Impact

This forum is read only and just serves as an archive. If you have any questions, please post them on github.com/phoboslab/impact

9 years ago by wrondon

Hi everyone,

I tried to find some place to talk about Playtomic (playtomic.org) but I had no success in finding a community. So I'll try to put my doubt here:

Last week I installed Playtomic on my server; however, I am really confused about Playtomic's private and public keys.

If you check out this tutorial http://playtomic.org/server.html you will be able to see this line:

Creating game credentials
You can add game credentials from the MongoHQ dashboard in the 'games' collection. The collection will be created for you automatically the first time you upload to Heroku.

{ 
	publickey: "mypublickey", 
	privatekey: "myprivatekey", 
	leaderboards: true, 
	playerlevels: true, 
	gamevars: true, 
	geoip: true
}

So you just need to create this collection to configure the game (including private and public keys).


Now I am trying to use my Playtomic Installation and, reading the API documentation ( http://playtomic.org/api/html5.html ), the first thing I need to do is initialize it with this code:

Playtomic.initialize(publickey, privatekey, apiurl);

But wait a second. My app will contain the public and private keys inside of it? What could stop someone from taking the app's keys and making his own server calls?

Is there something I am not seeing? What could I do to make the requests safer?

Best Regards,
Wagner

9 years ago by wrondon

Common request: [image not preserved]

Malicious request: [image not preserved]

9 years ago by wrondon

Hi, I talked directly with Playtomic's creator, Ben Lowry.

His comments follow below:

-------

Hi Wagner,

Securing API keys in your app is a tough problem that affects basically every service we use in apps. The only thing we try to defend against is casually tampering with data to insert e.g. fake scores, but anyone who is determined to mess with your game will be able to.

There's some interesting possibilities like the way Amazon authenticates apps using a hash of the certificate you sign the app with amongst other things, but because this software is multi-platform there's no consistently secure approach like that available as far as I know.

You can add your own precautions to the API server and whatever client you use, but I don't know what would secure your app. If you find anything that would help + not be specific to one platform, please let me know.

Ben
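
An added example, not part of the original thread and not Playtomic's code: a server-side precaution of the kind mentioned above, sketched for Node.js. The wire format, the `sign`/`acceptScore` helpers, the session table and the `MAX_POINTS_PER_SECOND` rule are all assumptions made for illustration. It shows that a signature made with a key shipped in the client only filters casual edits, while a check against state the server itself recorded does not depend on that key staying secret.

```javascript
// Added example: hypothetical score-submission check, not Playtomic's real protocol.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed value: the "private" key ships inside every copy of the client.
const EMBEDDED_KEY = 'myprivatekey';

// Client side (assumed wire format): sign the payload with the embedded key.
function sign(payload, key) {
  return createHmac('sha256', key).update(JSON.stringify(payload)).digest('hex');
}

// Server check 1: signature. It passes for anyone who holds the embedded key,
// so it only filters out casual edits to a captured request.
function signatureOk(payload, sig, key) {
  const expected = Buffer.from(sign(payload, key), 'hex');
  const given = Buffer.from(String(sig), 'hex');
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Server check 2 (assumed game rule): a score must be reachable in the time
// since the server itself opened the session. It needs no client-held secret.
const MAX_POINTS_PER_SECOND = 50;
const sessions = new Map(); // sessionId -> server-recorded start time (ms)

function startSession(id, nowMs) {
  sessions.set(id, nowMs);
}

function acceptScore(payload, sig, nowMs) {
  if (!signatureOk(payload, sig, EMBEDDED_KEY)) return 'rejected: bad signature';
  const started = sessions.get(payload.session);
  if (started === undefined) return 'rejected: unknown session';
  sessions.delete(payload.session); // one submission per session blocks replays
  const elapsedSec = (nowMs - started) / 1000;
  if (!Number.isFinite(payload.score) ||
      payload.score > elapsedSec * MAX_POINTS_PER_SECOND) {
    return 'rejected: implausible score';
  }
  return 'accepted';
}
```
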