05-27-2008, 04:31 PM | #1
Ricky158
The "High Score" Problem

I've been doing a lot of research on this topic recently and I'm sort
of stuck. For those who don't know about this type of problem, it is
the security concern that communication between Flex (a Flash
front-end application) and a server through PHP is thinly-veiled and
prone to attack. Specifically, when a Flash game tries to tell the
server that a user got a high score, an attacker can find a way to
fake this high score and achieve the best score (sometimes resulting
in a cash prize).

The measures that I've been studying seem to only get in the way for
attackers, but not thwart them entirely. For example, one could simply
encrypt the data that is passed to a PHP file, but the Flash
application can be decompiled and the encryption technique is
discovered. Alternatively, one could obfuscate the application, making
the decompilation produce jargon, but this too can be translated into
human-readable text. A server can check data for feasibility by using
a timer to detect super-fast computer-generated PHP POSTs, but this
too can be overridden by slowing down the auto-POSTs. This is the case
for other "human" feasibility checks. If the server checks the POST
headers, they too can be faked by proxies.

Is the simple conclusion that Flash applications are inherently
transparent? There is no such thing as Flash application security?
Does SSL patch any of these risks?

How can a "high score" problem be overcome?
05-27-2008, 06:23 PM | #2
NancyJ
I'm no expert on Flash or Flex, but it seems to me a simple way would be to have the PHP file pass a variable to the Flash/Flex program and then have that information be sent back to the PHP file when the score is saved - if the values don't match then the score isn't recorded.

If the Flash file is decompiled, the file doesn't contain the value that needs to be sent.

Just an idea.
05-27-2008, 07:13 PM | #3
Ricky158
Quote (originally posted by NancyJ):
> I'm no expert on Flash or Flex, but it seems to me a simple way would be to have the PHP file pass a variable to the Flash/Flex program and then have that information be sent back to the PHP file when the score is saved - if the values don't match then the score isn't recorded.
>
> If the Flash file is decompiled, the file doesn't contain the value that needs to be sent.
>
> Just an idea.

The problem with that is that a person can be watching their HTTP Headers and just grab that variable in transit. The person can then fake a POST and include both the variable and their new "high score".
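
Added example, not part of any post in this thread: a server-side sketch of the per-round token suggested in post #2 combined with the timer feasibility check mentioned in post #1, written in Python as a stand-in for the PHP endpoint. The class, function names and both limits are hypothetical; the last case in `demo()` shows the limit described in post #3.

```python
import secrets
import time

MAX_POINTS_PER_SECOND = 50  # assumption: fastest scoring rate the game allows
MIN_ROUND_SECONDS = 5       # assumption: shortest round a human can finish

class ScoreServer:  # in-memory stand-in for the PHP endpoint and its session store
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._open = {}   # token -> (player, round start time)
        self.scores = []  # accepted (player, score) pairs

    def start_game(self, player):
        """Issue an unguessable single-use token when a round begins."""
        token = secrets.token_urlsafe(32)
        self._open[token] = (player, self._clock())
        return token

    def submit(self, player, token, score):
        """Return (accepted, reason); the token is consumed on first use."""
        owner, started = self._open.pop(token, (None, None))
        if owner is None:
            return False, "unknown or already used token"
        if owner != player:
            return False, "token issued to another player"
        if type(score) is not int or score < 0:
            return False, "malformed score"
        elapsed = self._clock() - started
        if elapsed < MIN_ROUND_SECONDS:
            return False, "round too short"
        if score > elapsed * MAX_POINTS_PER_SECOND:
            return False, "score not feasible for elapsed time"
        self.scores.append((player, score))
        return True, "recorded"

def demo():
    now = [0.0]  # fake clock so the constructed scenario runs instantly
    srv = ScoreServer(clock=lambda: now[0])
    def play(player, seconds, score):
        token = srv.start_game(player)
        now[0] += seconds
        return token, srv.submit(player, token, score)
    out = {"forged": srv.submit("mallory", "made-up-token", 999999)}
    token, out["honest"] = play("alice", 60, 1200)
    out["replay"] = srv.submit("alice", token, 1200)
    out["inflated"] = play("mallory", 60, 999999)[1]
    # Limit raised in the thread: a valid token plus a plausible score passes.
    out["plausible"] = play("mallory", 60, 2999)[1]
    return out
```

The checks bound what a false submission can claim and stop reuse of a token, but they cannot tell a played round from a fabricated one that stays inside the limits.
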
05-27-2008, 08:26 PM | #4
gnomeontherun
Nothing is completely secure...

You could put layers between the application and the server, perhaps some method of checking variables. I know a smart person will always unravel the layers, but the more you put the harder it gets.

This isn't necessarily a Flash/Flex issue; if you can send a variable via POST to any script, someone could try to interject their own into it.

Very good question though... maybe ask it in the section where PHP people can read it too.
06-03-2008, 03:46 PM | #5
vahsi000
I'm not sure how helpful my suggestions will be, but here goes...
I agree with Jeremy: if a hacker really wants to get that prize they will, but it also depends on how much the cash prize is (or whatever the value of the item). If it's something small valued less than $100 you shouldn't worry too much about it, just get some encryption happening.

Otherwise I really think a combination of PHP SSL & Cookies will get you a good amount of security, as I know a lot of shopping cart systems use SSL to handshake with the browser to prevent hackers from stealing information.

Finally, if it's a really big sum of $$$ then I would most likely look into another technology, Shockwave maybe?
06-30-2008, 10:23 AM | #6
kaydara
How about if you pass your request with some encryption?
06-30-2008, 02:29 PM | #7
Ricky158
Quote (originally posted by kaydara):
> How about if you pass your request with some encryption?

Then the encryption method is publicly known, as any SWF can be decompiled into its source code.