
My friend proved it to me by taking the WP7 papertoss games and getting the .xap from it and then posting his own high scores.

Is there any foolproof way to stop this? (I think Xbox Live integration makes hacking the high scores impossible, but that is for special people.)

Den
punkouter
  • oops.. I forgot to mention I was referring to a high score list I save on the server, communicating with it via WCF services... anyone can see the .xap and send the equivalent call to do whatever they want – punkouter May 09 '11 at 15:15
  • So can anyone explain to me why this is not a problem on the iPhone? Is it simply because their client exe packages are not easy to decode? Or something else? – punkouter May 10 '11 at 12:42

3 Answers

It depends first of all how the high-scores are sent. I can only assume that what your friend did was take the XAP and modify some internal file or track the HTTP web requests that are used to send the scores to the centralized locations. I have two recommendations for you.

  1. Encrypt. Don't keep scores in plaintext. There are plenty of strong encryption methods that you can take advantage of that will render the scoreboard useless unless the person who tries to read it has the key.

  2. If you send the scores to a web service, never send it in plaintext (once again). From my own experience I can say that web requests can be easily altered and sniffed. So if I see that the app sends http://yourservice/sendscore?user=Den&score=500, I might as well invoke http://yourservice/sendscore?user=Den&score=99999999. Same applies if you plan on using headers.

Be aware that using the Xbox Live services is only possible if you are a registered Xbox developer, and this is not easy to get.

Den
  • for #1... know of any code samples on doing this? I wish someone somewhere wrote an article discussing securing these. – punkouter May 09 '11 at 15:18
  • @punkouter - This page has some examples of encryption and decryption on WP7 - http://robtiffany.com/windows-phone-7/dont-forget-to-encrypt-your-windows-phone-7-data . – keyboardP May 09 '11 at 15:22
  • I would recommend working with AES (pretty much the same as Rijndael, which, unfortunately, is not available as RijndaelManaged on WP): http://msdn.microsoft.com/en-us/library/system.security.cryptography.aesmanaged%28v=VS.95%29.aspx – Den May 09 '11 at 15:26
  • this, in and of itself, doesn't make any difference if the xap isn't obfuscated enough to make it hard to use reflector (or similar) to figure out how they're making their call. – dethSwatch May 11 '11 at 19:15
  • Theoretically, no method is secure. That being said, you should not rely solely on obfuscation either. – Den May 11 '11 at 19:18
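The tampering Den describes in point 2 (the client's `score=500` rewritten to `score=99999999`) is something the server can detect if the client attaches a keyed authentication tag over the fields it sends and the server recomputes it before accepting the score. The following is an added Python illustration of that check, not code from the question's WP7/WCF project; it assumes a per-user secret issued by the server when the player signs in (not a constant compiled into the .xap, which, as the comments note, can be decompiled) and uses a nonce so a captured request cannot be replayed.

```python
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample: a per-user secret the server issued at sign-in.
# (Assumption: held server-side and in the client's session only.)
USER_KEYS = {"Den": bytes.fromhex("00112233445566778899aabbccddeeff")}


def _tag(key: bytes, user: str, score: int, nonce: str) -> str:
    # The tag covers every field the server relies on, in a fixed order,
    # so changing any of them invalidates it.
    msg = f"{user}|{score}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_request(user: str, score: int, key: bytes) -> str:
    """Client side: the query string the game would send to /sendscore."""
    nonce = secrets.token_hex(8)
    tag = _tag(key, user, score, nonce)
    return urlencode({"user": user, "score": score, "nonce": nonce, "tag": tag})


def accept_score(query: str, seen_nonces: set) -> bool:
    """Server side: accept only if the tag verifies and the nonce is unused."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        user = params["user"]
        score = int(params["score"])
        nonce = params["nonce"]
        tag = params["tag"]
    except (KeyError, ValueError):
        return False  # malformed or missing field
    key = USER_KEYS.get(user)
    if key is None or nonce in seen_nonces:
        return False  # unknown user, or a replayed request
    # Constant-time comparison so the tag is not leaked through timing.
    if not hmac.compare_digest(_tag(key, user, score, nonce), tag):
        return False  # score, user or nonce was altered in transit
    seen_nonces.add(nonce)
    return True
```

Run over HTTPS so the tag and nonce are not exposed on the wire; the tag stops parameter edits, not a client that has already extracted its own key.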

First of all - is a high score list really that critical that you're worried about an edge case (the common person isn't going to have a dev unlocked phone with ability to modify the *.xap file)?

Second of all, no. There's no fool-proof way to protect your high score list if it is being stored locally on the device. The only way to protect the high score list would be to store it in the cloud via a web service or some other mechanism.

Justin Niessner
  • I am using a web service... it seems if you can use the xbox live services it requires some sort of authentication so the high scores are not hackable.. but that is not for the average dev – punkouter May 09 '11 at 15:16
  • @punkouter - If you're using a webservice to post high scores, then it's your fault for not properly protecting your web service (via some form of authentication). – Justin Niessner May 09 '11 at 15:18
It is tricky to have a secure high score system since users can always modify information on the client side. It's impossible to prevent a determined hacker from looking at your code, but you can make it more difficult by obfuscating your code. PreEmptive's Dotfuscator is currently free for Windows Phone 7 developers and also has analytics built in if you want to use it. This will obfuscate your code and make it harder to read. Although it's not foolproof, it's an extra hurdle for hackers to overcome.

The obfuscation would make it harder to find the encryption key you're using to authenticate the high score.

keyboardP
  • ok.. so basically the steps to make the high score list as secure as possible are ONE to encrypt the high score table and TWO to obfuscate the .NET code. right? – punkouter May 09 '11 at 15:18
  • Yup. You'll never achieve 100% security, but raising the bar slightly will put off the less determined hackers. As Dennis says, you should encrypt the information you send with a key that is obfuscated. – keyboardP May 09 '11 at 15:20