
I have developed a game which, when it gets a high score, connects to the server to update the score in the leaderboard. What I want is to prevent somebody, or even the user, from sending fake high scores without playing. The method I tried was to send all data from my app encrypted using a hardcoded key in the app and using the same key to decrypt the data at the server side. But since the Android app can be easily decompiled even after using ProGuard, the method fails. Any help would be great.

Marcus Adams
joseph
  • Have you tried sending a random token from the server to the app, and then having the app send that token back to the server with the request to update the high score? The server would check to ensure the token was valid before doing the update. That's basically what Rails does to ensure that form posts are valid. – J Plato Mar 01 '15 at 18:15
  • @JPlato That won't solve the issue, I think. Anybody can make a random request, get the reply token and send it back again with the score, no? Please correct me if I got it wrong. – joseph Mar 02 '15 at 18:51
  • Unless the user has to log in to play the game, I think it's going to be difficult to prevent someone from spoofing your high score system, if they are very determined. You could consider having the game provide information to the server during gameplay, so you could ensure the score came from legitimate gameplay. That would make it more difficult to spoof the scoring system, but not impossible. – J Plato Mar 02 '15 at 20:10

1 Answer


Yes, as J Plato suggested, consider generating a nonce (request-scoped token) before the app submits the score. The app should submit the score along with this nonce, which will be validated at the server side before updating the score.

user1493834
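As an added illustration of the nonce scheme the answer describes (example code written here, not from the question or answer authors; the user ids, the 120-second lifetime and the in-memory store are assumptions), a minimal server-side issue-and-validate pair in Python:

```python
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Assumed server-side state. The nonce store is in-memory for this example;
# a real deployment would keep it in a shared database or cache.
NONCE_TTL_SECONDS = 120
_issued: Dict[str, Tuple[float, str]] = {}   # nonce -> (issued_at, user_id)
leaderboard: List[Tuple[str, int]] = []      # constructed sample leaderboard


def issue_nonce(user_id: str, now: Optional[float] = None) -> str:
    """Called when a game session starts: hand the client a one-time token."""
    now = time.time() if now is None else now
    # 32 random bytes from the OS CSPRNG: a client cannot mint its own.
    nonce = secrets.token_urlsafe(32)
    _issued[nonce] = (now, user_id)
    return nonce


def submit_score(user_id: str, score: int, nonce: str,
                 now: Optional[float] = None) -> bool:
    """Accept the score only if the nonce was issued by us, is unexpired,
    has not been used before and belongs to the submitting user.
    The nonce is consumed on any attempt, so a replay fails even when
    the first submission was rejected."""
    now = time.time() if now is None else now
    entry = _issued.pop(nonce, None)     # single use: remove on first sight
    if entry is None:
        return False                     # never issued, or already consumed
    issued_at, owner = entry
    if owner != user_id:
        return False                     # token was issued to another account
    if now - issued_at > NONCE_TTL_SECONDS:
        return False                     # stale token
    if score < 0:
        return False                     # reject obviously malformed input
    leaderboard.append((user_id, score))
    return True


if __name__ == "__main__":
    token = issue_nonce("alice")
    print("first submit:", submit_score("alice", 500, token))   # True
    print("replayed    :", submit_score("alice", 500, token))   # False
```

The nonce ties each submission to a token the server handed out and rejects replays and cross-account reuse; as J Plato's comment notes, it does not by itself prove that the score came from real gameplay.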