Server needs to ensure an iPhone is connected

03-19-2010, 05:23 PM
#1
Joined: Mar 2010
Location: Sunnyvale, CA
Posts: 3
Server needs to ensure an iPhone is connected

Hi,
I have a game (can be any application) with versions that run on the iPhone and other platforms which connect back to a central server. The central server puts iPhone gamers in a separate pool from the other pools.

The central server needs to be able to distinguish between the iPhone clients and the other clients. How does one do that? Simple user name, password, or configuration information does not cut it. A secret buried in the application during download will get reversed and can be easily used on non-iPhone emulators. Server certificate SSL will prove to the iPhone what the server is, not the other way around. Client side SSL is still not available and even then, it is not possible to ensure anything unless we rely on a public/private keypair intimately tied to the hardware and the private key is not readable. Is there something like that available with the iPhone?

Just a bunch of questions ...
03-20-2010, 01:01 AM
#2
The short answer is that there is no way to be sure. The iPhone is just like any other computer, and even SSL encrypted packets can be sniffed, deconstructed, and resent from another computer. You can use SSL as well as another layer of encryption to make it harder for hackers to understand your protocol format, but if someone really wants to communicate with your server with a custom built client, there is no way to detect that.

The first rule in network server design is: never trust the client.

Be sure to check out Shadow Era, a trading card game now with almost 3 million players, cross-platform multiplayer for iPhone, Android, web, PC and Mac for FREE!

03-20-2010, 01:28 AM
#3
Joined: Mar 2010
Location: Sunnyvale, CA
Posts: 3
How does Apple trust the iPhone then?

Sigh; I was hoping for a better answer. Dang! How does Apple trust that it is an iPhone talking to its servers? Or does it never have to trust the client? I would have thought that Apple would have buried some secret keys in the CPU that cannot be accessed directly, only for signing/encryption with the corresponding public key available for the reverse operation.
03-20-2010, 01:45 AM
#4
Quote:
Originally Posted by insanelyThankful
Sigh; I was hoping for a better answer. Dang! How does Apple trust that it is an iPhone talking to its servers? Or does it never have to trust the client? I would have thought that Apple would have buried some secret keys in the CPU that cannot be accessed directly, only for signing/encryption with the corresponding public key available for the reverse operation.
What is the purpose of this connection? I really hope it isn't for DRM or any other protection scheme. You can't count on a device always having access to the internet, even on an iPhone (I've been in buildings where the signal is dropped, and no wifi). iPods aren't always connected, especially in foreign markets.

Other than that, your dilemma should be easily resolved. You need to create specific builds for each device and platform anyway...

A ragdoll physics platformer: Flickitty
The artist: randall schleufer
Twitter: @FlickittyiPhone
03-20-2010, 03:00 AM
#5
Joined: Mar 2010
Location: Sunnyvale, CA
Posts: 3
Need it to deliver scores to the server

The communication is very short. Just a back and forth to deliver scores. It is possible for me to fake the server into believing the client and I can send fraudulent scores.
03-20-2010, 03:15 AM
#6
Quote:
Originally Posted by insanelyThankful
The communication is very short. Just a back and forth to deliver scores. It is possible for me to fake the server into believing the client and I can send fraudulent scores.
Well then I am not sure why you aren't using a standard system, like OpenFeint. Regardless of the system that is used, fraudulent scores will always be a possibility, which is why you shouldn't rely on them to produce anything meaningful, i.e. as a competitive contest.

A ragdoll physics platformer: Flickitty
The artist: randall schleufer
Twitter: @FlickittyiPhone
03-20-2010, 06:28 AM
#7
Joined: Nov 2008
Location: Munich, Germany
Posts: 754
Quote:
Originally Posted by insanelyThankful
The communication is very short. Just a back and forth to deliver scores. It is possible for me to fake the server into believing the client and I can send fraudulent scores.
You using PHP?

$source = $_SERVER['HTTP_USER_AGENT'];

You can check that; from a Mac OS X based machine (iPhone et al.) its value is typically "CFNetwork". It is one level of checking at least.

// Aaron Ardiri
Mobile 1UP is a proud indie developer - support us!
developer of Caveman / Caveman HD and GW Series
03-20-2010, 03:05 PM
#8
If someone is using php to hack it,

curl_setopt($curl_handle, CURLOPT_USERAGENT, "CFNetwork");

will work to spoof the user agent... This is how sites like AppShopper scrape data from the iTunes store, by tricking it to think that it is the iTunes app requesting the info.

There are better ways to secure high score postings, including custom encryption, token passing, and server-side data validation. I'm sure you can google it yourself...

Be sure to check out Shadow Era, a trading card game now with almost 3 million players, cross-platform multiplayer for iPhone, Android, web, PC and Mac for FREE!
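The "token passing" and "server-side data validation" mentioned above, worked through as an added example that is not code from any poster in this thread. The thread talks about a PHP back end; this sketch is in Python so it can be run as-is, and the class, key and rate limit are all constructed for illustration. It does not identify an iPhone (the thread's point is that nothing can), but it makes a forged or replayed score cost more than sending a single HTTP request: the server issues a single-use, HMAC-tagged session token when a game starts, and on submission it checks the tag, rejects replays, and rejects scores that could not have been earned in the elapsed time.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder key; a real deployment loads it from secure config
# and never ships it inside the client app (the app holds no secrets here).
SERVER_KEY = b"constructed-demo-key-not-for-production"


class ScoreServer:
    """Hypothetical server side of a score-submission protocol."""

    def __init__(self, max_points_per_second=50, clock=time.time):
        # Plausibility ceiling: the most points a legitimate game can earn per second.
        self.max_points_per_second = max_points_per_second
        self.clock = clock          # injectable so the logic can be tested
        self.issued = {}            # token -> issue time (seconds)
        self.used = set()           # tokens already redeemed

    def start_game(self, player):
        """Issue a single-use session token tagged with an HMAC over its fields."""
        if ":" in player:
            raise ValueError("player name must not contain ':'")
        issued_at = int(self.clock())
        nonce = secrets.token_hex(8)
        payload = f"{player}:{nonce}:{issued_at}"
        tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        token = f"{payload}:{tag}"
        self.issued[token] = issued_at
        return token

    def submit_score(self, token, score):
        """Validate a score submission; returns (accepted, reason)."""
        try:
            payload, tag = token.rsplit(":", 1)
            _player, _nonce, issued_str = payload.split(":")
            issued_at = int(issued_str)
        except ValueError:
            return False, "malformed token"

        # 1. The tag proves the token was minted by this server, not fabricated.
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"

        # 2. The token must correspond to a game the server actually started.
        if token not in self.issued:
            return False, "unknown session"

        # 3. Each token redeems exactly once, so a captured request cannot be replayed.
        if token in self.used:
            return False, "token already used"

        # 4. Server-side validation of the data itself: type, range, plausibility.
        if not isinstance(score, int) or score < 0:
            return False, "invalid score"
        elapsed = int(self.clock()) - issued_at
        if score > elapsed * self.max_points_per_second:
            return False, "score implausible for elapsed time"

        self.used.add(token)
        return True, "accepted"


if __name__ == "__main__":
    server = ScoreServer()
    token = server.start_game("alice")
    time.sleep(1)
    print(server.submit_score(token, 20))   # plausible: accepted
    print(server.submit_score(token, 20))   # replay: rejected
```

The plausibility ceiling is the part that needs tuning per game; set it from real play data, and treat rejections as a signal worth logging rather than a proof of cheating, since a legitimately disconnected client can also show up with odd timing.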
03-21-2010, 07:43 PM
#9
Joined: Aug 2009
Posts: 26
There was a thread related to this a while ago..

http://forums.toucharcade.com/showthread.php?t=24670

Lunarcy, a really challenging retro looking arcade game.
03-22-2010, 01:40 AM
#10
Joined: Nov 2008
Location: Munich, Germany
Posts: 754
Quote:
Originally Posted by Kyle Poole
If someone is using php to hack it,

curl_setopt($curl_handle, CURLOPT_USERAGENT, "CFNetwork");

will work to spoof the user agent... This is how sites like AppShopper scrape data from the iTunes store, by tricking it to think that it is the iTunes app requesting the info.

There are better ways to secure high score postings, including custom encryption, token passing, and server-side data validation. I'm sure you can google it yourself...
You can spoof anything.

Point is; if you are going to have high scores, just don't run a competition through them. If you make it a value piece for someone to hack, then they will. We have rolling high scores; so, it gives people a reason to post them. It is just for boasting rights really; people like it.

// Aaron Ardiri
Mobile 1UP is a proud indie developer - support us!
developer of Caveman / Caveman HD and GW Series