I want to integrate a leaderboard into my Android game. However I am undecided about using my own server or using Google's leaderboards. The one thing that will tilt my preference is whether or not the Google system authenticates scores being sent. I don't want someone to get the leaderboard ID (or some other data) and send fake scores to the board. If I make my own system (e.g. in PHP) I can at least set up a method to authenticate scores being sent to the server. E.g. by using a hashing system.
So is there any information about how Google authenticates data being send by apps?
There is no server-side score validation.
Your game can attach some extra metadata with each submission, but you (or a script) need to poll the leaderboard and manually remove bogus entries. See Google Play Game Services Management Tools.
(I've used the extra metadata in a word game attaching an anti-tamper hash as well other information about what the user actually did. I haven't caught any bogus hash-mismatched submissions, but it is a handy way to see what the top-scoring players are actually doing.)
Related
I built an app in the Android studio with kotlin like tic tac toe. I have 2 players I have offline and online. When the user wants to play online, they enter their username and clicks play. I send it to activity Waiting for the opponent and I get in firebase database userName and Uid. How I know who's the users online and they in the activity Waiting for the opponent to chose to a random user to play with each other
You need to access the sessions API from the back-end.
This should keep track of which user has an active session and which doesn't.
For example in Django you would have to make a GET request and query the REST API with the is_active method
You would be using filtering a generics.ListAPIView with a get_queryset method and (ideally) JWT authentication
Even tho I grabbed a specific example on Django, ideally learn WebSockets since it is more instantaneous than REST. Phoenix framework by Elixir is very popular with videogames' back-ends
I am writing a game where the user sends his score to a server I maintain.
I want to secure that the score has been submitted from the game app, not from a curl request or other mean of HTTP request not started by the app.
I read this entry in the Android developer blog and I thought I needed to implement this, but I'm not sure.
Along with the score, the user will send a player name typed in an EditText as his player name. This means that the users are identified with a name they choose, NOT their Google account username.
Neither the client nor the server need to access the Google user account at any time.
Is this meant to do what I want, or is it used only to guarantee that one HTTP has really been performed from the device of a specific Google user account?
What should I pass as email to the getToken(email, scope) method?
My users won't have an Android AccountManager account.
After more diving I have concluded that:
The email that GoogleAuthUtil#getToken() expects is the email of the user's Google account. This can be programmatically retrieved via the AccountPicker class. This is explained here.
I could use this method to authenticate my server calls, but I think that if I do not plan to use the user Google account information and I don't plan to use the Google Cloud endpoints, I could work with something simpler.
Moreover, If you I used this to authenticate the calls I would depend too much on Google, not being able to release the app in the Amazon market, where the user may not have a Google account (Kindle FIre).
This is an "Is this possible?" question. I have an app for the android phone and another application for the appengine platform. The appengine thing is really just a db of high scores, and the phone app is really just a game. I can, using some json/gson/httppost stuff, send the scores from the game to the db. Now I want to make sure that the scores I have collected come from the game, not some guy, maybe talented at programming but with too much time on his hands.
Here's the question. Can I use google OAuth 2.0 to somehow authenticate that the scores I'm getting come from phones running my game?
I thought I'd do this: I'd use OAuth to get some kind of token from google (from the phone), then pass that token to the appengine database (using a json record), then use the token to get info from google on the user. This could be as simple as an email address. Then I'd say to myself "Well, as long as I get an email address for the user, then I know that the user is using the game, and I can store their score." Does this sound possible? I get the feeling that once I use the phone to get the token from google, it's unusable by the appengine program.
I was thinking I'd use the client_id and client_secret, (and whatever else I needed) that were associated with the appengine db to get a token from the phone, then when I sent the token via json to the appenging program to get the email address, they'd work from appengine. This seems like somehow the google OAuth would know that I was trying to get a token from a phone, and then would reject the whole thing. Then again maybe it would work. They say though that android phones cannot keep secrets (referring to the client_secret).
Finally I was wondering if there was any other easier way of making sure that the score I was recording at the appengine side was truly coming from an android phone running my game? Can I set up my own authentication scheme? How hard is this to do?
Good timing; Google just released a feature will address your question:
http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html
Doing this is a multi-step process, which I’ll outline in full, but
here’s the short version: You use the GoogleAuthUtil class, available
through Google Play services, to retrieve a string called an “ID
Token”. You send the token to your back end and your back end can use
it to quickly and cheaply verify which app sent it and who was using
the app.
With OAuth 2.0 (Open ID connect) you can identify the user that is using your game. It seems that you want to authenticate the app though. There are multiple ways to do this, but you still have to embed the credentials in the app or create some sort of registration mechanism. Generally, as long as your attacker (skillful user) has full access to app code and the device (rooted, etc.), there is not much you can do. The only question is who hard do you want to make it.
Or you can use a third party service such as Parse, and trust that they spend some time perfecting their app authentication mechanism.
I know very little about security or servers, but am making an Android app that allows users to purchase an in-app subscription. As recommended, I want to use the Google Play Developer API and store the necessary data on my own server. However, I can't think of a way to do this without having a line in my code like
if(userIsSubscribed){
//give access to purchased data
}
A hacker could obviously go in and just flip that to if(true). What should I do instead?
Obfuscate your app code as a minimum. Also do the subscription check on the server, before you send the content. That is one of the reasons they have an Web API.
Basically, anything the user (and potential cracker) has access to (i.e., your app) cannot be trusted. Things they don't have direct access to (i.e., your content server) can be trusted a bit more and it is a good idea to move all sensitive operations and/or data there, where possible.
I am integrating the scores API for facebook in an Android game. I had the exact same problem as this question: Facebook Graph API Explorer won't POST scores. The fix was to set my app as Web instead of Native/Desktop. Is it because scores API should not be used by native games? Is it somehwat dangerous to set up Web for a Native app?
Thanks
I have noticed this too, however I wondered if it is 'by design' as to use the Facebook Scores API you need access to the app access token (in order to do things like submit scores) however this isn't considered a safe thing to use from a native application. Here is a quote:
"App Access Tokens should only be used when the posting functions are originated directly from your servers in order to keep them private to the app. For example, you should not publish using an App Access Token from within a native mobile app. Doing that could allow the user to obtain the App Access Token, which could then allow them to take actions on behalf of your app. Instead, you should have your native mobile app queue actions up with your server and then have your server publish the stories to Facebook using the App Access Token."
Here is the website in question: http://developers.facebook.com/docs/opengraph/using-app-tokens/.
So, it sounds like the only way to really use the Scores API is to have the native application securely talk to a separate, secure, server (potentially on Heroku) then once that server has verified the passed data, it would then talk to Facebook and submit the score using the app access token (which it can safely use without the user getting hold of it).
On top of this, the Facebook Scores API only supports having one score per application (not per level, per mode, etc.) scores, so in order to have anything more advanced the extra server is required anyway, so a database can be stored that maps Facebook user IDs to the various scores one wishes to score.