App ID Security

I was wondering about a way to protect the App ID when connecting to Photon Cloud.
My main worry was to say someone modified the app to replace the App id with their own.
We are using photon realtime mainly as a relay so there isn't any server side logic.

After searching some and finding some topics
https://forum.photonengine.com/discussion/12244/security-question-about-safety-of-storing-app-id-in-project
I didn't think about someone taking our App ID and using it somewhere else.

https://forum.photonengine.com/discussion/13349/please-change-my-app-id

What is the best practice to try and secure this, as just keeping it a string is not secure, even if downloading it upon app startup it could be detected.

Is there a way to issue a temporary key or app id from an authenticating server, so that once the client logged in they could be given a temporary key that would let them connect?

Thanks

Comments

  • Hi, @wormsz3r

    There is no good way to protect your AppId. Somehow it has to go through the client, and this is a place where it can be intercepted. Also, you may try to make it as hard as possible.

    The only solution I would propose is custom auth with data. Read here: https://doc.photonengine.com/en-us/server/current/applications/loadbalancing/custom-authentication#sending_data_to_server

    The scenario works like this:
    1. A client connects to your auth server.
    2. The client gets some secret from it and sends it as a custom auth parameter to a nameserver.
    3. Everything else is as before.

    But still, if someone has your source code, they may find a way to hack it. They may reattach your code to another AppId.

    best,
    ilya
  • Hi @wormsz3r,

    Thank you for choosing Photon!

    Adding authentication as my colleague @chvetsov suggested is a good option.

    Obfuscation and other means of hacking/tampering/cheating protection could be used.
    We have some thoughts on our Hacking Protection page.
  • Thanks guys. It was just something I was thinking of, and reading some of the other posts saying keep your AppId secret, but keeping a string secret is going to be hard if someone wants it.

    I looked at authorization before and will have something like that as well.
    I am not really worried about the hacking of the actual packets, just someone taking our app id and using it and we end up paying for it. Or changing it to bypass our systems and auth.

    It would be a nice feature if you could add a way to have an auth server hand out encrypted or temp/session app IDs that could be used when connecting. So even if they had the data, encryption would be done on the auth server and decryption would be done on the Photon server side, so there would be no keys for them to get either. Or the auth server can generate session/temp app IDs that would time out or expire.

    Thanks
  • Hi, @wormsz3r
    Because we have to identify your app on the auth server somehow, some kind of open unique ID will still exist.

    best,
    ilya
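
The custom-auth scenario described in the thread (client logs in to your auth server, receives a short-lived secret, and sends it as the custom auth parameter), sketched as an added example that is not part of the original posts or Photon's own code. The key, TTL, function names and the `ResultCode`/`UserId` response shape are assumptions; check the response format against the custom authentication documentation linked above.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): known only to the auth server and the
# custom-auth endpoint, never shipped inside the client build.
SERVER_KEY = b"constructed-demo-key"
TOKEN_TTL = 60  # seconds a token stays valid (assumed value)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload):
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(user_id, now=None):
    """Step 1: the auth server gives a logged-in user a short-lived token."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now) + TOKEN_TTL}
    payload = _b64(json.dumps(claims).encode())
    return payload + "." + _sign(payload)


def verify_token(token, now=None):
    """Step 2: endpoint Photon calls with the client's custom auth parameter."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        # Constant-time comparison of the recomputed signature.
        if not hmac.compare_digest(sig, _sign(payload)):
            return {"ResultCode": 2, "Message": "bad signature"}
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, TypeError):
        return {"ResultCode": 2, "Message": "malformed token"}
    if claims["exp"] < now:
        return {"ResultCode": 2, "Message": "token expired"}
    return {"ResultCode": 1, "UserId": claims["uid"]}
```

The AppId still travels through the client, as noted in the replies; what this changes is that the AppId alone is no longer enough to pass authentication.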