actionscript 3 - Security: Achievement and score API in AS3 -

-

over years i've become uber-nerd when comes flash game development. i'm thinking looking using skills helping other game-developers out there.

i want develop api in as3 allow developer (as start) following:

  1. display dialogue lets user log "account" (hosted on site).
  2. send score/value website , attribute logged in user.
  3. unlock achievement (achievements set developer in web interface - key of type use api.
  4. display high scores, other players profiles in-game, etc (show stats in-game).

all easy enough develop straight off bat. however; becomes frustrating security. i'm not expecting indestructible solution i'm aware isn't possible, most defensive way approach this?

here issues can think on spot:

  1. the big 1 - people stealing api key via man-in-the-middle attack.
  2. highscore injection, false achievement unlocks.
  3. decompiling swf , stealing api key.
  4. using api key create dummy flash application , send random data highscores.
  5. altering api don't need logged in, etc.

one thought i've had converting api component there's no access code (unless decompile). problem here it's not friendly developers, though allow me create own graphics ui (rather coding many, many sprites).

private/public keys won't work unless there protection against decompiling.

i'm beginning wonder if idea dead end.

any advice on securing (or parts of it) great.

  1. against man-in-the-middle https seems option. may have vulnerabilities, it's way better home-made solution. problem you'll need actual certificate authorized center, because activex-based flash plugin not trust self-signed certificate.
  2. should not possible without decompilation
  3. secureswf reasonably high settings (code execution path obfuscation , encrypted strings) should beat decompilers. sure, swf can examined hex editor, require very determined hacker.
  4. should not possible without decompilation
  5. api should on server , api function require user context (loaded https)

also add encryption flash shared objects\cookies. had altered savegames using simple hex editor, because objects in amf format. encryption depend on swf decompilation, since using secureswf... or move savegames on server.


Comments

Post a Comment

Popular posts from this blog

objective c - Change font of selected text in UITextView -

-
can suggest me how change font of selected text in uitextview.i cannot use uiwebview since have edit text. have seen pages app.how possible in app. see formatting text within uilabel differently . since need editing, should @ javascript-based editors such ckeditor or tinymce . highly recommend wwdc 2011 video session 511: "rich text editing in safari on ios."
Read more

php - Accessing POST data in Facebook cavas app -

-
so i've got simple form in canvas / iframe facebook app, , i'm trying pass along values post. reading on s.o. , fb's latest docs, understand it, data send via post form can accessed on receiving end $_request object. i read on thread on s.o. in order post forms work need pass along input named "signed_request" value current signed_request (i have signed request working ok otherwise...all login , authentication stuff working fine). isnt mentioned anywhere in official fb docs. so problem comes in $_request object signed request, , bunch of other session stuff. form inputs found. the way can read them set method of form "request" isn't real form method. takes of inputs , sends them args in url. horrible. here's sample page canvas app form i'm using try debug (leaving out authentication stuff): <form enctype="application/x-www-form-urlencoded" method="post" target="_top" id="my_form" action=...
Read more

c# - Getting control value when switching a view as part of a multiview -

-
i have following code in aspx page: <asp:button id="display_button" runat="server" text="display" onclick="button1_click" /> &nbsp; <asp:button id="edit_button" runat="server" text="edit" onclick="button2_click" /> &nbsp; <asp:button id="save_button" runat="server" text="save" onclick="button3_click" visible="false" /> &nbsp; <asp:multiview id="multiview1" runat="server" activeviewindex="0"> <asp:view id="view1" runat="server"> <asp:formview id="view_program" runat="server"> <itemtemplate> <%# eval("status").tostring().trim() %> </itemtemplate> </asp:formview> </asp:view> <asp:view id="view2" runat="server"> ...
Read more