0

My target is to read and securely post high scores by REST from an Android game. I found a question and a good proposal as answer.

I have a question to the accepted answer. I would hard code the secret key into the app and use it to md5 encrypt the url. The result is appended to the url itself as parameter (see answer of linked posting). When I additionally use SSL, I think it would have no benefit for my case. I would need to use a private key too and when someone cracks and reverse engineers my app, he would get the private SSL key and the secret key. I don't send passwords or some critical data, just a name a user typed in or a nickname with a score and maybe a country. People with a rooted phone could see the URL, but the can't fake the high scored on the server with this approach, don't they? So if I omit SSL and just use HTTP instead of HTTPS, it wouldn't have any disadvantage to me, right? Or is there any problem with this approach I didn't think about? (I would like to omit SSL if possible, because it's easier to implement and this issue with the US export regulations when using encrypted apps in Google Play is too cumbersome to me for just sending high scores to a server).

Community
  • 1
  • 1
Bevor
  • 8,396
  • 15
  • 77
  • 141

3 Answers3

4

When I additionally use SSL, I think it would have no benefit for my case

It would make it more difficult for somebody to sniff on the traffic and see your secret key.

People with a rooted phone could see the URL, but the can't fake the high scored on the server with this approach, don't they?

They can certainly execute an HTTP request using your secret key. They do not need to root their phone to see the secret key. Whether they need to root their phone to use the results of the HTTP request, I cannot say.

So if I omit SSL and just use HTTP instead of HTTPS, it wouldn't have any disadvantage to me, right?

Skipping SSL will make it easier for somebody to use a proxy server or other form of traffic sniffer to see your secret key.

this issue with the US government allowance when using encrypted apps

I have no idea what you are talking about.

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
  • If some1 sees the hash value of the encryption in the url, he can't use it with other data as long as he doesn't know the secret key (answer of linked posting). And he only gets the key when he cracks my app. So I still don't know what the benefit to use ssl in that case, although it's more secure. When you publish on Google Play and use encryption, you have to fulfill export regulations. (Sorry, the question was not clear. I don't append the secret key but I use it to md5 encrypt the url. See updated question) – Bevor Nov 03 '13 at 18:57
0

SSL will only prevent sniffing between client and server. There's no point in using SSL if you are not going to send anything secret between the client and the server. Sending a "secret" key that's hardcoded in your app is a bad idea: decompiling the app will mean that the key is no longer secret.

People with a rooted phone could see the URL, but the can't fake the high scored on the server with this approach, don't they?

Anybody with the "secret key" can make an HTTP(s) request and set any hiscore they want. Never trust your clients! You should calculate the hiscore on the server itself, then return it back to the clients. Preferably not the other way around.

ln e
  • 1,095
  • 1
  • 7
  • 16
0

You are hashing part of the URL, like this:

http://yourserver/?key=hashed_value&score=100

But that doesn't put security at all, the client can still see that URL and make his own POST, like this:

http://yourserver/?key=hashed_value&score=300

The hashed value used by the hacker is the same that your app is using.

You have to use HTTPS for the desired purpose.

Notice that I used a "GET" in my example, but a POST is the same, you can see the entire HTTP request if its not HTTPS

sports
  • 7,851
  • 14
  • 72
  • 129