Hi, I have a game (can be any application) with versions that run on the iPhone and other platforms which connect back to a central server. The central server puts iPhone gamers in a separate pool from the other pools. The central server needs to be able to distinguish between the iPhone clients and the other clients. How does one do that? Simple user name, password, or configuration information does not cut it. A secret buried in the application during download will get reversed and can be easily used on non-iPhone emulators. Server certificate SSL will prove to the iPhone what the server is, not the other way around. Client side SSL is still not available and even then, it is not possible to ensure anything unless we rely on a public/private keypair intimately tied to the hardware and the private key is not readable. Is there something like that available with the iPhone? Just a bunch of questions ...
The short answer is that there is no way to be sure. The iPhone is just like any other computer, and even SSL encrypted packets can be sniffed, deconstructed, and resent from another computer. You can use SSL as well as another layer of encryption to make it harder for hackers to understand your protocol format, but if someone really wants to communicate with your server with a custom built client, there is no way to detect that. The first rule in network server design is: never trust the client.
How does Apple trust the iPhone then? Sigh; I was hoping for a better answer. Dang! How does Apple trust that it is an iPhone talking to its servers? Or does it never have to trust the client? I would have thought that Apple would have buried some secret keys in the CPU that cannot be accessed directly, only for signing/encryption with the corresponding public key available for the reverse operation.
What is the purpose of this connection? I really hope it isn't for DRM or any other protection scheme. You can't count on a device always having access to the internet, even on an iPhone (I've been in buildings where the signal is dropped, and no wifi). iPods aren't always connected, especially in foreign markets. Other than that, your dilemma should be easily resolved. You need to create specific builds for each device and platform anyway...
Need it to deliver scores to the server. The communication is very short. Just a back and forth to deliver scores. It is possible for me to fake the server into believing the client, and I can send fraudulent scores.
Well then, I am not sure why you aren't using a standard system, like OpenFeint. Regardless of the system that is used, fraudulent scores will always be a possibility, which is why you shouldn't rely on them to produce anything meaningful, i.e. as a competitive contest.
You using PHP? $source = $_SERVER['HTTP_USER_AGENT']; you can check that; from a Mac OS X based machine (iPhone et al) its value is typically "CFNetwork". It is one level of checking at least.
If someone is using PHP to hack it, curl_setopt($curl_handle, CURLOPT_USERAGENT, "CFNetwork"); will work to spoof the user agent... This is how sites like AppShopper scrape data from the iTunes store, by tricking it into thinking that it is the iTunes app requesting the info. There are better ways to secure high score postings, including custom encryption, token passing, and server-side data validation. I'm sure you can google it yourself...
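As an added example (not code from this thread or any of its posters), here is one way to combine the token passing and server-side validation the post above lists, in Python. It treats the user-agent check only as a logged hint, and the server key, the points-per-second bound and the in-memory session store are constructed stand-ins for a real game's values and database.

```python
import hmac
import hashlib
import secrets
import time

SERVER_KEY = b"constructed-server-secret"  # lives only on the server, never in the client binary
MAX_POINTS_PER_SECOND = 50                 # constructed plausibility bound for this hypothetical game

_sessions = {}  # token -> game start time; in-memory stand-in for a database table


def start_game(now=None):
    """Issue a fresh, server-signed, single-use session token when a game begins."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    payload = f"{nonce}:{int(now)}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    token = f"{payload}:{tag}"
    _sessions[token] = now
    return token


def submit_score(token, score, user_agent, now=None):
    """Validate a score submission entirely on the server. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    # The user agent is trivially spoofed, so it is recorded as a hint but never trusted.
    hint = "ua-ok" if "CFNetwork" in user_agent else "ua-unexpected"
    try:
        nonce, started, tag = token.split(":")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SERVER_KEY, f"{nonce}:{started}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"  # token was not issued by this server
    if token not in _sessions:
        return False, "unknown or already used token"  # blocks replay of a captured submission
    elapsed = now - _sessions.pop(token)  # single use: consume the session
    if not isinstance(score, int) or score < 0:
        return False, "score out of range"
    if score > elapsed * MAX_POINTS_PER_SECOND:
        return False, "score implausible for elapsed time"
    return True, f"accepted ({hint})"
```

None of this proves the client is a real iPhone; it only ensures a forged score must be bound to a server-issued session, cannot be replayed, and must stay within what the game could plausibly produce.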
There was a thread related to this a while ago.. http://forums.toucharcade.com/showthread.php?t=24670
You can spoof anything. Point is, if you are going to have high scores, just don't run a competition through them. If you make it a valuable piece for someone to hack, then they will. We have rolling high scores, so it gives people a reason to post them. It is just for boasting rights really; people like it.
+1 on that. I'd concur that it really isn't worth the time and effort to try and build a "foolproof method" to prevent spoofing. It will happen. It even happens sometimes on OF. Just come up with something that takes reasonable precautions and you should be fine. If you do get someone hacking your boards ... you can take it as an abstract form of a compliment. It's a good sign then that people feel it's worth exerting some of that effort to hack it!