JSON Highscore Tampering

Was wondering if anybody knew of a way to prevent users from tampering with highscores if a local JSON file was used to store the data.

I saw a post on coronageek (http://coronageek.com/1250/number-tap/) about an app that used a JSON file which would reset itself if values were changed outside of the app, and was wondering if anybody knew how to accomplish this. 

You could look at doing like an MD5 hash of your json data and storing that hash somewhere and when you read the json data back in, if its MD5 hash doesn’t match what’s stored, then it’s been tampered with. But then if I’m going to the trouble to hack your app to change the scores, I’d probably see the MD5 hash and regenerate it too.

To beat this you would need to add some “Salt” (I think that’s the right term) where your MD5 hash of the file isn’t purely that file, but your file + some other data that a hacker wouldn’t know about. So if they just generated a straight MD5 hash of the file, they wouldn’t know what salt value you used and the MD5s wouldn’t match afterwards.
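
One way to implement the secret-plus-hash check described above, as an added example that is not part of the original thread. It swaps MD5 over "file + salt" for HMAC-SHA256 from Corona's built-in `crypto` library, the standard construction for mixing a secret into a hash. The key value, file name and function names are placeholders chosen for illustration.

```lua
-- Added example: keyed-hash (HMAC) tamper check for a local highscore file.
local crypto = require("crypto")
local json = require("json")

-- Assumption: placeholder key; generate your own random value.
local SECRET_KEY = "replace-with-your-own-random-key"
local FILE_NAME = "highscores.json" -- hypothetical file name

-- Keyed hash of the payload; cannot be regenerated without SECRET_KEY.
local function sign(payload)
    return crypto.hmac(crypto.sha256, payload, SECRET_KEY)
end

local function saveScores(scores)
    local payload = json.encode(scores)
    -- Store the exact string that was signed, so re-encoding on load
    -- cannot change the bytes being verified.
    local wrapper = json.encode({ payload = payload, mac = sign(payload) })
    local path = system.pathForFile(FILE_NAME, system.DocumentsDirectory)
    local file = io.open(path, "w")
    if not file then return false end
    file:write(wrapper)
    file:close()
    return true
end

local function loadScores()
    local path = system.pathForFile(FILE_NAME, system.DocumentsDirectory)
    local file = path and io.open(path, "r")
    if not file then return {} end -- first run: no file yet
    local contents = file:read("*a")
    file:close()
    local wrapper = json.decode(contents)
    if type(wrapper) ~= "table" or type(wrapper.payload) ~= "string"
        or type(wrapper.mac) ~= "string" then
        return {}, "malformed" -- not the structure we wrote: reset
    end
    if sign(wrapper.payload) ~= wrapper.mac then
        return {}, "tampered" -- edited outside the app: reset
    end
    return json.decode(wrapper.payload) or {}
end

-- Constructed sample data.
saveScores({ { name = "AAA", score = 1200 } })
local scores, err = loadScores()
print(err or ("loaded " .. #scores .. " score(s)"))
```

The key ships inside the app, so this stops hand-editing of the file but not someone who extracts the key from the build; scores that must be trusted need to be validated on a server.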

I use a pseudo encryption lib I created to make the data unreadable.  I also use a hash to verify tampering.

You could probably encrypt it using the OpenSSL plugin.

I’m using OpenSSL, check http://www.coronalabs.com/blog/2013/06/11/tutorial-using-the-openssl-plugin/

Thanks for the responses everyone, I’ll have to look into these further when I get the chance, but I appreciate your help! 

Made an attempt at using OpenSSL, I’ve got it working in the simulator correctly but when I attempt to create a build I get an error: “You are not currently subscribed to the following plugins com.coronalabs:plugin.openssl.”

I’ve attempted to make a build with the OpenSSL sample code as well, and I’m getting the same error so I don’t think it’s my code.

Anybody else experiencing this same issue?  

The OpenSSL is for Pro and Enterprise level subscribers only.

Rob
