Sign in to follow this  

[c++/php] Safe App -> Website communication (encryption?)

This topic is 1603 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Hi, I'm trying to send some data from my game to a website via a simple POST call but want to prevent it from being easily spoofed - what's a good way to protect against that?

My first thought was to simply encrypt the data in my app using some shared key and then decrypt it in on the webserver. If someone tried to "spoof" they would need the shared key first.

Are there good examples of doing that with C++ and PHP? PHP already has bunch of encrypt/decrypt functions, but what about C++? I checked boost but it doesn't seem to have any support for that.

Or is there a simpler way to do so (I dont care about protecting the data, it's not anything vital, just ensuring it doesn't get spoofed).

Share this post


Link to post
Share on other sites
As with any security related problem, don't roll your own.

The hardcore blunt-force solution is to connect from app to server using something like TLS.

Another option would be public-key cryptography, where the app contains the public key but only your server contains the private key.


Even still, neither option really buys you much, because someone can trivially hack your app to send forged data with all the right signatures and validation information.


So the real question becomes: how much work is it worth to "protect" against spoofing? How bad would it be when someone inevitably busts it wide open?

Share this post


Link to post
Share on other sites
Define your threats.

What are you trying to protect? Usernames and accounts? In-game sessions? Credit card information?

Who are you trying to protect against? Script kiddies looking to say "I haxxored it"? Credit card hunters? Governments?

What are you trying to protect against? Minor issues like replay attacks? Session hijacking? MITM attacks? Compromised machines?


Once you define those types of issues, it will be come more clear what steps you need to take. Some issues like page refresh and double-submit are must-implement concepts. Others are a waste of time in hobby games.

Share this post


Link to post
Share on other sites

Hi, I'm trying to send some data from my game to a website via a simple POST call but want to prevent it from being easily spoofed - what's a good way to protect against that?

My first thought was to simply encrypt the data in my app using some shared key and then decrypt it in on the webserver. If someone tried to "spoof" they would need the shared key first.

Are there good examples of doing that with C++ and PHP? PHP already has bunch of encrypt/decrypt functions, but what about C++? I checked boost but it doesn't seem to have any support for that.

Or is there a simpler way to do so (I dont care about protecting the data, it's not anything vital, just ensuring it doesn't get spoofed).

 

If you run the client on a machine you don't control (such as a machine owned by one of your users) they will always be able to spoof its output, any key used by the client application can be extracted and used by the user to directly spoof the output.

 

The only way around this is to run the client application on a machine you control. (You can make it harder to extract the key or to modify the behaviour of the application by obfuscating the way it works but its impossible to make it bulletproof unless you control the hardware)

 

If all you need is to protect against third parties you can just use TLS, there are plenty of libraries capable of this. (openssl for example).

If you want to protect yourself against misbehaving users you're better off ensuring tracability, users are far less likely to misbehave if you have the ability to detect their misbehaviour and permanetly remove their access to the service.

Share this post


Link to post
Share on other sites

Define your threats.
What are you trying to protect? Usernames and accounts? In-game sessions? Credit card information?
Who are you trying to protect against? Script kiddies looking to say "I haxxored it"? Credit card hunters? Governments?
What are you trying to protect against? Minor issues like replay attacks? Session hijacking? MITM attacks? Compromised machines?
Once you define those types of issues, it will be come more clear what steps you need to take. Some issues like page refresh and double-submit are must-implement concepts. Others are a waste of time in hobby games.


Neither, as I mentioned, I don't have any sensitive data at all. It's just some basic stats about the playthrough like length, number of items found, plot points etc. so I don't care about protecting it, I just want to prevent spoofing so I don't have trolls sending fake requests to skew the data. I thought public / private key would be the best (most cost efficient) solution to verify the request is indeed coming from the game and not a 3rd party.

Sure it's still hack able but any solution will be really so I'm just looking for something cost/time efficient. Figure it's better than nothing where anyone could just fake a request by effectively typing the URL in their browser and some post variables.

Share this post


Link to post
Share on other sites

 

Define your threats.
What are you trying to protect? Usernames and accounts? In-game sessions? Credit card information?
Who are you trying to protect against? Script kiddies looking to say "I haxxored it"? Credit card hunters? Governments?
What are you trying to protect against? Minor issues like replay attacks? Session hijacking? MITM attacks? Compromised machines?
Once you define those types of issues, it will be come more clear what steps you need to take. Some issues like page refresh and double-submit are must-implement concepts. Others are a waste of time in hobby games.


Neither, as I mentioned, I don't have any sensitive data at all. It's just some basic stats about the playthrough like length, number of items found, plot points etc. so I don't care about protecting it, I just want to prevent spoofing so I don't have trolls sending fake requests to skew the data. I thought public / private key would be the best (most cost efficient) solution to verify the request is indeed coming from the game and not a 3rd party.

Sure it's still hack able but any solution will be really so I'm just looking for something cost/time efficient. Figure it's better than nothing where anyone could just fake a request by effectively typing the URL in their browser and some post variables.

 

 

public/private key won't make it that much harder to spoof, the user can just modify the data before its encrypted using for example cheatengine, (Allthough if you don't make the collected data public anywhere it will be difficult for a user to figure out which data he has to change in order to spoof the request).

 

The best way to prevent spoofing of such statistics is to do a sanity check on the server after recieving the request (This also lets you filter out data sent by players who are obviously cheating as well)

Share this post


Link to post
Share on other sites

This topic is 1603 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this