I have a Flash-based game that has a high score system implemented with a SOAP service. There are prizes involved and I want to prevent someone from using Firebug or similar to discover the web service path and submit fake scores.

I considered using some kind of encryption on the data but am aware that someone could decompile the swf and work out how I did it.

I also considered using an IP whitelist but since the incoming data will come from the user's IP and not the server's, that won't work. (I'm sure I'm missing something obvious here...)

I know that there is a tried and tested solution for this, but I don't seem to be asking Google the right questions to get to it.

Any help and suggestions will be appreciated, thank you.

+4  A: 

What you want to achieve is impossible. You can only make it harder for people to do. The best you can do is to use encryption and encrypt the SWF itself, which usually causes higher file size and poorer performance.

The safest method is to evaluate or even run the whole game on the server. You can try to determine whether what the client sends you is possible at all. Rather than making sure people use your client, you're making sure people play the game according to your rules.

greetz
back2dos

back2dos
+1  A: 

All security is based on making things hard. It never makes things impossible. How about having your game register with a separate service when it starts up? It could use client information to build some kind of special code that would be unique for each iteration of the game. The game could morph the code in a way that would be hard to emulate. Then when the game is over the score gets submitted with the morphed code and validated on the server side.

souLTower
Why emulate? Figure out what data is sent and use Tamper Data / Firebug to modify it, unless you want to encrypt the transmission with a new encryptor generated for every session.
back2dos
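
An added example, not code from either answer: a server-side sketch that combines the first answer's "is this score possible at all" check with the second answer's per-session code. The names `start_session`, `submit_score`, `SERVER_KEY` and the two limits are hypothetical, and the scoring rate is an assumed game rule.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never shipped in the SWF
MAX_POINTS_PER_SECOND = 50            # assumed game rule: fastest legitimate scoring rate
MAX_SESSION_SECONDS = 3600            # assumed: older sessions are rejected
_used_sessions = set()                # one submission per session (a database in production)


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def start_session(now=None):
    """Called when the game starts; returns an opaque token the client sends back later."""
    now = int(time.time() if now is None else now)
    payload = f"{secrets.token_hex(16)}.{now}"
    return f"{payload}.{_sign(payload)}"


def submit_score(token, score, now=None):
    """Returns (accepted, reason). Every check runs on the server."""
    now = int(time.time() if now is None else now)
    try:
        session_id, started, tag = token.split(".")
        started = int(started)
    except ValueError:
        return False, "malformed token"
    expected = _sign(f"{session_id}.{started}")
    # The start time is covered by the MAC, so the client cannot backdate its session.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False, "bad token"
    if session_id in _used_sessions:
        return False, "session already used"
    elapsed = now - started
    if elapsed <= 0 or elapsed > MAX_SESSION_SECONDS:
        return False, "session expired"
    # Plausibility: the score must be reachable in the time actually played.
    if not isinstance(score, int) or not 0 <= score <= elapsed * MAX_POINTS_PER_SECOND:
        return False, "implausible score"
    _used_sessions.add(session_id)
    return True, "ok"
```

This only bounds what a forged submission can claim; as the first answer says, evaluating the game itself on the server is the stronger control.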