0

This may be somewhat of a faugue description of my question, and I am unsure if this is best to be posted on Stackoverflow or on Super User.

My problem is the following, I am in planning stage of building an quiz ios-app. In some cases it would actually hand out physical prizes monthly, which means security must be tight enough to decrease cheating possibilities. I will build a backend in PHP, on a debian server with Apache and a certified SSL (Rapid-SSL).

My guess is that for every question, it needs to send it back and forth to the server for the server to authenticate the answer, and let the user know if the answer was correct or not. For some cases (the non-price-winning quizzes) I even want to return the correct answer.

My question is, what is the best way of doing this, security wise? Should I encode the data that is being send back and forth, and if so... how and with what (is there some common encoding type which I can use, such as base64 or similar)?

Edit
What I meant was encoding, rather then encryption. I updated the question

Also, for authentication I was thinking of using Facebook OAuth login.

Improve this question
2
  • Well if you send it over SSL, the data is already encrypted, isn't it? If that's not enough, you can additionally encrypt the data before it leaves the server and in your IOS application you decrypt it. That means you need to exchange keys between the IOS application and the server at least once so that both speak the same language. This can be a secret compiled into the IOS application plus probably some key-exchange after first signup and registration of the installation plus a key-exchange for each session plus a key exchange even per each request. Secure as it's weakest pint, the device. Commented Jan 6, 2013 at 23:36
  • Security related questions are best asked on (wait for it) ... security.stackexchange.com Commented Jan 7, 2013 at 8:51

2 Answers 2

Reset to default
1

Let me explain this in detail:

a) If you are afraid of a man in the middle attack or modification of your packet before sending to server (or receiving data from server), SSL would stop them.

b) If you want to stop hackers/debuggers/reversers, if they reverse your code and your code submits for example high score in SSL, they can also submit it easily, like this:

https://yoursite.com/submithighscore.php?score=[SCORE] even you are using https, when hacker revealed the URL, score submission method and HTTP parameters, they can also submit fake results using a simple curl command.

So in this case, you can implement an advanced encryption algorithm, like encrypting data using a known algortihm with some your application specific changes, secure your application from reversing (which is hard a little). It will stop most of hackers/reversers.

If you choose a good key-exchange algorithm and encryption schema, faking it for hackers would be hard, except injecting code or modifying your code. This time you have to take all anti-reversing measures. Even if you use a public-key encryption here without taking anti-reversing measures, hacker could inject a code in your application which will add for example X points to every submission of point, it will not take more than a single assembly instruction.

Anyway, it's hard to have a really really secure system, reversers gone reverse, code-breakers gone try to find out your encryption algorithm and try to break it. But you can also do your best to stop most of hackers.

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

as far as I checked, when user don't have an answer until they submit, they can't really cheat. They should know the answer. If it's a quiz, so answer could be 4-6 possibilities. So you have to stop brute-forcing answer by users. That's easy, you can accept only first answer to question from each user. So relax. :)
Thank you for your answer. Yes, I am aware of the situation of letting the app post the results, which is not good. The app is kind of stupid that way, since it should only show what the backend tells it to. I think what I meant is not encryption, but encoding. I'll update my question.
You can encode every question with it's ID in the database, send it to user with that ID. Everytime user tries to send an answer, ios app should encode it with given ID, in server side you can decode it and verify the answer. Also as mentioned before, you should prevent brute-forcing 4-5 answers per question in server-side.
Can you elaborate the brute forcing statement. Did you mean by fetching 5 questions at the same time?
No, submitting 5 possible answer choices per answer by a user, to prevent cheating. As it is quiz, there is choices like a b c d e f, if some hacker found method of answer submission, they could send every possible answer per question. You should accept first answer per question per user.
|
1

If you are sending over SSL, the data definitely is already encrypted. Thinking about it, the biggest worry is authentication. Knowing for sure that the user that is submitting a question, is actually that user. For that, I would use simple password authentication. And because everything is over SSL, that should be enough. The biggest worry in that case is malware on the user end.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.