I was reading Stack Overflow and found a great idea for making a client-server high scores system for your iPhone games. As this is something we would need to develop soon, I’m posting it here so as not to forget, and I’ll update this post when we come up with our own solution. Actually, I had a similar idea, but benzado has formulated it nicely, so here it is:
One idea that might be Good Enough:
- Let Secret1, Secret2, Secret3 be any random strings.
- Let DeviceID be the iPhone’s unique device ID.
- Let Hash(Foo + Bar) mean I concatenate Foo and Bar and then compute a hash.
Then:
- The first time the app talks to the server, it makes a request for a DevicePassword. iPhone sends: DeviceID, Hash(DeviceID + Secret1)
- The server uses Secret1 to verify the request came from the app. If so, it generates a DevicePassword and saves the association between DeviceID and DevicePassword on the server.
- The server replies: DevicePassword, Hash(DevicePassword + Secret2)
- The app uses Secret2 to verify that the password came from the server. If so, it saves it.
- To submit a score, iPhone sends: DeviceID, Score, Hash(Score + DevicePassword + Secret3)
- The server verifies using Secret3 and the DevicePassword.
The advantage of the DevicePassword is that each device effectively has a unique secret, and if I didn’t know that it would make it harder to determine the secret by packet sniffing the submitted scores.
Also, in normal cases the app should only request a DevicePassword once per install, so you could easily identify suspicious requests for a DevicePassword or simply limit it to once per day.
Disclaimer: This solution is off the top of my head, so I can’t guarantee there isn’t a major flaw in this scheme.
Written by benzado
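The exchange described above, sketched end to end as an added example (not code from benzado or from this blog). SHA-256 as the hash, the secret values, the names `h`, `Server`, `app_register` and `app_submit`, and refusing (rather than only logging) a repeated DevicePassword request are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample secrets; in the scheme they are random strings shared by app and server.
SECRET1, SECRET2, SECRET3 = "s1-constructed", "s2-constructed", "s3-constructed"

def h(*parts: str) -> str:
    """Hash(Foo + Bar): concatenate, then hash. SHA-256 is an assumption."""
    return hashlib.sha256("".join(parts).encode()).hexdigest()

class Server:
    def __init__(self):
        self.passwords = {}   # DeviceID -> DevicePassword
        self.scores = {}      # DeviceID -> best accepted score
        self.suspicious = []  # DeviceIDs that asked for a password more than once

    def register(self, device_id, proof):
        # Secret1 shows the request came from the app (constant-time compare).
        if not hmac.compare_digest(proof, h(device_id, SECRET1)):
            return None
        if device_id in self.passwords:
            # A normal install asks once, so a repeat is logged and refused.
            self.suspicious.append(device_id)
            return None
        password = secrets.token_hex(16)
        self.passwords[device_id] = password
        # Reply with the password and a Secret2 proof the app can check.
        return password, h(password, SECRET2)

    def submit(self, device_id, score, proof):
        # Verify with Secret3 and the password stored for this device.
        password = self.passwords.get(device_id)
        expected = h(str(score), password or "", SECRET3)
        if password is None or not hmac.compare_digest(proof, expected):
            return False
        self.scores[device_id] = max(score, self.scores.get(device_id, 0))
        return True

def app_register(server, device_id):
    reply = server.register(device_id, h(device_id, SECRET1))
    # Keep the password only if the Secret2 proof checks out.
    if reply and hmac.compare_digest(reply[1], h(reply[0], SECRET2)):
        return reply[0]
    return None

def app_submit(server, device_id, password, score):
    return server.submit(device_id, score, h(str(score), password, SECRET3))
```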
Currently, I’m trying to figure out the best way to make an online high scores system for our clients without having to invent the bicycle. It seems, however, there is no great solution yet. I was looking into OpenID, but the evidence is that at the moment it doesn’t allow easy automated identification using the iPhone’s deviceId feature:
http://factoryjoe.com/blog/2008/01/13/the-openid-mobile-experience/
http://openid.net/pipermail/specs/2009-January/002688.html
So we will likely come up with our own solution, something like what benzado mentioned above.
8 comments so far...
Sounds like you’re reinventing OAuth! Why not use the DeviceID as the consumer secret?
Thanks for your comment, Chris. I sent you an e-mail some time ago; did you receive it?
Hi, we could really use an iPhone high scoring system for our upcoming game(s).
Hi Kendall, thanks for your comment.
The online high scoring system is in its beta testing mode - so we are already using it for our own projects but didn’t provide a public API yet.
If you wish I could set it up manually for your game(s) and afterwards you will get the web admin interface when it’s ready.
So if you are interested in participating in beta testing or becoming one of the co-authors, as we are still adding features etc., you’re very welcome. Please let me know!
Better contact me at:
taras [A][T] injoit.com
Taras
Hi guys, so for all of you interested, please check our system at Google Code. We have decided to make it open source and free, so you’re welcome to use/test/participate:
http://code.google.com/p/igetscores/
Following the advice from Chris, we are using the OAuth system for authentication.
[...] want to tell a bit about how it has started. First there was a post here in our blog: http://www.injoit.com/blog/2009/02/20/an-idea-for-saving-game-scores-online-for-iphone-apps/ where I was thinking aloud on how to make a solution to store the high scores online (for our iPhone [...]
Nice. I just wrote up a tutorial (well, part 1/2 anyway) about managing high scores in iPhone games, and this was pretty much the same implementation I settled on as a good balance of security vs. pain-in-the-ass to develop.
I believe md5 allows you to export freely on the iPhone as well, so using that you won’t run into a surprise app store rejection.
There are a good number of attractive leaderboard services out there now too, although (I assume) like you I’m inclined to a simple, independent solution I can fully control.
http://www.travisdunn.com/managing-local-high-scores-and-online-leaderboard-for-your-iphone-games-part-1
Travis, thanks for your comment and for mentioning our system in your posting.
Regarding our plans, we plan to release a new web service within the next weeks, which will include iGetScores as one of the modules (just HighScores), and it will also provide other modules which developers typically need, such as those for GPS tracking or Push Notifications.