4

I have created this web app and I created have this API. For the sake of this example, let's keep it simple:

My app needs to know how many "credits" the user has. The api has a call get_credits that returns { credits: 1000 }

Now, how do I prevent somebody to use a hostfile (or some other method) to create his own api that returns { credits: 2000 }.

I was thinking of inserting a hash of some sort, but because it is javascript, the hash is easily extracted from the source. Same goes for a handshake I guess.

So, how do I make the api secure enough?

nizzle
  • 1,036
  • 2
  • 10
  • 23
  • 1
    The web app is controlled by you? Or the API? Or both? How can a user influence what API your web app is using? –  Oct 25 '11 at 13:24
  • Thanks guys, I know I cannot trust the app or the user, but I was hoping there was some way that I hadn't yet thought of. I appreciate all reactions. It is a game, where the amount of credits determines the available content, so I have to trust the app to determine credit authenticity. I'll try to use some obfuscation and some hasing to at least make it as difficult as possible :) Thanks! – nizzle Oct 25 '11 at 13:36

3 Answers3

3

You'll have to do it a different way, to have a really secure App. You should never trust the App, by the enduser, because perhaps the user or hacker could modify the code.

So I recommend to keep all the purchases etc. on the server. Because I don't now much about your system I can't help you very much.

It would be good, if for every item a hash is generated by the server, this hash could allow the user to display to other users, that he really purchased the item.

Please note that this hash must be long strong and unique, because otherwise users could brutforce them.

I hope you understand my and my answer can help you ;-)

evotopid
  • 5,288
  • 2
  • 26
  • 41
0

If it's client side there is not much you can do - make a best effort. BUT you must ensure that on the post back you validate the reply. Never trust users :-)

Ross Dargan
  • 5,876
  • 4
  • 40
  • 53
0

i'm now going to tell you how my system work. to get the credits during the game, i make an ajax request to load them. The ajax request call a simple php page where there is an "echo $credits;". So, it's impossible to hack. if someone modify the client-side credits, when they request a gift i check with php the server-side credits to be sure them are legitim :P - Please consider to check if you sistem is vulnerable to mysql injection attacks, to prevent someone will hack you credits system :D

Matteo Mosconi
  • 244
  • 5
  • 19