6

I have an iPhone game that dispenses in-game currency over time, and someone discovered that you can change the date on your device to get rewards early.

I found out there was a similar issue in Smurf Village, and they detect the tampering somehow. Does anyone know how they do it? The only thing I can think of is getting the time from an outside server, which would require devices to be online, but it's better than nothing I guess... does anyone know where I can find a server that just tells you the time?

Adam
  • 1,486
  • 3
  • 20
  • 35

7 Answers

4

You can use an NTP server that tells you the time.

Right until someone uses a proxy server to figure out what NTP server you are trying to connect to, and then spoofs the NTP response... as others have mentioned, the response is easy to parse, and thus easy to forge.

A better solution would be to use something like Google App Engine (free), to send your app some kind of encrypted response that would boil down to the server time. If the client time deviated from that by too much, the app would simply use the server time for calculations. Then even if they intercept the request they will not easily be able to send back the correct response.

But basically in any networked game, you must always assume the client is lying. The only real way to prevent issues is to have everything go through a server, so a client cannot decide it's suddenly rich and have any other client agree it is so...

Kendall Helmstetter Gelner
  • 74,769
  • 26
  • 128
  • 150
  • what is the type of this vulnerability, don't you know? I'm thinking of this https://cwe.mitre.org/data/definitions/610.html – Ender Apr 11 '19 at 05:01
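The signed server-time exchange this answer describes, written out as an added example (not the poster's code and not an App Engine project). It uses an HMAC tag over a client nonce plus the server's UTC time rather than encryption, since authenticity is what stops a forged or replayed reply; the shared key, the 5-minute skew tolerance and the `trusted_time` policy are all assumptions made for the example.

```python
import hmac
import hashlib
import os
import struct
import time

# Constructed shared secret for this example only; a real deployment would
# provision it per install rather than bake one value into the app.
SERVER_KEY = b"example-key-constructed-for-this-answer"
MAX_SKEW_SECONDS = 5 * 60   # assumed tolerance before the device clock is ignored
NONCE_LEN = 16
TAG_LEN = 32                # HMAC-SHA256 digest length


def server_time_response(nonce: bytes, server_now: int, key: bytes = SERVER_KEY) -> bytes:
    """Server side: echo the client's nonce, append the server's UTC time and
    authenticate both with an HMAC, so a forged or replayed reply fails to verify."""
    body = nonce + struct.pack("!Q", server_now)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_server_time(nonce: bytes, response: bytes, key: bytes = SERVER_KEY):
    """Client side: return the server time, or None if the MAC is wrong or the
    nonce is not the one this client just sent (an old reply being replayed)."""
    if len(response) != NONCE_LEN + 8 + TAG_LEN:
        return None
    body, tag = response[:-TAG_LEN], response[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if body[:NONCE_LEN] != nonce:
        return None
    return struct.unpack("!Q", body[NONCE_LEN:])[0]


def trusted_time(local_now: int, nonce: bytes, response: bytes, key: bytes = SERVER_KEY) -> int:
    """Use the device clock only while it agrees with the authenticated server
    time; otherwise calculate with the server time, as the answer suggests."""
    server_now = verify_server_time(nonce, response, key)
    if server_now is None:
        raise ValueError("time response failed authentication")
    return local_now if abs(local_now - server_now) <= MAX_SKEW_SECONDS else server_now


if __name__ == "__main__":
    # Simulate one round trip where the device clock has been moved a day ahead.
    nonce = os.urandom(NONCE_LEN)
    reply = server_time_response(nonce, int(time.time()))
    print("trusted time:", trusted_time(int(time.time()) + 86400, nonce, reply))
```

The nonce is what defeats replay: a captured reply only verifies against the request it answered. Note that a key embedded in the app can still be extracted, which is why the last paragraph of the answer (keep the authoritative balance on the server) is the stronger position.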
1

You can simply use one of the time servers available over the internet. That's quite a simple protocol; you will parse replies without any problem.

Nickolay Olshevsky
  • 13,706
  • 1
  • 34
  • 48
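To show how simple the protocol actually is, here is an added example (not the poster's code) that builds a 48-byte SNTP request, parses the reply and computes the clock offset from the four timestamps. The server reply is constructed locally so the example runs offline; `query()` does the same over UDP against `pool.ntp.org`, which is an assumption about which server you would use. Nothing here authenticates the reply, which is the limitation the accepted answer points out.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
NTP_PACKET_SIZE = 48
NTP_FORMAT = "!BBBb11I"            # LI/VN/Mode, stratum, poll, precision, then 11 32-bit words


def to_ntp(unix_ts: float) -> tuple:
    """Unix seconds -> (ntp_seconds, ntp_fraction) 64-bit timestamp pair."""
    ntp = unix_ts + NTP_EPOCH_OFFSET
    secs = int(ntp)
    return secs, int((ntp - secs) * (1 << 32))


def from_ntp(secs: int, frac: int) -> float:
    return secs + frac / (1 << 32) - NTP_EPOCH_OFFSET


def build_request(t1: float) -> bytes:
    """Client request: LI=0, version 3, mode 3; our send time goes in Transmit."""
    secs, frac = to_ntp(t1)
    return struct.pack(NTP_FORMAT, 0x1B, 0, 0, 0,
                       0, 0, 0,          # root delay, root dispersion, reference id
                       0, 0,             # reference timestamp
                       0, 0,             # originate timestamp
                       0, 0,             # receive timestamp
                       secs, frac)       # transmit timestamp


def build_response(request: bytes, t2: float, t3: float) -> bytes:
    """A constructed server reply so the example runs offline: the client's
    Transmit is copied into Originate, t2/t3 become Receive/Transmit."""
    f = list(struct.unpack(NTP_FORMAT, request[:NTP_PACKET_SIZE]))
    f[0] = (f[0] & 0xF8) | 4          # keep LI/VN, set mode 4 (server)
    f[1] = 2                          # stratum 2
    f[9], f[10] = f[13], f[14]        # originate = client's transmit
    f[11], f[12] = to_ntp(t2)
    f[13], f[14] = to_ntp(t3)
    return struct.pack(NTP_FORMAT, *f)


def parse_response(packet: bytes) -> tuple:
    """Return (t1, t2, t3) as Unix floats; reject anything that is not a mode-4 reply."""
    if len(packet) < NTP_PACKET_SIZE:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_FORMAT, packet[:NTP_PACKET_SIZE])
    if f[0] & 0x07 != 4:
        raise ValueError("not a server reply")
    return from_ntp(f[9], f[10]), from_ntp(f[11], f[12]), from_ntp(f[13], f[14])


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """Offset of the local clock from the server: add this to local time."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def query(host: str = "pool.ntp.org", timeout: float = 2.0) -> float:
    """Live query over UDP port 123 (assumed server); returns the offset in seconds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        sock.sendto(build_request(t1), (host, 123))
        data, _ = sock.recvfrom(NTP_PACKET_SIZE)
        t4 = time.time()
    finally:
        sock.close()
    t1_echo, t2, t3 = parse_response(data)
    if abs(t1_echo - t1) > 1e-3:      # reply does not answer our request
        raise ValueError("originate timestamp mismatch")
    return clock_offset(t1, t2, t3, t4)


if __name__ == "__main__":
    print("local clock is off by %.3f s" % query())
```

In the offline test below the device clock is 60 s slow: the server stamps 1060.05/1060.06 while the client sent at 1000.00 and received at 1000.11, and the offset comes out as +60.0 s.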
1

You could use any NTP server (see http://www.ntp.org/).

Also, you could implement some simple validation by storing the latest date the app has run, and check that the date never goes back.

pgb
  • 24,813
  • 12
  • 83
  • 113
  • "and check that the date never goes back." Isn't that going to be closing the barn door after the horse gets out? – KevinDTimm Jan 11 '11 at 20:15
  • how so? date goes back => no new currency *and* don't cache back-date. relying on servers, though, seems to be somewhat brittle if cheater can simply turn off WiFi, etc. – westsider Jan 11 '11 at 20:21
  • And what if they change timezones? I guess you could use GMT, and watch for major shifts in time – PostMan Jan 11 '11 at 20:21
  • @westsider - the money has already gone out when the date goes back (I assume that the date has to move ahead to get money 'early') – KevinDTimm Jan 11 '11 at 20:33
  • @KevinDTimm - ah... so time is set back *before* initial run? makes sense. thanks for explanation. – westsider Jan 11 '11 at 20:51
  • This is probably not the best solution for everyone, but I'm going to do part of what you suggested; check that the time never goes backwards. If the time goes back more than say 10 hours, I'll assume they cheated and give them a popup that says something like 'you've been doing a lot of travelling! Unfortunately, all your luggage was lost in transit', and just remove all the items they purchased. That way I can reward people who were smart enough to figure out the hole, but punish people who got greedy. – Adam Jan 11 '11 at 21:34
  • I agree it's not the best solution at all, but it's certainly a start. It would be great if you can track more information on the server, every time the currency is used, so you can create a better logic in the future. – pgb Jan 11 '11 at 21:44
0

iPhone: Open your game, let it load, use all energy, then go to: *Settings *General *Date & time. Turn off auto, set 1 hr forward (or more depending on wait time, i.e. energy full in 3 hours, set forward 3 hours). Reopen game. Does not work for every game.

Stacie
  • 1
0

One way that will provide at least a layer of protection if you absolutely cannot check a remote NTP server:

Check times and time zone; if you ever notice a change in time that's not attributed to a time zone change and that's greater than DST changes, pause your dispensing of money.

kgutteridge
  • 8,727
  • 1
  • 18
  • 23
0

If online, you should check an NTP server, or preferably your own time stamp server using an encrypted protocol.

When offline, you can either not add currency, or time-stamp the currency addition and check for cheating (the time stamps vary non-monotonically by too much to allow for travel and clock drift) every time the app is made active. Then you could de-value any ill-gotten gains somehow: virtual barn catches fire, everything in the game suddenly costs more, bank transfer fees become larger than the amount transferred, etc.

hotpaw2
  • 70,107
  • 14
  • 90
  • 153
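The offline checks proposed in pgb's answer (never let the date go backwards), kgutteridge's answer (tolerate DST-sized jumps, then pause dispensing) and this answer (time-stamp each grant and check on activation, then de-value ill-gotten gains) all fit in one persisted state object. The following is an added example, not any poster's code: the 6-hour grant interval and the 1-hour rollback tolerance are assumed game rules, timestamps are UTC so time-zone changes never register as jumps, and "de-valuing" is implemented as revoking the grants that the rolled-back clock now places in the future.

```python
import json
from dataclasses import dataclass, field, asdict

GRANT_INTERVAL = 6 * 3600      # assumed game rule: one coin per 6 hours of wall-clock time
ROLLBACK_TOLERANCE = 3600      # assumed: largest backwards jump treated as DST/drift, not cheating


@dataclass
class Wallet:
    coins: int = 0
    last_grant: float = 0.0      # UTC time the balance has been credited up to
    high_water: float = 0.0      # latest UTC time this device has ever reported
    grant_log: list = field(default_factory=list)   # [(utc_ts, coins)] kept for revocation
    paused: bool = False

    @classmethod
    def new(cls, now_utc: float) -> "Wallet":
        return cls(last_grant=now_utc, high_water=now_utc)

    def on_activate(self, now_utc: float) -> str:
        """Run every time the app becomes active; returns what happened."""
        if now_utc < self.high_water - ROLLBACK_TOLERANCE:
            # Clock went backwards further than DST or drift can explain: stop
            # dispensing and take back every grant that now lies in the future.
            self.paused = True
            revoked = [g for g in self.grant_log if g[0] > now_utc + ROLLBACK_TOLERANCE]
            self.coins -= sum(n for _, n in revoked)
            self.grant_log = [g for g in self.grant_log if g not in revoked]
            return "rollback"
        self.high_water = max(self.high_water, now_utc)
        if self.paused:
            return "paused"
        due = int((now_utc - self.last_grant) // GRANT_INTERVAL)
        if due <= 0:
            return "nothing_due"
        self.coins += due
        self.last_grant += due * GRANT_INTERVAL   # keep the remainder towards the next coin
        self.grant_log.append((now_utc, due))
        return "granted:%d" % due

    # Persist across launches (e.g. in the app's documents directory).
    def to_json(self) -> str:
        return json.dumps(asdict(self))

    @classmethod
    def from_json(cls, blob: str) -> "Wallet":
        d = json.loads(blob)
        d["grant_log"] = [tuple(g) for g in d["grant_log"]]
        return cls(**d)


if __name__ == "__main__":
    T = 1_300_000_000.0                      # constructed start time
    w = Wallet.new(T)
    print(w.on_activate(T + 6 * 3600))       # granted:1
    print(w.on_activate(T + 36 * 3600))      # clock moved 30 h ahead: granted:5
    print(w.on_activate(T + 12 * 3600))      # clock moved back: rollback, 5 coins revoked
    print(w.coins, w.paused)
```

The high-water mark is what catches the "set the clock forward, collect, set it back" pattern from the comments: the forward jump is indistinguishable from waiting, but the return trip is a backwards jump larger than any DST change and is what triggers the revocation.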
0

If you look closely in the headers of your HTTP requests and responses you'll find that the time information you need to determine the clock offset from the Server to the Client is almost always already available.

For tracking absolute time in disconnected operation, you can use the system's MONOTONIC clock; on iOS it's part of the kernel interface. You'll also need to save the boot UUID and boot time from sysctl so you can catch system reboots.

alfwatt
  • 2,010
  • 2
  • 18
  • 29
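Both halves of this answer, as an added example rather than the poster's code: the clock offset read from an HTTP `Date` response header, and a monotonic-clock anchor that detects wall-clock edits between app activations and invalidates itself on reboot. The boot identifier is assumed to be supplied by the caller (the answer points at sysctl on iOS; the example does not read it), and the 5-second tolerance is an assumption.

```python
from email.utils import parsedate_to_datetime


def offset_from_http_date(date_header: str, local_recv_unix: float) -> float:
    """Seconds to add to the local clock to get server time. The Date header has
    one-second granularity, so treat the result as +/-1 s plus half the round trip."""
    server = parsedate_to_datetime(date_header).timestamp()
    return server - local_recv_unix


class OfflineClock:
    """Pair a trusted wall-clock reading with the monotonic clock at anchor time.
    Later, elapsed monotonic time is the ground truth; a wall clock that moved by
    a different amount has been edited. A new boot id means the monotonic clock
    restarted, so the anchor is no longer usable."""

    def __init__(self, boot_id: str, wall_now: float, mono_now: float, trusted_offset: float = 0.0):
        self.boot_id = boot_id
        self.wall_anchor = wall_now
        self.mono_anchor = mono_now
        self.offset = trusted_offset      # e.g. from offset_from_http_date()

    def check(self, boot_id: str, wall_now: float, mono_now: float, tolerance: float = 5.0) -> tuple:
        """Returns (status, best_estimate_of_true_time_or_None)."""
        if boot_id != self.boot_id:
            return ("rebooted", None)
        mono_elapsed = mono_now - self.mono_anchor
        wall_elapsed = wall_now - self.wall_anchor
        if abs(wall_elapsed - mono_elapsed) > tolerance:
            # Wall clock was changed; reconstruct the time from the anchor instead.
            return ("clock_changed", self.wall_anchor + mono_elapsed + self.offset)
        return ("ok", wall_now + self.offset)


if __name__ == "__main__":
    import time
    # Constructed header value; a real one comes from the response of your own server.
    print(offset_from_http_date("Tue, 11 Jan 2011 20:15:00 GMT", time.time()))
    clock = OfflineClock("boot-A", time.time(), time.monotonic())
    print(clock.check("boot-A", time.time() + 3 * 3600, time.monotonic()))   # clock_changed
```

The example leaves out the round-trip correction on the Date header; for a dispensing interval measured in hours, second-level accuracy is enough, and the monotonic anchor is what makes the offline period tamper-evident.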