App Security Questions


indiePro

New member
Feb 22, 2014
2
0
Hi guys! I'm new here, this is my first post and I'm happy to be here. So I'm working on an Android app where the main driving dynamic is to get the highest score possible, and that is stored in a high scores database that everyone can see via internets. So my main question is, how secure should the app be on the player end? Should I do something in code to check to make sure the app isn't manipulated (check for impossible movement, shooting, final score is accurate, etc.), in order to make sure that the high scores are not compromised in some way?

As I said, getting the high score is what will mostly be encouraging players to play the game and spend money on in-app purchases to give the player more abilities and power, giving them an advantage. I may just be paranoid, but I mean I try to be thorough, goes with the line of work I think ;) Thanks ahead of time for any and all input on the subject.
 

painlessDeath

Member
Feb 7, 2013
17
22
sunnygoyal.com
I could think of security at two levels:

Hacking the app code, to generate high scores which are then sent to the server.
Hacking the server protocol to just send the high scores without using the app at all.

If a person can hack the app code to generate high scores, he can as well hack the protocol and send random scores without using the app.


One option could be to send the app signature (http://stackoverflow.com/questions/8682731/retrieve-the-apk-signature-at-runtime-for-android), the user's score and some other obfuscated data to the server, so that it makes it really hard for someone to crack the server-client protocol.

Then on the server, verify that the signature is correct.
This way, even if someone modifies the apk to generate random scores, they will have to repackage the app, and will end up having a different signature.


Note that you are not storing the signature file in the app and the signature verification happens on the server (which essentially "cannot" be hacked).
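
An added example, not part of the original posts or of any project's code: a server-side check of one score submission in Python, combining the signing-certificate comparison described in the reply with the plausibility checks the question asks about. The field names, the certificate bytes and the game limits are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the release signing certificate bytes (assumption).
RELEASE_CERT = b"constructed-release-signing-certificate"
# The expected digest lives only on the server, never inside the APK.
EXPECTED_CERT_SHA256 = hashlib.sha256(RELEASE_CERT).hexdigest()

# Assumed game limits: reject results no real play session could produce.
MAX_POINTS_PER_SECOND = 50
MAX_SESSION_SECONDS = 3600


def validate_submission(sub):
    """Return (accepted, reason) for one score submission dict."""
    try:
        cert = str(sub["cert_sha256"]).lower()
        score = int(sub["score"])
        seconds = int(sub["play_seconds"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    # A repackaged APK is re-signed, so its certificate digest differs.
    # The digest is reported by the client, so the gameplay checks below
    # still run even when it matches.
    if not hmac.compare_digest(cert.encode(), EXPECTED_CERT_SHA256.encode()):
        return False, "signature_mismatch"
    if not 0 < seconds <= MAX_SESSION_SECONDS:
        return False, "bad_duration"
    if not 0 <= score <= seconds * MAX_POINTS_PER_SECOND:
        return False, "implausible_score"
    return True, "ok"


def check_samples():
    """Run constructed sample submissions and return the reason for each."""
    resigned = hashlib.sha256(b"constructed-resigned-certificate").hexdigest()
    samples = [
        {"cert_sha256": EXPECTED_CERT_SHA256, "score": 4200, "play_seconds": 300},
        {"cert_sha256": resigned, "score": 4200, "play_seconds": 300},
        {"cert_sha256": EXPECTED_CERT_SHA256, "score": 999999, "play_seconds": 300},
        {"cert_sha256": EXPECTED_CERT_SHA256, "play_seconds": 300},
    ]
    return [validate_submission(s)[1] for s in samples]


if __name__ == "__main__":
    print(check_samples())
```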
 