0

I want to build a quiz-like app.

In the browser, a sound is played and the user has to guess what pitch it is. If the answer is correct, the user's score is updated. The pitch is represented by a randomly generated integer. There will be a high-score table.

My question is:

Is it possible to do this fully securely (not allowing the user to detect the sound pitch from the browser developer tools or update the score by sending his own POST requests)?

What comes to my mind:

  1. If the sound pitch is generated server side, I will have to send it through the browser, and then the user can find the sound pitch, e.g. in the Network section in Chrome.
  2. If the sound pitch is generated client side (in clojure), I would compare the answer to the generated sound pitch, and then send a score-updating POST request to the server. The user can easily emulate that kind of request on his own.
Krzysztof Grzybek

2 Answers

1

Nope, it's not safe. All your files will be on the user's computer, sound files and JavaScript code included.

This means, a user can look into the source code to take the answers.

If you want to secure it, you should look into server side solutions.

RFLdev
0

You can send the sound pitch from the server in encrypted form. When the user answers the pitch, decrypt the pitch on the server side and match the answer. You can also add different checks on the server side which identify if the user tries to do something forbidden.

wiz6
  • I also thought about this solution, but here comes another problem - I have to play this sound on the client side. So I have to pass the sound pitch to a function like this: `MIDI.noteOn(channel, soundPitch, velocity, delay);` – Krzysztof Grzybek Dec 20 '15 at 12:25
  • What do you mean? You don't have to hold soundPitch as plain text. Pass the function argument somehow as encrypted. – wiz6 Dec 20 '15 at 13:26
  • The question is 'how?' :) From what I understand, if data is encrypted, I have to encrypt that to get the data - I just have to know the pitch because I want to play this sound; an encrypted string doesn't tell me anything. Am I right, or am I missing something? – Krzysztof Grzybek Dec 20 '15 at 13:34
  • IMO, you don't even need encryption. The logic should be something like this (AJAX-based or not): 1. server: send random pitch to user 2. user: send answer to server 3. server: if matched, increase total and send to user, and so on. The user can't answer based on the pitch name. I don't see the problem. Your quiz is secure as long as the checking is on the server side. – wiz6 Dec 20 '15 at 18:41
  • But if the user sees (in the debugger) the pitch name sent from the server to the browser, he will be able to figure out what pitch it is without even hearing a note. It will not be so easy, but still. I'm looking for a bulletproof solution. – Krzysztof Grzybek Dec 20 '15 at 20:58
  • How can the user tell the real pitch name from the filename? :) – wiz6 Dec 20 '15 at 21:52
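
The server-checked flow from the comments above (server picks the pitch, client sends a guess, server compares and keeps the score), as an added example that is not code from any of the posts. `QuizServer`, its method names, the `/audio/<id>` URL and the pitch range are hypothetical, and it assumes the server renders the note to audio instead of handing a pitch number to `MIDI.noteOn` in the browser.

```javascript
// Added example: in-memory sketch of server-side quiz state. All names are hypothetical.
const { randomBytes, randomInt } = require('node:crypto');

const PITCH_MIN = 48; // assumed MIDI note range for the quiz
const PITCH_MAX = 72;

class QuizServer {
  constructor() {
    this.challenges = new Map(); // challengeId -> { user, pitch }, never sent to clients
    this.scores = new Map();     // user -> score, only changed in submitAnswer()
  }

  // "Next question" request: the response carries an opaque id, not the pitch.
  newChallenge(user) {
    const challengeId = randomBytes(16).toString('hex');
    const pitch = randomInt(PITCH_MIN, PITCH_MAX + 1);
    this.challenges.set(challengeId, { user, pitch });
    return { challengeId, audioUrl: `/audio/${challengeId}` };
  }

  // Used by the (assumed) audio route to render the note on the server.
  pitchForAudio(challengeId) {
    const ch = this.challenges.get(challengeId);
    return ch ? ch.pitch : null;
  }

  // "Answer" request: the only code path that can raise a score.
  submitAnswer(user, challengeId, guess) {
    const ch = this.challenges.get(challengeId);
    if (!ch || ch.user !== user) {
      return { ok: false, error: 'unknown challenge', score: this.score(user) };
    }
    this.challenges.delete(challengeId); // single use: no retries, no replays
    const correct = Number.isInteger(guess) && guess === ch.pitch;
    if (correct) this.scores.set(user, this.score(user) + 1);
    return { ok: true, correct, score: this.score(user) };
  }

  score(user) {
    return this.scores.get(user) || 0;
  }
}
```

Anyone who can hear the note can also measure it, so this keeps the answer out of the network traffic and forged requests out of the score table; it does not hide the pitch of the audio itself.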