1

--LONG VERSION--

I made a super basic REST API to handle user account management (account creation, checking login credentials, etc.) that I will call from a Unity3D game, for which I plan to support mobile (mainly android).

Players would upload drawings that they'd make with a drawing tool that exists inside of the Unity game. I made that tool for the sole purpose of preventing the possibility of someone either uploading a screenshot of a drawing that they didn't draw themselves, or someone uploading a selfie or a pornographic photo (for which I cannot allow the possibility to happen, since my game is primarily targeted to children), and those drawings can be publicly viewed by other players.

--SHORT VERSION--

To store an uploaded drawing I would use a simple $_GET['base64'], but in order to prevent disallowed images from coming in, how can I assure that the request is coming from an official android build and not, say, some cURL or a reverse-engineered Unity project?

That's the whole question.

In the case of a WebGL build I could just block any web request that is not coming from the domain that the WebGL build is in, but in the case of the android build however, as far as I know the server can't really tell a request sent by an official android build from some request sent by a cURL. And I'm pretty sure that someone, with a bit of effort, can figure out how my REST API works. I have no idea of how to effectively secure it.

I'd like some suggestions, and if you think that my current approach is terrible (and it probably is) tell me how to improve on it or what to replace it with.

BackendNoob
  • 13
  • 3
  • [Best practices for REST API security: Authentication and authorization](https://stackoverflow.blog/2021/10/06/best-practices-for-authentication-and-authorization-for-rest-apis/) Think question is too broad, basic authentication strategies. Maybe you can get more reading suggestions and ask again later on some specific blocker. – ficuscr Feb 22 '22 at 22:38
  • Even in the webgl build, [a browser or other client could have spoofed headers](https://stackoverflow.com/q/21058183/1092820). Don't rely on this. – Ruzihm Feb 22 '22 at 22:48
  • The only way you can ensure that no explicit/inappropriate contents gets published would be to moderate it yourself and not publish anything by default. Even if it's a drawing though your app, you won't know what the motive is. – M. Eriksson Feb 22 '22 at 22:57
  • Did you find an answer to this question? – Ruzihm Mar 02 '22 at 22:24

1 Answers1

0

If you are serious about preventing unauthorized clients from sending images to your server the easiest way is to forget about dealing with images entirely.

Instead, I would have the clients and servers work with input data.

  1. Have the client record the inputs the user makes to create their drawing (or, if that is too much, something that approximates the outcome of their inputs, such as sequences of line segments, colors, stroke widths, sticker ids, whatever your drawing system uses). As they draw the image, replace what they just drew with your system's representation of it so they can be certain of its appearance before sending.

  2. Send, receive, and store the input data as needed

  3. When the appearance of the drawing is needed, play back the recording to reproduce the drawing.

This is essentially how Jackbox does their drawing games, for instance.

Using this method, someone could try to reproduce a vague depiction of a selfie or pornography with your API of input data BUT if you do things like limit the size of the data, limit the fidelity of the colors, limit the resolution of the start and end of the line segments, etc, the capacity for these things to be reproduced is further and further reduced until it becomes unfeasible.

Ruzihm
  • 19,749
  • 5
  • 36
  • 48