Geek Answers Handbook

How should an application authenticate with a data store?

I am writing an iPad game that sends hi-score type data (i.e. data outside of what Game Center supports) to the Google appengine data store. It sends these updates via http GET or POST requests, such as http://myapp.appspot.com/game/hiscore/925818

This is how I thought the appengine datastore was not flagged with false data.

zip / encrypt payload data using hardcoded p@ssw0rd stored in the iOS binary. Encode this binary data as base64. Pass the base64 payload in the url query string or in the POST data. In the unbase64 handler, then unzip the data using p@ssw0rd . Follow the instructions in the payload to update data like highscore.

CON: If p@ssw0rd somehow derived from the iOS binary, this scheme can be defeated.

Is this sufficient / sufficient? Is there any other way to do this?

+4
source share
2 answers

Well, there are 2 ways to do this.

1) Get an SSL certificate for $ FREE.99 and open HTTPS connections only to your server to send data like hiscore. The connection speed should be around 500 ms due to the time it takes to shake hands.

2) Embed the RSA public key certificate in the iOS application and have the RSA private key on your server .

Then you can do one of two things with this second scheme:

  • If your data messages are really small (≀256 B), you can simply encrypt and send 256B packets (RSA payload is limited by the number of bits in the key)

  • ELSE If the data is too large (> 256B), generate a random symmetric key (AES) and a packet:

    • SYMMETRIC AES KEY ENCRYPTED with RSA PUBLIC KEY
    • DUAL DATA CONNECTED WITH SYMMETRIC AES KEY

The server then takes the first 256 bytes and decodes it, then the server uses this AES key to decrypt the rest of the message.

The above 2 only prevents eavesdropping, but means that the data format of your messages is hidden. At some level, it is still a type of security by suspense, because if a hacker has your public key and the format of your message, they can create messages.

0
source

There is absolutely no way to make sure your client is sending data. All you can try is to confuse some things to make it difficult for spammers to send data.

However, I think you can do two things:

  • Is there some secret key stored in binary
  • The user algorithm calculates some checksum

Maybe you can go with such a combination. Let me give you an example:

Create your own (complicated!) Alorithm (simple):

 var result = ((score XOR score / 5) XOR score * 8) BITSHIFT_BY 3

Then use your static key with this result and a well-known hash function, for example:

 var hash = SHA256(StaticKey + result)

Then send this hash with the score to the server. The server should β€œverify” the hash by following the same steps (evaluate the algorithm + doing SHA256 things) and compare the hashes. If they coincide with the rating, we hope that this is your application, otherwise throw it out of the spammer.

However, this is only one thing you can do. Check out the link with mfanto , there are many other ideas you can look at. Do not forget to tell anyone about how you do it, because it is security through the unknown .

+3
source

More articles:


All Articles