A bit of background info:
I am building a geolocation based game for Android
The server-side is coded in php
Certain in-game actions requires the client application to send the current latitude and longitude to the server
Is there any way to prevent the user from tampering with the location data being sent to the server?
Please let me know if you need more information
Thank you,
EDIT: I understand there will be workaround to any security measure I implement, but how can I make it harder for users to modify the data being communicated to the server
The short answer is no. They will always be able to fiddle their device or application to send you what they want, because they control it.
Well, to some extent. You could consider using public key cryptography to make sure the message sent from your app has not been modified in between. That will prevent people from using a simple proxy to capture the data you're sending. The easiest way to do this is by using SSL.
What JVerstry means is that you would always be able to modify the app or control whatever the device is telling your app about the location. And no, there is no way of getting around that.
Related
Recently my game has been hacked and one user submitted an impossible score to the server. The score was submitted with a verified checksum, and correct data.
I'm convinced that the user must have reverse engineered my APK file to find the POST request.
Now I wonder what would be a good way to prevent this from happening again and I thought about verifying the SHA1 signature of the app. Maybe this way I can make sure that the app is signed by me, and is not a reverse engineered and changed version of the app.
Would this be possible? Or would there be a better solution to solve this?
I am using LibGDX by the way.
First of all, you really have to obfuscate your code. You can find more information about ProGuard and code obfuscation here.
Second of all, you can use GoogleAuthUtil available in Google Play Services, which is available for devices running Android 2.2 or higher.
GoogleAuthUtil does exactly what you need:
Your client server calls go to Google via a HTTPS request, Google checks whether or not the call is made by an app signed with your release certificate, and then it sends the request to your server.
You can find official tutorials about how to implement this here and official documentation here.
Cheers!
1) Use code obfuscation for ex. Proguard. This kind of tools available not only for Java.
But be careful with that - obfuscated code may work slowly or contain additional bugs.
2) Add App Licencing check (this will check app signature with Google Play):
Watch this video with attention:
https://www.youtube.com/watch?v=TnSNCXR9fbY
As I remember he mention technics used at runtime to verify your app not hacked or modified (zip check, etc).
3) Make sure your app/server use secure connection (SSL/TLS) only with MODERN cipher suites. This will mitigate downgrade attacks.
You can use this generator to build config with MODERN cipher suites for your server:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Also you can use certificate pining on client side - this will mitigate authority attack.
Do not use plain HTTP connection.
4) Use some kind of request signing (like Amazon AWS does)
You can get core idea from their docs.
http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
Also this article should be helpful.
5) Prohibit usage of your app on ROOT'ed devices by adding run time check. Because of on rooted phone it's easier to hack or analyze your app.
6) You can decrease fraud by adding some ban system to your online game - if somebody hack your app and send wrong data to your server => add this user to ban list on server side (by IP or by user ID, etc). Probably add users to this list temporary (ex 24 hr, 7 days)
7) + if you are using Json/XML as data formats for network layer try to use binary format like Protocol Buffers. Binary serialization formats more efficient and hard to reverse engineer.
If you want to verify the signature of your app without the possibility that this is cracked too, you would have to upload the whole apk and make the check on a server. This is not a practicable solution.
The only secure android app is a pure terminal app, which means you'd have to do all computing on a server. Most of the time this won't be possible because of latency.
That's why we Android developers have to live with this: an app is not 100% secure.
But you can get close to it.
You might want to read Security with HTTPS and SSL guide for securing your communication.
Also you'll want to ensure your client is hard to crack: android app piracy prevention and Combating Android App Piracy: Xposed
In your case you'll also want to implement server-side request validation:
If you have a game with a server side, users probably have an account. If a user sends a clearly impossible score, automatically disregard the request and ban the user (and his ip). (But also have in mind that this should never happen to a valid request, otherwise users might get angry and stop playing.)
You can obfuscate your code better and use some very obfuscated secret to sign your requests. With that you can increase security.
But if all your game run in client it can't be completely secure. Because it doesn't matter what you use to sign, if you do it in client it means you have the secret or private key in client and then it can be hacked.
To make it more secure you need to involve some game logic in server and then control in that logic that the user isn't cheating.
Verifying the integrity of your app won't be enough, since the request can be easily faked outside the app or modified in memory on the fly, using a rooted android environment. Even more, you cannot totally avoid it.
This is a problem shared by all applications running in a machine out of your control (all client applications). You can't never trust the data coming from them.
As I can see it, you have several choices:
Obfuscate the code and make the app more difficult to be reverse-engineered. Notice that this do not solve the problem, but minimizes it.
Move processing to the server. The more game-play is controlled by the server, the less vulnerable you app would be to this malicious behavior.
Automatically detect impossible scores and close their accounts
Cheers,
I am going to develop uber-like application.Here I have to send latitude and longitude to web and mobile devices continuously with my service,What I have do to get this.
Can anyone please give some idea.
You should start by designing how the application is to be used, seen from all the different users perspectives.
For instance is this a web app, or a native app, or both?
Then from that knowledge, you need to define a communication protocol.
You should be able to determine if the client will be polling for data, or if you need to push it from the server onto the clients.
This also goes for the data that travels the other way.
From here you choose a language for programming, and then start doing some proof of concept tests.
The choice will depend on the chosen underlying technologies
(web / native / os / available libraries)
After some test work you may have something that works, then you need to review or add security to the communication, cause we do not want everyone collecting location data from everyone that has the app installed.
Then run beta trials and eliminate the worst bugs, and then release the app.
You'll want some sort of asynchronous task which can get new data from your server and refresh the mobile and web content to reflect the content of the server. You'll also want to notify the server whenever you make local changes to content and want to reflect those changes. Android provides the SyncAdapter pattern as a way to easily solve this pattern. You'll need to register user accounts, and then Android will perform lots of magic for you, and allow you to automatically sync. Here's a good tutorial: http://www.c99.org/2010/01/23/writing-an-android-sync-provider-part-1/
I would like to connect a Java application to the Nest-Cloud via the Firebase-Api. The application is as simple as reading the setpoint of a nest thermostat.
I spent a lot of time on developer.nest.com and firebase.com to find the required information, but failed.
What is actually the base url, where the firebase is located? seems not to be home.nest.com
How can I authenticate without user interaction? I tried FirebaseSimpleLogin, but the implementation depens on Android, which is not my platform.
Thanks for your help.
For 1) I don't know for sure, but have you tried https://api.home.nest.com and https://developer-api.nest.com?
2) The user has to authenticate and allow the client you're developing at least once. You'll need to get an authorization code, which you get from the client page on the Nest developer site. The code is six characters I think, and you'll have to include that in your code or assign to a variable and call it.
Take a look at another entry I made. If nothing else, it might help you get a little farther down your rabbit trail.
Now, I have some problems here:
I looked several times in Google and so on, but I can't find an "easy" way to get this done. And currently having a migraine... not helping me... though
I have a java eclipse program (Swing application to be a "controller" for production-machines).
I need to design an Android app, which needs to take data from the eclipse program in a wireless network (and also send them back).
Just found solutions like JPARSON or setting up a real server, but that is way too complicated... i donĀ“t need?! (or want :D ) to set up a whole website with php or something...
Can someone of you help me out with a better solution? It doesn't need to be code-specific, I just want to exchange like 10 strings for these machines.
If you want to exchange data you need a communication medium. The easiest way to do this is via TCP/IP protocol suite. If you decide on having a Server-Client architecture, your serwer has to listen for what phones have to say. He can do this by listening on specified port and you would have to handle "protocol", or you can use somewhat easier approach which is to write php script, or Java Servlet. PHP script is easier becaouse there is like a gazzilion php hosting providers and it's cheap. If you would like to write your own serwer, you wold need some sort of Virtual Private Server, and deploy your app there. Plus it would be helpfull if you explained a little more your environment and what you are trying to achive.
There's built in httpserver http://docs.oracle.com/javase/6/docs/jre/api/net/httpserver/spec/index.html so you can easily implement a simple webservice in standalone java. Then just use URLConnection from android to post/get data, probably in json or your own format.
I'm working on an app that requires users to register in order to use the features.
I need to ensure that users are who they say they are so I want to use some type of verification process, e.g. email or text verification.
The best solution would be to receive a text or email after registration with a code. This code can then be entered into the application to verify the login.
I know of GMailSender but that is as far as my knowledge would go for this type of situation.
I have no idea where to start with this and have researched a lot.
Any help would be great
Thanks :)
Manually entering a code received by email would be annoying for users and they are highly likely to abandon a process that forces this upon them. Also from experience, emails are so often caught in spam traps and not received.
You should make it as easy and non intrusive as possible.
e.g
Use the device's built in Google account to register with your server (after obtaining user permission of course).
On the server side perform the registration and return a code to the app.
Use the code returned by the server directly in the app to enable whatever features you see fit.
The above example would be a one click process and would require no manual code entry.