
I am currently building a multiplayer game application on Android, and the server-side logic is deployed using Cloud Functions, which is a serverless environment. The application logic is as follows: two users are given a question (i.e. the same one) and they both try to answer it. When one user answers the question, we check whether their answer is correct or not on the server side. This is where I am confused. Suppose that the user's answer is incorrect. The server will come to this conclusion and send back data to the client side to notify the user that their answer is incorrect. Suppose that the client code is as follows:

boolean is_correct_answer = getServerResponse();

In our example, getServerResponse() will return false in this case (i.e. since the user's answer was incorrect). From what I understand, the client-side code can be manipulated, and so the value of is_correct_answer can be set to true by some hacker. Therefore, the server-side validation wasn't useful at all in our example. My question, then, is: what is the proper way of validating users' answers and subsequently notifying them whether their answer was correct or not?

Apper
  • I don't think you are asking the correct question: since client data can be manipulated, you should ask: how to make such manipulations irrelevant? For example, if there was a score kept on the server side, there is hardly any use in displaying a "you win" screen if you did not win - everybody else will query the score and see that, in fact, you lost. – wondra Jan 31 '18 at 08:01

2 Answers


is_correct_answer should be a public static final boolean member of an instance of a Class; something like a Question class, as opposed to a variable that gets reassigned a value more than once.

Beyond that, if this is a native Android (non-webview) application, it appears to be quite involved and difficult to alter client-side runtime values, where a user would have to alter the value stored at that memory address.

I came across some interesting approaches, attack surfaces, and more that you may want to consider at https://hackerbot.net/mobile/android

bFraley

This isn't input validation but an integrity check of the data - anything on the client should not be trusted, as it's outside your control domain and within an attacker's if they choose.

This said, what are you trying to prevent here? Any value on the client can be changed because it's outside of your control - you can only be sure about validating what comes in to the server.

The other thing here is - do you think this is a likely attack? Is someone really going to attack your application, or is your time better spent focusing elsewhere?

McMatty