Server needs to ensure an iPhone is connected

Discussion in 'Public Game Developers Forum' started by insanelyThankful, Mar 19, 2010.

  1. insanelyThankful (New Member, joined Mar 19, 2010; Security software, Sunnyvale, CA)

    Hi,
    I have a game (can be any application) with versions that run on the iPhone and other platforms which connect back to a central server. The central server puts iPhone gamers in a separate pool from the other pools.

    The central server needs to be able to distinguish between the iPhone clients and the other clients. How does one do that? A simple user name, password, or configuration information does not cut it. A secret buried in the application during download will get reversed and can easily be used on non-iPhone emulators. Server-certificate SSL will prove to the iPhone what the server is, not the other way around. Client-side SSL is still not available, and even then it is not possible to ensure anything unless we rely on a public/private key pair intimately tied to the hardware, with the private key not readable. Is there something like that available with the iPhone?

    Just a bunch of questions ...
     
  2. Kyle Poole (Well-Known Member, joined Apr 28, 2009)

    The short answer is that there is no way to be sure. The iPhone is just like any other computer, and even SSL encrypted packets can be sniffed, deconstructed, and resent from another computer. You can use SSL as well as another layer of encryption to make it harder for hackers to understand your protocol format, but if someone really wants to communicate with your server with a custom built client, there is no way to detect that.

    The first rule in network server design is: never trust the client.
     
  3. insanelyThankful (New Member, joined Mar 19, 2010; Security software, Sunnyvale, CA)

    How does Apple trust the iPhone then?

    Sigh; I was hoping for a better answer. Dang! How does Apple trust that it is an iPhone talking to its servers? Or does it never have to trust the client? I would have thought that Apple would have buried some secret keys in the CPU that cannot be accessed directly, only used for signing/encryption, with the corresponding public key available for the reverse operation.
     
  4. Flickitty (Well-Known Member, joined Oct 14, 2009; iPhone Dev)

    What is the purpose of this connection? I really hope it isn't for DRM or any other protection scheme. You can't count on a device always having access to the internet, even on an iPhone (I've been in buildings where the signal is dropped, and no Wi-Fi). iPods aren't always connected, especially in foreign markets.

    Other than that, your dilemma should be easily resolved. You need to create specific builds for each device and platform anyway...
     
  5. insanelyThankful (New Member, joined Mar 19, 2010; Security software, Sunnyvale, CA)

    Need it to deliver scores to the server

    The communication is very short. Just a back and forth to deliver scores. It is possible for me to fake the server into believing the client, and I can send fraudulent scores.
     
  6. Flickitty (Well-Known Member, joined Oct 14, 2009; iPhone Dev)

    Well, then I am not sure why you aren't using a standard system, like OpenFeint. Regardless of the system that is used, fraudulent scores will always be a possibility, which is why you shouldn't rely on them to produce anything meaningful, i.e. as a competitive contest.
     
  7. mobile1up (Well-Known Member, joined Nov 6, 2008; Technical Director, Munich, Germany)

    Are you using PHP?

    $source = $_SERVER['HTTP_USER_AGENT'];

    You can check that; from a Mac OS X based machine (iPhone et al.) its value is typically "CFNetwork". It is one level of checking at least.
     
  8. Kyle Poole (Well-Known Member, joined Apr 28, 2009)

    If someone is using PHP to hack it,

    curl_setopt($curl_handle, CURLOPT_USERAGENT, "CFNetwork");

    will work to spoof the user agent... This is how sites like AppShopper scrape data from the iTunes store, by tricking it to think that it is the iTunes app requesting the info.

    There are better ways to secure high score postings, including custom encryption, token passing, and server-side data validation. I'm sure you can google it yourself...
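    An added example (not code from any poster in this thread) of what the two preceding posts point at: a User-Agent string is just a request header the client chooses, so the server gains nothing by trusting it; what the server can enforce is that a score submission carries a token it issued itself, that each token is used once, and that the score is plausible for the time the round took. The shared secret, the rate limits and the timestamps below are constructed placeholders; the function names are this example's own, not part of any framework.

```php
<?php
// Added example: server-side validation of a high-score post that does not rely
// on the User-Agent header. Constructed values are marked as such.
declare(strict_types=1);

// Constructed placeholder; in deployment load the secret from configuration, never from source.
const SERVER_SECRET = 'replace-with-a-random-server-side-secret';

// Constructed game limits: longest legitimate round and highest sustainable scoring rate.
const MAX_ROUND_SECONDS     = 600;
const MAX_POINTS_PER_SECOND = 50;

/** Step 1: the client asks to start a round; the server issues a token bound to user and start time. */
function issue_round_token(string $userId, int $now): array
{
    $nonce   = bin2hex(random_bytes(8));
    $payload = "$userId|$now|$nonce";            // assumes $userId contains no '|'
    $mac     = hash_hmac('sha256', $payload, SERVER_SECRET);
    return ['token' => $payload . '|' . $mac];
}

/** Step 2: the client posts score + token; the server verifies the token and validates the score. */
function validate_submission(array $post, int $now, array &$usedNonces): array
{
    $parts = explode('|', (string)($post['token'] ?? ''));
    if (count($parts) !== 4) {
        return ['ok' => false, 'reason' => 'malformed token'];
    }
    [$userId, $issuedAt, $nonce, $mac] = $parts;

    // The token must carry a MAC this server produced; compare in constant time.
    $expected = hash_hmac('sha256', "$userId|$issuedAt|$nonce", SERVER_SECRET);
    if (!hash_equals($expected, $mac)) {
        return ['ok' => false, 'reason' => 'bad token signature'];
    }

    // One submission per token: a captured post resent from curl is rejected.
    if (isset($usedNonces[$nonce])) {
        return ['ok' => false, 'reason' => 'token already used'];
    }

    $elapsed = $now - (int)$issuedAt;
    if ($elapsed < 0 || $elapsed > MAX_ROUND_SECONDS) {
        return ['ok' => false, 'reason' => 'round time out of range'];
    }

    // Server-side plausibility: reject a score the game could not produce in the elapsed time,
    // regardless of which client claims to have sent it.
    if (!ctype_digit((string)($post['score'] ?? ''))) {
        return ['ok' => false, 'reason' => 'score not an integer'];
    }
    $score = (int)$post['score'];
    if ($score > $elapsed * MAX_POINTS_PER_SECOND) {
        return ['ok' => false, 'reason' => "score exceeds what is reachable in {$elapsed}s"];
    }

    $usedNonces[$nonce] = true;
    return ['ok' => true, 'user' => $userId, 'score' => $score];
}

// --- Constructed walk-through (no network; the "client" is simulated inline) ---
$used  = [];
$start = 1268992000;                                   // constructed Unix timestamp
$t     = issue_round_token('player42', $start)['token'];

// Honest client: 120 s round, 3000 points. The User-Agent header plays no role.
var_dump(validate_submission(['token' => $t, 'score' => '3000'], $start + 120, $used)['ok']);
// Replay of the same token a second later.
var_dump(validate_submission(['token' => $t, 'score' => '3000'], $start + 121, $used)['reason']);
// Fresh token, but an impossible score for a 10 s round.
$t2 = issue_round_token('player42', $start)['token'];
var_dump(validate_submission(['token' => $t2, 'score' => '999999'], $start + 10, $used)['reason']);
// Token with a made-up MAC: fails signature verification.
var_dump(validate_submission(['token' => "player42|$start|deadbeef|00", 'score' => '1'], $start + 5, $used)['reason']);
```

    The replay and plausibility checks are the "server-side data validation" the post above mentions; the HMAC token is the "token passing". None of it proves the client is an iPhone, which, as the thread says, cannot be proven, but it does limit a forged client to scores that a real round could also have produced.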
     
  9. xother (Active Member, joined Aug 18, 2009)

  10. mobile1up (Well-Known Member, joined Nov 6, 2008; Technical Director, Munich, Germany)

    You can spoof anything. :)

    Point is, if you are going to have high scores, just don't run a competition through them. If you make it a valuable piece for someone to hack, then they will. We have rolling high scores, so it gives people a reason to post them. It is just for boasting rights really; people like it.
     
  11. mobileben (Well-Known Member, joined Jul 17, 2009; Lumpy's Handler, Zgrunturos and San Francisco)

    +1 on that.

    I'd concur that it really isn't worth the time and effort to try and build a "foolproof method" to prevent spoofing. It will happen. It even happens sometimes on OF.

    Just come up with something that takes reasonable precautions and you should be fine.

    If you do get someone hacking your boards ... you can take it as an abstract form of a compliment. It's a good sign then that people feel it's worth exerting some of that effort to hack it :D!
     