hashedString = [[[NSMutableString alloc] init] autorelease];
    for (int i = 0; i < CC_SHA1_DIGEST_LENGTH; i++) {
      [hashedString appendFormat:@"%02x", hashedChars[i]]; // lowercase hex, matches PHP's sha1()
    }
    
    Send hashedString along with the rest of the query.

    And, on the server side, you must verify the hash (for example, in php):
    Code:
    $secretCookie = "lksab8xd7FdjdsD3"; // Same as above
    // $username, $score, $timestamp and $hash are the submitted request parameters
    $hash1 = sha1($username.$secretCookie.$score.$timestamp); // same order as on the client
    if ($hash != $hash1) {
      die("Hashes do not match!");
    }
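The scheme from mpatric's and martay's posts, server side and client side, as an added example that is not from the thread: the same SHA-1 over username + secret + score + timestamp as the Objective-C and PHP above, plus martay's "drop a repeated timestamp" replay check. The names `score_hash`, `sign_submission` and `HighScoreServer` are hypothetical, the secret is the thread's placeholder, and the comparison uses `hmac.compare_digest` instead of PHP's `!=` (my addition).

```python
import hashlib
import hmac
import time

# Placeholder secret taken from the thread; a real game ships a different one.
SECRET_COOKIE = "lksab8xd7FdjdsD3"


def score_hash(username, score, timestamp_ms, secret=SECRET_COOKIE):
    """Hex SHA-1 of username+secret+score+timestamp, same as the Obj-C/PHP code."""
    material = "{}{}{}{}".format(username, secret, score, timestamp_ms)
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def sign_submission(username, score, timestamp_ms=None):
    """Client side: the query parameters the game would send, hash included."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)  # ms, like the Obj-C snippet
    return {"username": username, "score": score, "timestamp": timestamp_ms,
            "hash": score_hash(username, score, timestamp_ms)}


class HighScoreServer:
    """Server side: verify the hash, then reject replays of a seen timestamp."""

    def __init__(self, secret=SECRET_COOKIE):
        self.secret = secret
        self.seen_timestamps = set()  # martay's fix for resubmitted scores
        self.scores = []

    def accept(self, params):
        try:
            username = str(params["username"])
            score = int(params["score"])
            timestamp_ms = int(params["timestamp"])
            submitted = str(params["hash"])
        except (KeyError, ValueError):
            return False
        # Recompute over the values as sent, in the client's order.
        expected = score_hash(params["username"], params["score"],
                              params["timestamp"], self.secret)
        if not hmac.compare_digest(expected, submitted):
            return False  # forged or tampered request: ignore it
        if timestamp_ms in self.seen_timestamps:
            return False  # second request with the same timestamp: drop it
        self.seen_timestamps.add(timestamp_ms)
        self.scores.append((username, score))
        return True
```

A real deployment also needs the timestamp bound to a short window and the seen-set persisted, otherwise a restart reopens the replay.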
    
     
  5. mpatric macrumors newbie

    Joined:
    Oct 20, 2008
    #5
    Yep, I didn't think about that! Good point.
     
  6. mccannmarc macrumors 6502

    mccannmarc

    Joined:
    Aug 15, 2008
    Location:
    Manchester, UK
    #6
    If you don't mind using someone else's server and being listed on their site as using it, cocoslive is pretty damn good.
     
  7. ethana macrumors 6502a

    Joined:
    Jul 17, 2008
    Location:
    Seattle, WA
    #7
    This is a very good post, thanks for this! I was in a hurry to get my app out the door and was just doing a simple POST to a URL on my server for the high scores. Now I'll implement these ideas in my next update.

    Thanks!
     