App ID Security

I was wondering about a way to protect the App ID when connecting to Photon Cloud.
My main worry was, say, someone modifying the app to replace the App ID with their own.
We are using photon realtime mainly as a relay so there isn't any server side logic.

After searching some and finding some topics
https://forum.photonengine.com/discussion/12244/security-question-about-safety-of-storing-app-id-in-project
I didn't think about someone taking our App ID and using it somewhere else.

https://forum.photonengine.com/discussion/13349/please-change-my-app-id

What is the best practice to try and secure this? Just keeping it as a string is not secure, and even if it is downloaded upon app startup it could be detected.

Is there a way to issue a temporary key or App ID from an authenticating server, so that once the client has logged in they could be given a temporary key that would let them connect?

Thanks

Comments

  • Hi, @wormsz3r

    There is no good way to protect your AppId. Somehow it has to go through the client, and this is a place where it can be intercepted. Also, you may try to make it as hard as possible.

    The only solution I would propose is custom auth with data. Read here: https://doc.photonengine.com/en-us/server/current/applications/loadbalancing/custom-authentication#sending_data_to_server

    The scenario works like this:
    1. A client connects to your auth server.
    2. The client gets some secret from it and sends it as a custom auth parameter to a nameserver.
    3. Everything else is as before.

    But still, if someone has your source code, they may find a way to hack it. They may reattach your code to another AppId.

    best,
    ilya
  • Hi @wormsz3r,

    Thank you for choosing Photon!

    Adding authentication as my colleague @chvetsov suggested is a good option.

    Obfuscation and other means of hacking/tampering/cheating protection could be used.
    We have some thoughts on our Hacking Protection page.
  • Thanks guys. It was just something I was thinking of, and reading some of the other posts saying keep your App ID secret, but keeping a string secret is going to be hard if someone wants it.

    I looked at authorization before and will have something like that as well.
    I am not really worried about the hacking of the actual packets, just someone taking our app id and using it and we end up paying for it. Or changing it to bypass our systems and auth.

    It would be a nice feature if you could add a way to have an auth server hand out encrypted or temp/session App IDs that could be used when connecting. So even if they had the data, encryption would be done on the auth server and decryption would be done on the Photon server side, so there would be no keys for them to get either. Or the auth server could generate session/temp App IDs that would time out or expire.

    Thanks
  • Hi, @wormsz3r

    Because we have to identify your app on the auth server somehow, some kind of open unique ID will still exist.

    best,
    ilya
  • edited May 20
    @chvetsov sorry for bringing this old topic up. I am new to photon and worried about one thing. It's not about an actual player hacking and cheating my game. What if a bad developer extracts my photon AppID from my app and uses it in his app? In that case I will be charged for his users using the service. He may not have access to the dashboard of my photon app, but that developer can just keep using photon and I would have to pay for that. What are your thoughts on this subject? Please let me know.
  • Hi, @ChaserKnight

    Yes, unfortunately this is possible. The only way to prevent this is using Custom Authentication plus a plugin on the server side. You could try to use webhooks for this, but that plugin may not fit your scenario.

    best,
    ilya
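The custom-auth scenario described in the replies above, as an added example that is not part of the thread and not Photon's own code: the auth server hands a logged-in player a short-lived HMAC-signed token, and the endpoint that Photon's Custom Authentication calls accepts the connection only if that token verifies and has not expired, so a copied AppId alone is not enough to connect. The names `issue_token`, `authenticate`, `SERVER_SECRET` and the 60-second lifetime are hypothetical, and the JSON reply shape (`ResultCode` 1 for success, 2 for failure, plus `UserId`) is assumed from Photon's Custom Authentication documentation.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: it exists only on the auth server, never in the client build.
SERVER_SECRET = b"constructed-demo-secret"
TOKEN_TTL = 60  # assumed lifetime in seconds


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(user_id, now=None):
    """Steps 1-2 of the scenario: after login, give the client a short-lived token."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now) + TOKEN_TTL}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def authenticate(token, now=None):
    """Body of the auth URL the Photon server calls with the client's custom
    auth parameter. Returns the JSON reply as a dict (assumed shape)."""
    now = time.time() if now is None else now
    denied = {"ResultCode": 2, "Message": "invalid or expired token"}
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        # Constant-time comparison; claims are parsed only after the MAC checks out.
        if not hmac.compare_digest(sig, _sign(payload)):
            return denied
        claims = json.loads(payload)
        if now > claims["exp"]:
            return denied
        return {"ResultCode": 1, "UserId": claims["uid"]}
    except (ValueError, TypeError, KeyError):
        # Malformed token: missing separator, bad base64, bad JSON, missing claim.
        return denied


if __name__ == "__main__":
    t = issue_token("player1")
    print(authenticate(t))                      # accepted while fresh
    print(authenticate(t, now=time.time() + 120))  # rejected after expiry
```

A token can still be replayed until it expires, so keep the lifetime short or record used tokens on the auth server.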