5

Over the years I've become an uber-nerd when it comes to flash game development. Now I'm thinking about looking into using my skills for helping other game-developers out there.

I want to develop an API in AS3 which will allow the developer to do (as a start) the following:

  1. Display a dialogue which lets the user log into their "account" (hosted on my site).
  2. Send a score/value to the website and attribute it to the logged in user.
  3. Unlock an achievement (achievements will be set up by the developer in the web interface - which is where they will also get a key of some type to use with their API.
  4. Display high scores, other players profiles in-game, etc (show basically any stats in-game).

All easy enough to develop straight off the bat. However; where it becomes frustrating is security. I'm not expecting an indestructible solution that I'm fully aware isn't possible, but what would be the most defensive way to approach this?

Here are the issues that I can think up on the spot:

  1. The big one - people stealing the API key via man-in-the-middle attack.
  2. Highscore injection, false achievement unlocks.
  3. Decompiling the SWF and stealing the API key.
  4. Using the API key to create a dummy flash application and send random data like highscores.
  5. Altering the API itself so you don't need to be logged in, etc.

One thought I've had was converting my API to a component so there's no access to the code (unless you decompile). The problem here is it's just not friendly to the developers, though it would allow me to create my own graphics for the UI (rather than coding many, many sprites).

Private/public keys won't work unless there is very good protection against decompiling.

I'm beginning to wonder if this idea is a dead end.

Any advice on securing this (or parts of it) would be great.

Sam
  • 7,252
  • 16
  • 46
  • 65
Marty
  • 39,033
  • 19
  • 93
  • 162

3 Answers3

1

Look at this thread first if you haven't done so already: What is the best way to stop people hacking the PHP-based highscore table of a Flash game

Community
  • 1
  • 1
frankhermes
  • 4,720
  • 1
  • 22
  • 39
  • Similar - though my question presents a huge amount of additional security issues. This thread is solely for a highscore submission system. – Marty Apr 29 '11 at 07:18
  • True, but I still recommend you to read all the top answers, since it will help you a lot ;) – Cay Apr 29 '11 at 08:01
0

client side is never secure enough, so i'd suggest to take all the logic to the server, reducing client to just UI.
If it's impossible due to network timeouts - send scores/achievements only with the log of pairs "user_action - game_state" and verify it on the server.

www0z0k
  • 4,444
  • 3
  • 27
  • 32
  • This is indeed the approach I had in mind. The API itself displays what the server returns and sends extremely basic info as well as an API key or something similar. PHP/MySQL can handle the rest. – Marty Apr 29 '11 at 07:21
  • @Marty Wallace - also if you aren't afraid to lose faking users you may ban (for 24 hours or ever) any account sending fake data to prevent consecutive hacking algorithm testing – www0z0k Apr 29 '11 at 08:16
  • I agreed, webservices + AS3 wrapper/lib, and webservices can also access through other wrapper like JS – Imran Apr 29 '11 at 10:14
0
  1. Against man-in-the-middle HTTPS seems the only option. It may have its vulnerabilities, but it's way better than any home-made solution. The problem that you'll need actual certificate from authorized center, because ActiveX-based Flash plugin will not trust self-signed certificate.
  2. Should not be possible without decompilation
  3. SecureSWF with reasonably high settings (code execution path obfuscation and encrypted strings) should beat most decompilers. Sure, SWF can be examined with hex editor, but this will require very determined hacker.
  4. Should not be possible without decompilation
  5. API should be on server and any API function would require user context (loaded by HTTPS)

Also add encryption to flash shared objects\cookies. I had successfully altered some savegames using simple hex editor, because they were just objects in AMF format. Encryption will depend on SWF decompilation, but since we are using SecureSWF... Or move savegames on server.

alxx
  • 9,897
  • 4
  • 26
  • 41
  • It seems this is a close I'll get - thanks for that. A really good note on shared objects as well. – Marty May 01 '11 at 22:29