Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
iOS High Scores
- Thread starter glmonte
- Start date
- Sort by reaction score
I've implemented it by just posting a URL, but I've put an extra parameter on the url and on the submition ensure that parameter exists.. I've also put the submition page so its not linked from anywhere on my site.. its probably easy enough to hack using a network sniffer, but so far I've not had that problem. If anyone has a better solution I'd also be happy to hear it 
I strongly suggest hashing (using CRC, SHA, MD5, etc.) the URL and some shared secret (like a phrase, or a number), then checking the hash on your web server before accepting the high score.
For example, if your high score submission URL is:
http://myserver.com/game/highscore/submit?score=234598&username=Bob
You might hash the string "score=234598&username=Bob+MYSECRET" to get 994fe75b299277b7d451bea3a94dfc4a (this is an MD5 hash).
Then, the full URL to post to your webserver is:
http://myserver.com/game/highscore/...ame=Bob&hash=994fe75b299277b7d451bea3a94dfc4a
On your web server, strip off the hash code, do the MD5 hash again and check that it matches. If it doesn't, then ignore the request.
Without a simple check like this your high score submission mechanism can EASILY be abused. It is more difficult for someone to generate a valid URL without knowing your shared secret and your exact hashing mechanism. Note that if the shared secret is a string, it could be found quite easily in your binaries, so try make it not look like something obvious (like MYSECRET) - or better still, generate it from something constant that is perfectly recreatable on the web server. There are many possibilities here.
For example, if your high score submission URL is:
http://myserver.com/game/highscore/submit?score=234598&username=Bob
You might hash the string "score=234598&username=Bob+MYSECRET" to get 994fe75b299277b7d451bea3a94dfc4a (this is an MD5 hash).
Then, the full URL to post to your webserver is:
http://myserver.com/game/highscore/...ame=Bob&hash=994fe75b299277b7d451bea3a94dfc4a
On your web server, strip off the hash code, do the MD5 hash again and check that it matches. If it doesn't, then ignore the request.
Without a simple check like this your high score submission mechanism can EASILY be abused. It is more difficult for someone to generate a valid URL without knowing your shared secret and your exact hashing mechanism. Note that if the shared secret is a string, it could be found quite easily in your binaries, so try make it not look like something obvious (like MYSECRET) - or better still, generate it from something constant that is perfectly recreatable on the web server. There are many possibilities here.
I almost second mpatric's post (it's missing one piece). This is similar to the way I do high scores. It has 3 weaknesses: cracking the encryption itself (very hard), disassemblying the program from a jailbroken iphone and extracting the hash secret (very hard), and somebody resubmitting the same high score thus filling up the top 10 with the same name and score (very easy).
To fix the 3rd issue, submit a timestamp (with the timestamp included in the hash). If you see 2 of the same timestamp, drop the second request.
send hashedString along with the rest of the query.
And, on the server side, you must verify the hash (for example, in php):
To fix the 3rd issue, submit a timestamp (with the timestamp included in the hash). If you see 2 of the same timestamp, drop the second request.
Code:
#import <CommonCrypto/CommonDigest.h>
...
NSString *secretCookie = @"lksab8xd7FdjdsD3"; // CHANGE ME!!
NSTimeInterval timeInterval = [[NSDate date] timeIntervalSince1970];
long timestamp = (long)(timeInterval * 1000);
int hashSize = 20;
unsigned char hashedChars[hashSize];
NSString *strToHash = [NSString stringWithFormat:@"%@%@%d%d", username, secretCookie, score, timestamp];
CC_SHA1([strToHash UTF8String],
[strToHash lengthOfBytesUsingEncoding:NSUTF8StringEncoding], hashedChars);
NSMutableString *hashedString = [[[NSMutableString alloc] init] autorelease];
for (int i=0; i<hashSize; i++) {
[hashedString appendFormat:@"%02x", hashedChars[i]];
}send hashedString along with the rest of the query.
And, on the server side, you must verify the hash (for example, in php):
Code:
$secretCookie = "lksab8xd7FdjdsD3"; // Same as above
$hash1 = sha1($username.$secretCookie.$score.$timestamp);
if ($hash != $hash1) {
die("Hashes do not match!");
}
If you don't mind using someone elses server and being listed on their site as using it cocoslive is pretty damn good
This is a very good post, thanks for this! I was in a hurry to get my app out the door and was just doing a simple POST to a URL on my server for the high scores. Now I'll implement these ideas in my next update.
Thanks!
Thanks!