
Discussion and help relating to the PlayerIO payment solution, PayVault.

PayVault Refresh > Response not encrypted

Postby Guillaume » January 28th, 2015, 6:49 pm

Hello Henrik,

Thanks to your previous advice, I managed to get my game working in SSL for Client calls and Multiplayer Server calls.
Everything is working fine; I can see that my requests are sent from my Flash game over HTTPS.

However, if I look in my Chrome Developer Tools, I can see that all content sent back from Client calls is not encrypted in the response.
I know that external users can't read the packet, but the current player can see the returned data from the Debug Tools.

On the other side, I see that if I do my stuff from Multiplayer Server calls and then return the values, it seems that the content is encrypted, maybe in a Base64 string? (I don't know.)

Is there any way to hide the returned values from Client calls (like PayVault Refresh, for example)?
If not, do you think my only way is to call all these things from the server side and manage this myself... and maybe add some extra encryption logic, of course.

The goal is to have only encrypted responses, even over SSL, so it would be more difficult to know what the game is actually sending.

Thank you in advance!

Guillaume.
Guillaume
 
Posts: 277
Joined: March 28th, 2014, 1:59 am
Location: France

Re: PayVault Refresh > Response not encrypted

Postby Henrik » January 28th, 2015, 7:57 pm

Nothing prevents a user from downloading our SDK, making a "game" that pretends to be your game, authenticating as himself, and then freely looking at all the data that is available client-side to him. The SSL encryption is there to prevent others from looking at the data in transit, but you can't hide the data from the actual end user.
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm

Re: PayVault Refresh > Response not encrypted

Postby Guillaume » January 28th, 2015, 8:13 pm

Thanks for your answer!

I understand. Then, to increase security, do you think it would be good for me to encrypt the transmitted data?
I mean, I understand that someone can make a game and authenticate as himself, but in order to see my data structure it would require:

- My Auth Hash
- My PlayerIO game ID
- My encryption logic, if I make one

Of course, nothing can be safe on the client side, but it would require the user/hacker to decompile my game to learn this information. And if I can implement good obfuscation for my project, it will make this harder.

This way, a user can't just see what goes over the internet by right-clicking and looking at the network packets in his browser.
What do you think about this?

Re: PayVault Refresh > Response not encrypted

Postby Henrik » January 29th, 2015, 8:08 pm

I think that would be wasted effort, because a determined hacker can reverse-engineer it very easily, and it only needs to be done once for everyone to be able to view the traffic in cleartext. You are better off implementing sanity checks server-side so it doesn't matter if people see the traffic, and so that it will detect spoofing attempts.
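The server-side sanity checks Henrik recommends, as an added illustration that is not code from this thread or from the PlayerIO SDK: the server keeps its own record of coins and owned items (a constructed in-memory stand-in for the real vault, with hypothetical names), decides prices itself, and treats every value the client sends as a claim to be checked, so seeing the traffic gains the player nothing and a mismatching claim is logged as a spoof attempt.

```python
"""Authoritative server-side checks for a client-visible purchase flow.

The client can read every response and can forge every request, so the
server never trusts a client-supplied price or ownership claim. All state
and names below are constructed for this example (not the PlayerIO API).
"""

# Server-side catalogue: the client never decides what an item costs.
PRICES = {"sword": 100, "shield": 50}


class VaultServer:
    def __init__(self, coins):
        self.coins = dict(coins)      # user_id -> coin balance (authoritative)
        self.items = {}               # user_id -> set of owned item keys
        self.spoof_log = []           # (user_id, message, detail) for review

    def _flag(self, user, message, detail):
        """Record a request that contradicts server state; return False."""
        self.spoof_log.append((user, message, detail))
        return False

    def buy(self, user, item_key, client_price):
        """Client says: 'buy item_key for client_price'. The price is only
        compared against the catalogue; the catalogue value is what is charged."""
        price = PRICES.get(item_key)
        if price is None:
            return self._flag(user, "buy", f"unknown item {item_key!r}")
        if client_price != price:
            # A tampered or replayed request: the client saw the catalogue
            # in cleartext and tried to submit its own number.
            return self._flag(user, "buy", f"price {client_price} != {price}")
        if self.coins.get(user, 0) < price:
            return False              # honest but unaffordable; not a spoof
        self.coins[user] -= price
        self.items.setdefault(user, set()).add(item_key)
        return True

    def use_item(self, user, item_key):
        """Client says: 'I own item_key, apply its effect'. Ownership is
        checked against the server's record, never the client's claim."""
        if item_key not in self.items.get(user, set()):
            return self._flag(user, "use_item", f"not owned: {item_key!r}")
        return True
```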

Re: PayVault Refresh > Response not encrypted

Postby Guillaume » January 29th, 2015, 10:04 pm

Thanks for the answer! I will think in this way.

Otherwise, I have found a little bug in the API, which you may correct in a next version, in the C# version:

1- PlayerIO.UseSecureApiRequests = true and client.Multiplayer.UseSecureConnections = false: OK
2- PlayerIO.UseSecureApiRequests = false and client.Multiplayer.UseSecureConnections = true: OK
3- PlayerIO.UseSecureApiRequests = true and client.Multiplayer.UseSecureConnections = true: KO!

Of course the last case may look dumb, but it took me some minutes to figure out why the PlayerIO API was not working on my client.
In scenario 3, local client requests work (I think), but any Multiplayer request made, like CreateJoinRoom etc., will hang; no success or error callback is called in this case.

I have assumed that if I use PlayerIO.UseSecureApiRequests, I don't need client.Multiplayer.UseSecureConnections for the socket version, right? Can you confirm for me that my socket requests will be encrypted even if "UseSecureConnections" is false, because "UseSecureApiRequests" is true?

Again, this concerns only the Unity3D/C# version.

Thanks!
