1

I would like to save a score from an Android game to te parse.com backend. So i will create a ParseObject and save it in background:

ParseObject gameScore = new ParseObject("GameScore");
gameScore.put("score", 1337);
gameScore.put("playerName", "Sean Plott");
gameScore.saveInBackground();

Now someone can reverse engeener my Android App, get the parse client key and application id and write any highscore he wants to, for his user, the parse.com backend? Or does Parse prevents this case already somehow?

Thx

user630447
  • 71
  • 1
  • 1
  • 9
  • how about add a obfuscator? – Jiang YD Sep 09 '15 at 07:53
  • yes this would be a possibility, but also not 100% save. My question is if i need some extra security to write the score into parse, or does the koncept of parse (api_key, client_key) is "save enough" ?? – user630447 Sep 09 '15 at 11:11

1 Answers1

2

Yes you need extra security, those API key's can be stolen.

Obfuscation is first step to prevent someone from reverse engineering your code. However things like API key's are usually stored as String, thus they won't be obfuscated. There is no real perfect solution. No matter what you do, someone dedicated to it will be able to steal it. However there are some methods that can make this process more difficult

Some examples:

  • use NDK
  • use encryption
  • hide data in png file
  • set up your application to send your requests without the API Key to a proxy server to receive the request, append the API Key to the end of the request, send the request, and then receive and return the response from the request to your application

  • To keep your public key safe from malicious users and hackers, do not embed it in any code as a literal string. Instead, construct the string at runtime from pieces or use bit manipulation (for example, XOR with some other string) to hide the actual key. The key itself is not secret information, but you do not want to make it easy for a hacker or malicious user to replace the public key with another key. http://developer.android.com/google/play/billing/billing_best_practices.html

More informations about that topic:

http://www.androidauthority.com/how-to-hide-your-api-key-in-android-600583/ http://www.informit.com/articles/article.aspx?p=2268753&seqNum=4

Related SO question:

Best Practice for storing private API keys in Android

How to store a secret API key in an application's binary?

Community
  • 1
  • 1
Than
  • 2,759
  • 1
  • 20
  • 41
  • Thx, you mentioned the proxy server solution. But everyone can send the request to the proxy and make a request? WIth this solution there is not more security than storing the key direct in the app? – user630447 Sep 13 '15 at 22:46