
I'm working on an always-online mobile game (native Android/iOS app with Unity)


Question

I'm working on an always-online mobile game (native Android/iOS app with Unity) and I would like to be able to authenticate the player without requiring any login/password at the beginning. For those who know, I try to achieve a similar authentication scheme as the famous Supercell games (Clash of Clans, Boom Beach, etc.). What I have in mind:

- The very first time the user launches the game, a request to the server for a new account is made, and the server sends back a UUID.

- This UUID is stored on the device (should I encrypt or hash it?).

- When the user starts the game I authenticate him with a token (UUID+timestamp+hmac(sha256, username+timestamp, K)). Is it better to generate a temporary session token (stored in the database), or could I use the previous token for all the requests after authentication?

- For each request I send token+params+timestamp+hmac(sha256, token+params+timestamp, K)

And every communication will be over SSL.

Is it totally insecure?

Explanation / Answer

If every connection is sent over SSL, you do not need to worry about anyone sniffing your communications. This is actually the strongest part of your system. Good job choosing something standard.

Because SSL is ensuring nobody is listening in on your communications, we should look at the endpoints. Your UUID is basically a shared secret. Anybody with this UUID will be able to imitate your users.

As for encrypting it or hashing it, no. Do not bother. If they have access to your encrypted UUID, they certainly have access to the source code for your game, which would have to contain the password. Anything which could prevent an attacker from authenticating also would prevent a customer from authenticating.