security of data stored

Posts: 164
Joined: 2010.10
Post: #1
i have an app that has an inapp purchase.
in this store i can download 1 item that consost in 10 special bullets.
now, as i download i make:
FILE *pFile=fopen("bullets.dat", "wb");        
    fprintf(pFile, "%d",numberOfBullet);
the question is:
this solution is easily hackable? (i think so)
what is the best way to store information? (i store only one integer but perhaps there is more convenient way to do it)
Quote this message in a reply
Posts: 164
Joined: 2010.10
Post: #2
looking for the question i have found:

am i over-worried?
should i care of storing this kind of information?
what would you do in your projects?
Quote this message in a reply
Posts: 6
Joined: 2011.12
Post: #3
I'm not qualified to answer your direct question but just an observation:

Your method you have showing would only track the last purchase. Why not have it read the file first to see how many they bought, then add the new purchase to that amount so they know how many they have purchased total.

Or better yet have both numbers.
Quote this message in a reply
Posts: 461
Joined: 2002.09
Post: #4
>am i over-worried? should i care of storing this kind of information?

From your description ("special bullets") it appears that this is a consumable item that can be purchased repeatedly. Personally I wouldn't worry too much about people hacking it. If they can hack it to go from demo-mode to full-game-mode, that would be more of a concern. As it is, you are already giving them the freemium game and if they enjoy it they already can play the whole thing for free (right?).

If it's a single-player game then there's even less worry. If someone wants to hack their local copy, they probably weren't going to buy anyway. As long as the game doesn't have an onlin high score list or multiplayer, let it go.

You could have the code limit the number of special bullets. If the player has more than (say) 20 bullets, that's illegal so you'd zero their bullets. And don't let them purchase a new batch until their current count is 10 or less. (The actual numbers you'd use depends on how powerful the items are and how many of them you expect the player to reasonably stockpile.) That would force the hacker to re-hack periodically, and they wouldn't be able to distribute a one-shot 999 bullet hack on the web, at least not easily.

You might consider encrypting the information, not with strong encryption, but obfuscate it in a way that makes it unlikely that someone will be able to edit it easily. You don't want to use a scheme that will always generate the same encrypted value; for example, if "20" always maps to "XYZZY" then that's not helpful. You could combine it with another stored value, for example, the player's name.

FYI if your encryption is too strong you may have import/export issues with the US government, requiring you to register your app with them. Discussed here:

There are other concerns too. Where exactly are you storing this file? (You might want to use NSUserDefaults instead.) Does the game have multiple save slots? (The # of special bullets left may have to be stored with each saved game instead. That itself can be pretty obfuscating.)

Anyway, my message is don't go overboard; the bigger challenge is getting people to care about the game in the first place.

Measure twice, cut once, curse three or four times.
Quote this message in a reply
Posts: 164
Joined: 2010.10
Post: #5
thanks for all exaustive explanation!
Quote this message in a reply
Post Reply