Forum Moderators: coopster
We want to make this as secure as possible so people can't post their own manually.
The best idea we've come up with is to MD5 the score with a predefined SALT which is hardcoded in the SWF. The score and the result hash is then posted to the API. The API MD5's the score with the same SALT the SWF has and if it matches the passed result hash, the score is confirmed to have come from the SWF and is accepted.
The only security hole we can see is if someone decompiles the SWF, gets the code, and finds this SALT and how it is used. The % of users who would do this are slim to none though, so it's a margin we are willing to accept.
My question is, do any of you have experience in this area and how do you approach what we're trying to do?
Thanks in advance.
You have chosen a value that the majority of your users won't know. You may run into an issue if you were offering a cash prize, as the number of people decompiling would increase.
You could make this more complex but there would be no advantage because it could be gained equally from decompiling.
The only other thing you could look at is having the server have more control: maybe a request before sending the scores? Some piece of data that the server knows but the client doesn't?
I am not sure what that might be but those are the avenues to look at if you feel you need more security.
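To make both sides of this thread concrete, here is an added worked example (not code from either poster, and not from any real game API). The first part implements the MD5(score + SALT) check exactly as the original question describes it and shows that anyone who has pulled SALT out of the decompiled SWF can produce an accepted hash for any score. The second part implements the reply's suggestion of giving the server more control: the client asks for a random per-game token before playing, and the server keeps state the client never sees (when the token was issued, whether it was already used) and uses it to enforce single use, an expiry window, and a plausibility ceiling on points per second of play. The SALT string, the ScoreServer class, its thresholds and the 100-points-per-second ceiling are all assumptions made up for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# ---------------------------------------------------------------------------
# Part 1: the scheme proposed in the question, MD5(score + SALT).
# SALT is a made-up value for this example; in the real design it would be
# hardcoded in the SWF, which is exactly why it is recoverable by decompiling.
# ---------------------------------------------------------------------------
SALT = "example-salt-hardcoded-in-swf"  # assumption, not a real value


def client_sign_score(score: int, salt: str = SALT) -> str:
    """What the SWF would do: hash the score with the shared salt."""
    return hashlib.md5(f"{score}{salt}".encode()).hexdigest()


def api_accept_md5(score: int, posted_hash: str, salt: str = SALT) -> bool:
    """What the API would do: recompute the hash and compare.
    Note this proves only that the sender knows SALT, not that the score
    came from a real game."""
    expected = hashlib.md5(f"{score}{salt}".encode()).hexdigest()
    return hmac.compare_digest(expected, posted_hash)


def forge_submission(leaked_salt: str, wanted_score: int) -> Tuple[int, str]:
    """A user who decompiled the SWF runs the same code the SWF runs."""
    return wanted_score, client_sign_score(wanted_score, leaked_salt)


# ---------------------------------------------------------------------------
# Part 2: the reply's suggestion, server-side state the client does not hold.
# The client must request a token before playing; the server records when it
# was issued and whether it has been spent. Thresholds are assumptions.
# ---------------------------------------------------------------------------
class ScoreServer:
    def __init__(
        self,
        min_game_seconds: float = 30.0,     # a real game cannot finish faster
        max_game_seconds: float = 3600.0,   # token expires after this
        max_points_per_second: float = 100.0,  # plausibility ceiling (assumed)
    ) -> None:
        # token -> [issued_at, used]
        self._games: Dict[str, List] = {}
        self.min_game_seconds = min_game_seconds
        self.max_game_seconds = max_game_seconds
        self.max_points_per_second = max_points_per_second

    def start_game(self, now: Optional[float] = None) -> str:
        """Client calls this before playing; server remembers the token."""
        token = secrets.token_hex(16)  # unpredictable, unique per game
        self._games[token] = [time.time() if now is None else now, False]
        return token

    def submit_score(self, token: str, score: int,
                     now: Optional[float] = None) -> Tuple[bool, str]:
        """Accept a score only for a known, unused, unexpired token whose
        elapsed play time makes the score plausible."""
        now = time.time() if now is None else now
        entry = self._games.get(token)
        if entry is None:
            return False, "unknown token"
        issued_at, used = entry
        if used:
            return False, "token already used"
        elapsed = now - issued_at
        if elapsed < self.min_game_seconds:
            return False, "submitted too fast"
        if elapsed > self.max_game_seconds:
            return False, "token expired"
        if score > elapsed * self.max_points_per_second:
            return False, "score implausible for elapsed time"
        entry[1] = True  # burn the token so it cannot be replayed
        return True, "accepted"


if __name__ == "__main__":
    # Legitimate submission passes, and so does a forged one once SALT leaks.
    print(api_accept_md5(1500, client_sign_score(1500)))
    print(api_accept_md5(*forge_submission(SALT, 999_999)))
    # Server-held state limits what a forger can do with a token.
    srv = ScoreServer()
    tok = srv.start_game(now=1000.0)
    print(srv.submit_score(tok, 999_999, now=1100.0))
    print(srv.submit_score(tok, 5000, now=1100.0))
    print(srv.submit_score(tok, 5000, now=1101.0))
```

The second scheme does not make a forged score impossible: a user who has worked out the protocol can still request a token, wait a plausible amount of time, and post a score within the ceiling. What it does is turn "any score, any time" into "one bounded score per issued game", which is the practical gain of keeping the deciding data on the server rather than in the SWF.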