I was reading Stack Overflow and found one great idea on making a client-server based high-score system for your iPhone games. As this is something we will need to develop soon, I'm posting it here so as not to forget, and I'll update this post when we come up with our own solution. Actually I had a similar idea, but benzado has formulated it nicely, so here it is:
One idea that might be Good Enough:
- Let Secret1, Secret2, Secret3 be any random strings.
- Let DeviceID be the iPhone’s unique device ID.
- Let Hash(Foo + Bar) mean I concatenate Foo and Bar and then compute a hash.
Then:
- The first time the app talks to the server, it makes a request for a DevicePassword. iPhone sends: DeviceID, Hash(DeviceID + Secret1)
- The server uses Secret1 to verify the request came from the app. If so, it generates a DevicePassword and saves the association between DeviceID and DevicePassword on the server.
- The server replies: DevicePassword, Hash(DevicePassword + Secret2)
- The app uses Secret2 to verify that the password came from the server. If so, it saves it.
- To submit a score, iPhone sends: DeviceID, Score, Hash(Score + DevicePassword + Secret3)
- The server verifies using Secret3 and the DevicePassword.
- The advantage of the DevicePassword is that each device effectively has a unique secret, and if I didn't know that, it would make it harder to determine the secret by packet sniffing the submitted scores.
Also, in normal cases the app should only request a DevicePassword once per install, so you could easily identify suspicious requests for a DevicePassword or simply limit it to once per day.
Disclaimer: This solution is off the top of my head, so I can’t guarantee there isn’t a major flaw in this scheme.
Written by benzado
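The exchange described in benzado's answer, written out as a working example with both the app side and the server side (this is an added illustration, not code from the original post or from benzado). It assumes SHA-256 as the hash, constant-time comparison of hashes, a random 16-byte DevicePassword, the once-per-day limit on password requests, and constructed values for Secret1..3 and the DeviceID; the `demo()` function runs the honest exchange and then the requests the server must refuse.

```python
import hashlib
import hmac
import secrets

# Constructed example secrets. In the scheme these are random strings baked
# into the app binary; they are not values from the original post.
SECRET1 = "example-secret-1"
SECRET2 = "example-secret-2"
SECRET3 = "example-secret-3"

ONE_DAY = 24 * 60 * 60


def h(*parts):
    """Hash(Foo + Bar): concatenate the parts, then SHA-256 (hash choice assumed)."""
    return hashlib.sha256("".join(parts).encode("utf-8")).hexdigest()


class Server:
    """Holds the DeviceID -> DevicePassword table and checks every request."""

    def __init__(self):
        self.passwords = {}      # DeviceID -> DevicePassword
        self.last_request = {}   # DeviceID -> time of last password request

    def request_device_password(self, device_id, proof, now):
        """Steps 1-2: verify Hash(DeviceID + Secret1), rate-limit, issue a password."""
        if not hmac.compare_digest(proof, h(device_id, SECRET1)):
            return None                       # request did not come from the app
        last = self.last_request.get(device_id)
        if last is not None and now - last < ONE_DAY:
            return None                       # "simply limit it to once per day"
        self.last_request[device_id] = now
        password = secrets.token_hex(16)      # 16 random bytes, hex-encoded (assumed size)
        self.passwords[device_id] = password
        return password, h(password, SECRET2)

    def submit_score(self, device_id, score, proof):
        """Step 3: verify Hash(Score + DevicePassword + Secret3) for this device."""
        password = self.passwords.get(device_id)
        if password is None:
            return False                      # unknown device, never registered
        return hmac.compare_digest(proof, h(str(score), password, SECRET3))


class Client:
    """The app side: knows the three secrets and its own DeviceID."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.password = None

    def obtain_password(self, server, now):
        reply = server.request_device_password(self.device_id, h(self.device_id, SECRET1), now)
        if reply is None:
            return False
        password, proof = reply
        if not hmac.compare_digest(proof, h(password, SECRET2)):
            raise ValueError("DevicePassword reply was not produced by the server")
        self.password = password              # saved once per install
        return True

    def submit_score(self, server, score):
        proof = h(str(score), self.password, SECRET3)
        return server.submit_score(self.device_id, score, proof)


def demo():
    """Run the honest exchange plus the requests the server must refuse; return the outcomes."""
    server = Server()
    client = Client("device-0001")            # constructed DeviceID
    results = {}
    results["registered"] = client.obtain_password(server, now=1000)
    results["honest_score_accepted"] = client.submit_score(server, 4200)

    # Someone replays a sniffed submission with a higher score, but cannot
    # recompute the hash without the DevicePassword and Secret3.
    sniffed_proof = h("4200", client.password, SECRET3)
    results["tampered_score_rejected"] = not server.submit_score("device-0001", 99999, sniffed_proof)

    # A password request whose proof was not made with Secret1 is refused.
    results["forged_request_refused"] = server.request_device_password("device-0002", "deadbeef", now=1000) is None

    # A second password request from the same device within a day is refused.
    results["repeat_request_refused"] = not client.obtain_password(server, now=1000 + 3600)

    # A device that never registered cannot submit at all.
    results["unknown_device_rejected"] = not server.submit_score("device-0003", 1, "x")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The example keeps the plain "concatenate then hash" construction from the answer; an HMAC keyed with the secret (and a delimiter between fields) would be a stricter drop-in for `h()`. Note that all three secrets still ship inside the app, so the scheme only holds as long as they stay unextracted.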
Currently, I'm trying to figure out the best way to make an online high-score system for our clients without having to reinvent the wheel. It seems, however, that there is no great solution yet. I was looking into OpenID, but the evidence is that at the moment it doesn't allow easy automated identification using the iPhone's deviceId feature:
http://factoryjoe.com/blog/2008/01/13/the-openid-mobile-experience/
http://openid.net/pipermail/specs/2009-January/002688.html
so we will likely come up with our own solution, something like what benzado mentioned above.