We are creating a turn based multiplayer game in Unity where client data is sent to the server (SSL encrypted) using JSON to update player currency, gear, etc. We have hit a road block with client verification. We need to be able to verify the Client application is indeed the Client.
For example - to update player gold to 100, the client would send the following URL Request:
What is to keep someone from calling that exact same address in a browser and changing 100 gold to 10000000?
Create session_id based on algorythm stored in client code to verify?
When creating a mobile game in Unity for Android, users can easily download the APK and view the source and see the algorythm.
Create session_id on server and send to client for later use?
A network packet sniffer can intercept session_id being sent back down to the client.
In both cases, the above URL can be modified with a spoofed session_id and player gold set to 10000000 instead of 100.
Are we stuck with TCP ports for all client / server communication or can we still use JSON? If so, how can we use it securely?