Because I’m developing a server game, data has to flow in both directions. That means it might be read (by ‘tapping’ e.g. using utilities like WireShark) or maybe even spoofed. Obviously this would be a bad thing.
Now I’m obviously not going to say how exactly I plan to protect it. Here are a few ideas.
- Encrypt all data. I already do this with an SSL certificate. Apple for example block network connections that aren’t secured.
- Include checksums and other ways of checking that the data originated from where it purported to. A poor way of doing this would be to always include a constant value and check for its presence. The idea is good but if someone managed to disassemble an app, they might spot it and it would be game over. The principle is sound but not a constant value.
- I like the idea of a time based constant but it needs careful implementation. The idea is that every hour say a new constant is calculated. Now there are several issues with this: how do you derive the constant so that the server and mobile apps know what constants should be? One way would be a pseudo random number generator and there are many algorithms. So long as both client and server (which are programmed in different languages) can manage this then that’ is not bad. Another issue is “time dislocation”. My mobile and server may not be exactly in sync. It might only be a fraction of a second or maybe longer if they are on different time zones. One way round this is to keep the last say two or three values and check not jut the current one but the one before that as well. We’re not bothered about the time so much as when the hour changes.
- Or a simpler method, just have a list of constant values. And an index which is incremented every hour. It wraps round at the end. This is virtually the same as 3. but without the pseudo random number generator.
- Include a secure hash of the main data. This is like a digital certificate created from a document. It guarantees that the document hasn’t been tampered with because the certificate is created from the contents of the document. The only thing here is, the data must include a value from 3 or 4 to verify the document so a spoofer doesn’t just send their own data and a secure hash of that!