App Security Questions

indiePro (OP), Junior Member, 2 posts, Joined: Feb 2014
22nd February 2014, 08:06 PM | #1
Hi guys! I'm new here, this is my first post and I'm happy to be here. So I'm working on an Android app where the main driving dynamic is to get the highest score possible, and that is stored in a high scores database that everyone can see via internets. So my main question is, how secure should the app be on the player end? Should I do something in code to check to make sure the app isn't manipulated (check for impossible movement, shooting, final score is accurate, etc.), in order to make sure that the high scores are not compromised in some way?

As I said, getting the high score is what will mostly be encouraging players to play the game and spend money on in-app purchases to give the player more abilities and power, giving them an advantage. I may just be paranoid, but I mean I try to be thorough; goes with the line of work, I think. Thanks ahead of time for any and all input on the subject.
Junior Member, 13 posts, Joined: Feb 2013
9th March 2014, 07:15 AM | #2
I could think of security at two levels:

Hacking the app code, to generate high scores which are then sent to the server.
Hacking the server protocol to just send the highscores without using the app at all.

If a person can hack the app code to generate high scores, he can as well hack the protocol and send random scores without using the app.


One option could be to send the app signature (http://stackoverflow.com/questions/8...me-for-android), the user's score and some other obfuscated data to the server, so that it makes it really hard for someone to crack the server-client protocol.

Then on the server, verify that the signature is correct.
This way, even if someone modifies the APK to generate random scores, they will have to repackage the app, and will end up having a different signature.


Note that you are not storing the signature file in the app, and the signature verification happens on the server (which essentially "cannot" be hacked).
One user thanked painlessDeath for this post.
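The server-side half of the scheme described in the post above, as an added example that is not code from the thread or from either poster: a submission carries the app's signing-certificate fingerprint, the score, a nonce and an HMAC (standing in for the "other obfuscated data"); the server recomputes the HMAC, checks the fingerprint, rejects replays and applies the kind of plausibility check the OP asked about (score versus play time). The fingerprint, secret and points-per-second limit are constructed values, not from any real app.

```python
import hmac
import hashlib
import json

# Constructed values for the example (not from the thread): the SHA-256 fingerprint
# of the release signing certificate the server expects, a per-build shared secret,
# and a hypothetical game tuning constant for the plausibility check.
EXPECTED_CERT_SHA256 = "3f" * 32
APP_SECRET = b"constructed-example-secret"
MAX_POINTS_PER_SECOND = 50


def client_sign(payload: dict, secret: bytes = APP_SECRET) -> str:
    """What the app computes over a canonical JSON encoding of the submission."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_submission(payload: dict, mac: str, seen_nonces: set,
                      expected_cert: str = EXPECTED_CERT_SHA256,
                      secret: bytes = APP_SECRET):
    """Server-side checks; returns (accepted, reason). The server is the trust
    boundary: anything embedded in the APK (secret, fingerprint) can be recovered
    by a determined attacker, so these checks raise the cost of cheating rather
    than make it impossible, which is why the plausibility check is kept."""
    # 1. Integrity: recompute the MAC and compare in constant time.
    if not hmac.compare_digest(client_sign(payload, secret), mac):
        return False, "bad mac"
    # 2. The reported signing-certificate fingerprint must be the release one;
    #    a repackaged APK is signed with a different key (post #2's point).
    if payload.get("cert_sha256") != expected_cert:
        return False, "unexpected signing certificate"
    # 3. Replay protection: a fresh nonce per submission, remembered server-side.
    nonce = payload.get("nonce")
    if nonce in seen_nonces:
        return False, "replayed nonce"
    # 4. Plausibility (the OP's "impossible score" concern): bound score by play time.
    score, duration = payload.get("score"), payload.get("duration_s")
    if (not isinstance(score, int) or not isinstance(duration, (int, float))
            or score < 0 or duration <= 0):
        return False, "malformed fields"
    if score > duration * MAX_POINTS_PER_SECOND:
        return False, "score exceeds plausible rate"
    seen_nonces.add(nonce)
    return True, "ok"
```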
indiePro (OP), Junior Member, 2 posts, Joined: Feb 2014
9th March 2014, 09:01 AM | #3
Thanks for the reply! It was helpful and informative, much appreciated.