Hide POST/GET requests - Flash & PHP

Question

I'm currently working with a friend on a flash game. He want's to insert the scores inside a database when the player finishes the game. He's using this tutorial for the flash - http://www.tizag.com/flashTutorial/flashforms.php . The swf he made works great - it posts the data. The problem is I can see the request from firebug. This opens up another problem - any more advanced user may insert a score of his own without playing the game...

So is there a way to hide the requests made from the flash game? What would be the right approach to this problem?

Answer 1

No, there is no way to actually hide the requests made. That is impossible, not only can firebug or Live HTTP Headers intercept it if it is run in a web browser, I can load up Wireshark and find all incoming and outgoing traffic and analyse it. What you need is a method of encryption or offuscation. For example, take their score, base64_encode() it, then take the current time, reverse it (and maybe add a key to the end of it), and then take the MD5 of that. Submit all three pieces of info to the server, if the time is more than 5 seconds old, they could have edited the request and sent a false one. Check the validity of the time by reversing it (and then adding the key to it if you used one) and taking the MD5 and make sure they match. Of course, you can run some complex encryption algorithm, but that is pointless in the end:

There IS no foolproof way to combat this. I used to work in the reverse engineering field. I can tell you that I can edit any value in any flash game. Therefore, while the submission of the score may be somewhat secure, I can decompile your game and look at the code, and see what you did to offuscate the score submission. Or, even easier, I can just edit the value that holds the score in probably under 60 seconds. Adobe Flash Player stores variables in memory, and that is where the weakness is, I can edit those variables and values in memory easily.

And if you are trying to take on the challenge of preventing reverse engineering, I say you just stop at the offuscation and hope no one like me is playing your game. Many many attempts have been done to prevent reverse engineering, and let me just say this: offuscation and "security" only keeps the honest guys out. This is true for both the real world as well as programming. Someone that truely wants to exploit a system and has the skills to do so, it is easy. It only keeps casual hackers and cheaters from cheating. The balance between security and methods to circumvent it is ever close to equilibrium.