 

Securing a client-side API

I'm building a server-side API and client-side library for a JavaScript-based game where two very important features must be secured.

  1. A user must be debited for each play.
  2. We must ensure that the score that gets submitted is the actual score earned by the player.

Solving the first problem seems simple; at the beginning of each play we hit the API, debit the user's account and return a unique Play ID. When we submit the user's score for that play, we pass the ID issued at the beginning.

The second one has me a little stumped. Initially I considered a client-side hashing algorithm based on the ID and the score, but quickly realized that the JavaScript that produces the hash could easily be reverse-engineered, even if it was obfuscated. At this point I considered a small Flash component that generates the hash, but I've heard that even compiled Flash can be decompiled.

For added context, I plan to build the server side API in Ruby.

I'd love to hear any suggestions the clever programmers of Stack Overflow have to offer. Thanks for your time!

Edit: The answer by Homer6 below is a very good solution for more sophisticated games, but unfortunately the simplicity of this game doesn't merit a method like that. It's a very short-play, time-based game, so the score is just the time it takes you to complete a level.

asked Dec 12 '22 13:12 by bloudermilk


2 Answers

Make the server-side part of the game.

You could make the API only receive actions in the game. So the scoring is done server-side. While this will be more intensive, it's harder to fake.

Of course, people could still write bots for it if they're clever. This also adds the latency of server interactions to the gameplay. If there's a way to make the requests non-blocking, it may work.

HTH

answered Dec 15 '22 04:12 by Homer6
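A minimal server-side version of the scheme discussed above (the question's Play ID per debited play, plus Homer6's point that the scoring must happen on the server), written for this answer in Ruby since that is the planned server language; it is an added illustration, not code from the question or either answer. For the time-based score from the question's edit, the server records the start time when it issues the Play ID and measures the elapsed time itself on completion, so the client never submits a score at all. The class, method names and the injectable clock are constructed for the example.

```ruby
require 'securerandom'

# Server-authoritative play ledger (constructed example). The client only ever
# receives a Play ID and later reports that the level is finished; the score
# (elapsed seconds) is measured here, never trusted from the client.
class PlayServer
  PlayError = Class.new(StandardError)
  COST_PER_PLAY = 1

  # balances: user_id => credits (constructed sample ledger).
  # clock: injectable for tests; defaults to a monotonic clock.
  def initialize(balances, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @balances = balances
    @plays = {}   # play_id => { user:, started_at:, finished: }
    @clock = clock
  end

  # Debit the user and issue an unguessable Play ID bound to that user,
  # recording the server-side start time.
  def start_play(user_id)
    raise PlayError, 'insufficient credits' if balance(user_id) < COST_PER_PLAY

    @balances[user_id] -= COST_PER_PLAY
    play_id = SecureRandom.hex(16)
    @plays[play_id] = { user: user_id, started_at: @clock.call, finished: false }
    play_id
  end

  # The client submits only the Play ID; the server derives the score and
  # rejects unknown IDs, IDs owned by another user, and repeat submissions.
  def finish_play(user_id, play_id)
    play = @plays[play_id]
    raise PlayError, 'unknown play' if play.nil?
    raise PlayError, 'play belongs to another user' if play[:user] != user_id
    raise PlayError, 'score already submitted' if play[:finished]

    play[:finished] = true
    elapsed = @clock.call - play[:started_at]
    { user: user_id, play_id: play_id, score_seconds: elapsed.round(3) }
  end

  def balance(user_id)
    @balances.fetch(user_id, 0)
  end
end
```

The server-measured time includes network round trips, so it is consistent between players but not identical to the in-browser time, and as Homer6 notes a bot can still play well; what this removes is the ability to submit an arbitrary score or reuse a paid Play ID.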


As a rule of thumb just assume that anything in the client side can be faked.

answered Dec 15 '22 04:12 by thekindofme