
I am developing an iOS game that will be played with real money. The problem that I am facing is the security behind the game. First of all, the game is client-side. When the player buys into a game, a call is made to my REST API. This call logs a game transaction in MySQL and deducts from the player's balance. When the game is finished, the client makes a second call to the API. This second call updates the previous transaction with new information such as a completion timestamp, cashout amount, and status. If the player won, their balance will be credited.

I know that as a developer you cannot trust the client. However, I'm at a standstill with this. I have almost the entire infrastructure coded from scratch. This infrastructure includes a cashier system, user management system, accounting system, Python multiplayer game server (also controlling cash flow), and an iOS Objective-C framework to interact with the web service. All made from scratch over a long period of time.

Yet, the client-side security is holding me back. I'm asking for any advice on what to do in my position. I can't just have someone get their API key, find out how to call the web service, and set up a fake transaction and win.

RoraΖ
Alec
  • Alec, is there any reason you can't be doing the scoring server-side? And just use the client for interaction. If there is a reason, please edit your question to elaborate. If there is no reason, there is your answer - since you cannot trust the client, as you said. – AviD Nov 30 '15 at 08:39
  • Also, usually in casino games the payout for a win is much higher than the buy-in, therein lies the addictive draw :-) – AviD Nov 30 '15 at 08:39
  • @AviD I've currently developed 3 games. The example of mine is the even money one, the second game pays up to 40 to 1, and the other is pooled between players where I will collect a fee. – Alec Nov 30 '15 at 08:46
  • @AviD And in regards to the server-side scoring. The game uses hand-eye coordination. An object is moving and needs to be stopped on top of the object below it. I can set up my Python server to play the game from that end and send the current positions to the client, however, wouldn't there be a lag involved if a connection is poor/unstable? – Alec Nov 30 '15 at 08:49
  • @AviD Let's say the server says the object is in this position, but the client doesn't get the message until half a second later. They could lose the game because of that. – Alec Nov 30 '15 at 08:50
  • If you start with the premises of "you cannot trust the client", and "but I need to trust the client", you are left with "How can I make the security of the client **good enough**?" That is going to be extremely subjective, and thus may not end up being a good question for this forum. – TTT Nov 30 '15 at 16:26
  • It would be **very** unwise to let the client inform the server of the outcome of a game. You have no choice but to implement the game mechanics on the server. – Luke Park Dec 02 '15 at 10:21
  • @LukePark Would there be a lag between what the player sees on his screen vs. what the server says is currently happening? – Alec Dec 04 '15 at 01:15
  • There is definitely the potential to be. It depends how you implement it, among many other factors. – Luke Park Dec 04 '15 at 02:09
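
One way to apply the server-side scoring suggested in the comments without streaming positions to the client, shown as an added example that is not part of the original thread or the asker's code: the buy-in call returns the round parameters, the client animates locally, and the finish call carries only the tap time, which the server replays to decide the payout. The class, constants, motion formula and even-money payout are all assumptions.

```python
import secrets
import time

TRACK_WIDTH = 320.0     # assumed playfield width
WIN_TOLERANCE = 6.0     # assumed max distance from the target that still wins
MAX_REPORT_DELAY = 5.0  # assumed seconds allowed between tap and API call


def position(params, t):
    """Deterministic motion: the object bounces between 0 and TRACK_WIDTH."""
    d = (params["speed"] * t) % (2 * TRACK_WIDTH)
    return d if d <= TRACK_WIDTH else 2 * TRACK_WIDTH - d


class GameServer:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}  # stands in for the game-transaction table

    def buy_in(self, player, stake_cents):
        """First call: record the stake, return the round parameters."""
        rng = secrets.SystemRandom()
        params = {"speed": rng.uniform(200, 400), "target": rng.uniform(40, 280)}
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"player": player, "stake": stake_cents,
                              "params": params, "started": self.clock(),
                              "status": "open"}
        return sid, params

    def finish(self, sid, player, tap_seconds):
        """Second call: the client reports its input, the server decides."""
        s = self.sessions.get(sid)
        if s is None or s["player"] != player or s["status"] != "open":
            return {"ok": False, "won": False, "payout": 0}
        s["status"] = "settled"  # one settlement per buy-in, even if rejected
        elapsed = self.clock() - s["started"]
        # The tap cannot lie in the future or far in the past of the server clock.
        if not 0 <= tap_seconds <= elapsed <= tap_seconds + MAX_REPORT_DELAY:
            return {"ok": False, "won": False, "payout": 0}
        miss = abs(position(s["params"], tap_seconds) - s["params"]["target"])
        won = miss <= WIN_TOLERANCE
        # Even-money payout (stake back plus equal winnings) is an assumption.
        return {"ok": True, "won": won, "payout": 2 * s["stake"] if won else 0}
```

This removes the forged "I won" request, because the cashout amount is never read from the client. It does not distinguish a human tap from an automated one, since the client necessarily knows the round parameters.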

0 Answers