App ID Security

I was wondering about a way to protect the App ID when connecting to Photon Cloud.
My main worry was, say, someone modifying the app to replace the App ID with their own.
We are using Photon Realtime mainly as a relay, so there isn't any server-side logic.

After searching some and finding some topics
https://forum.photonengine.com/discussion/12244/security-question-about-safety-of-storing-app-id-in-project
I didn't think about someone taking our App ID and using it somewhere else.

https://forum.photonengine.com/discussion/13349/please-change-my-app-id

What is the best practice to try and secure this? Just keeping it as a string is not secure, and even if it is downloaded on app startup it could be detected.

Is there a way to issue a temporary key or App ID from an authenticating server, so that once the client has logged in they could be given a temporary key that would let them connect?

Thanks

Comments

  • Hi, @wormsz3r

    There is no good way to protect your AppId. Somehow it has to go through the client, and this is a place where it can be intercepted. Still, you may try to make it as hard as possible.

    The only solution I would propose is custom auth with data. Read here: https://doc.photonengine.com/en-us/server/current/applications/loadbalancing/custom-authentication#sending_data_to_server

    The scenario works like this:
    1. A client connects to your auth server.
    2. The client gets some secret from it and sends it as a custom auth parameter to a nameserver.
    3. Everything else is as before.

    But still, if someone has your source code they may find a way to hack it; they may reattach your code to another AppId.

    best,
    ilya
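The three-step flow above, as an added example that is not part of the original post or of Photon's own code: an auth server issues a short-lived HMAC-signed token after the player has logged in, the client passes it as a custom auth parameter, and the webhook that Photon calls with those parameters verifies it. The secret, the token layout (`user_id.expiry.hmac`), the parameter name `token` and the sample values are all constructed for this example; the `ResultCode` values 1 (success), 2 (failure) and 3 (parameter invalid) in the JSON reply follow Photon's custom authentication documentation.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed secret shared only between the auth server and the webhook
# that Photon calls. It never ships in the client, so a copied AppId alone
# cannot produce a token that passes verification.
AUTH_SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 300


def issue_token(user_id, now=None):
    """Auth server side (step 2): after the player logged in, hand out a
    token bound to the user id that expires after TOKEN_TTL_SECONDS.
    Layout (constructed): user_id.expiry.hexmac; user_id must not contain '.'."""
    if "." in user_id:
        raise ValueError("user_id must not contain '.'")
    now = int(time.time()) if now is None else now
    expiry = now + TOKEN_TTL_SECONDS
    payload = f"{user_id}.{expiry}".encode()
    mac = hmac.new(AUTH_SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{user_id}.{expiry}.{mac}"


def client_auth_params(token):
    """Client side (step 2): the query string the client sends as its custom
    auth parameters; the key name 'token' is our own choice."""
    return urlencode({"token": token})


def verify_auth_request(query_string, now=None):
    """Webhook side: Photon forwards the client's parameters to the auth URL
    and expects a JSON object with a ResultCode. Returns that object."""
    now = int(time.time()) if now is None else now
    params = parse_qs(query_string)
    token = params.get("token", [None])[0]
    if token is None or token.count(".") != 2:
        return {"ResultCode": 3, "Message": "missing or malformed token"}
    user_id, expiry_str, mac = token.split(".")
    try:
        expiry = int(expiry_str)
    except ValueError:
        return {"ResultCode": 3, "Message": "bad expiry"}
    expected = hmac.new(
        AUTH_SERVER_SECRET, f"{user_id}.{expiry}".encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, mac):
        return {"ResultCode": 2, "Message": "bad signature"}
    if now >= expiry:
        return {"ResultCode": 2, "Message": "token expired"}
    return {"ResultCode": 1, "UserId": user_id}


if __name__ == "__main__":
    # Constructed walk-through of the whole exchange.
    tok = issue_token("player-42", now=1_000_000)
    print(verify_auth_request(client_auth_params(tok), now=1_000_100))
    print(verify_auth_request(client_auth_params(tok), now=1_000_300))
    print(verify_auth_request(client_auth_params(tok[:-1] + "0"), now=1_000_100))
```

Note what this does and does not buy: the AppId still reaches the client (as the later reply in this thread says, some open identifier must exist), but a connection made with a copied AppId and no valid token is rejected by the webhook, so the "bad developer reuses my AppId" case is blocked. A stolen token remains usable until its expiry and is bound to one UserId, which is why the lifetime is kept short.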
  • JohnTube
    Hi @wormsz3r,

    Thank you for choosing Photon!

    Adding authentication as my colleague @chvetsov suggested is a good option.

    Obfuscation and other means of hacking/tampering/cheating protection could be used.
    We have some thoughts on our Hacking Protection page.
  • Thanks guys. It was just something I was thinking of, having read some of the other posts saying to keep your AppId secret, but keeping a string secret is going to be hard if someone wants it.

    I looked at authorization before and will have something like that as well.
    I am not really worried about the hacking of the actual packets, just someone taking our App ID and using it so that we end up paying for it, or changing it to bypass our systems and auth.

    It would be a nice feature if you could add a way to have an auth server hand out encrypted or temporary/session App IDs that could be used when connecting. So even if they had the data, since encryption would be done on the auth server and decryption on the Photon server side, there would be no keys for them to get either. Or the auth server could generate session/temporary App IDs that would time out or expire.

    Thanks
  • Hi, @wormsz3r
    Because we have to identify your app on the auth server somehow, some kind of open unique id will still exist.

    best,
    ilya
  • ChaserKnight
    edited May 2020
    @chvetsov sorry for bringing this old topic up. I am new to photon and worried about one thing. It's not about an actual player hacking and cheating my game. What if a bad developer extracts my photon AppID from my app and uses it in his app? In that case I will be charged for his users using the service. He may not have access to the dashboard of my photon app, but that developer can just keep using photon and I would have to pay for that. What are your thoughts on this subject? Please let me know.
  • Hi, @ChaserKnight

    Yes, unfortunately this is possible. The only way to prevent this is using Custom Authentication plus a plugin on the server side. You could try to use webhooks for this, but that plugin may not fit your scenario.

    best,
    ilya
  • @chvetsov I have done some more work since my original question, and now I am using PlayFab with their Photon integration. But since it's basically a free-to-play game, building on @ChaserKnight's point, technically the bad developer could just apply for a free device account on PlayFab and then could still use our App ID to spoof us.

    My hope was to create a cloud code version of the authentication where the App ID is embedded in the server code and the client app would never need it, as the auth token would be enough. But even using the external auth I still have to pass it to the Photon SDK client side to connect.

    My plan now is to still do the cloud code, but probably have it return the auth token and the App ID from the server. At least then the App ID is not baked into the client app, possibly making it a little harder to extract.

    Is this even an issue you have run across? Are there things in place on Photon's side so that if this occurs we can resolve it or modify costs, etc.? Or are we as the developer on the hook even if we get exploited?

    Thanks
  • Hi, @wormsz3r

    Your idea works, but you know, guys, we do not know anyone who had the issue you are afraid of. Our service has been online for around 10 years. The only solution we propose is custom auth.

    So, if you have such issues after implementing custom auth, then write to us and we will look for a solution.

    best,
    ilya
  • Steven
    edited April 2021
    Does anyone know if there is a way to password-protect the creation of rooms? We would like to set up our system so that only our server creates rooms and players can join those rooms, but the client that the player has does not know the password to create a room, therefore preventing an attacker from using our App ID to run their own game. Is there any functionality like this?

    @chvetsov
  • @Steven you have to use a plugin. Then it can check whether the create game request contains the correct parameters. For instance, your request could contain some properties that will be removed during game creation.

    best,
    ilya
  • Thanks @chvetsov
    Can you add a link to the plugin you're referring to?
  • JohnTube
    Hi @Steven,

    Thank you for choosing Photon!

    here it is: docs, sdk
  • Hi Everyone,
    I want to use Photon, but this issue (securing the App ID) is something I need to think about.
    My games will be HTML5 to be played in browsers. My AppID is hardcoded, so it is easy to find my AppID.

    I'm thinking of whether there is a way to configure my app on the Photon side to accept traffic/requests/connections from my website domain only (i.e. only from https://mydomain.com). In this case, even if someone has my AppID, he still needs to run his code from my web server, which is impossible for him. Is that possible?
  • Hi, @tnageleweb

    The only approach that we can propose is Custom Auth. Your legitimate client can send a request to your backend and get some hash from there. Then you use it as a parameter for the custom auth request.

    best,
    ilya
  • Thanks @chvetsov mod for your reply. So I understand that there is no way to directly configure from the Photon side to accept/reject requests based on their 'origin' value. Am I correct?
  • Yes, you are correct.

    best,
    ilya
  • Thank you
  • Sorry for bumping the old thread.

    I'm wondering if we can have something in the dashboard to allow more protection for the AppId.

    AdMob uses our domain with some txt file; I think Photon could add something like that.

    For example, our client must check some string in our domain, or our App ID must match the package name from the store if it's Android, etc.

    Sorry if I sound stupid; it's only a suggestion from a noob using Photon. I don't know if I have to worry too much about my App ID because we have a small community of players.

  • Not sure I am following. You would need to explain in more detail what you intend to check where.

    Remember - any checks in the client are mostly useless, as they can be hacked/removed.

    Your first line of defense still is adding authentication to your app.

  • Thanks, I'm a total noob with Photon, and I don't want to see my AppId hacked and be asked to pay for thousands of players not from my game.

    Also, a login window for players is always a barrier; I only want to make a fast and fun custom party, only choosing the server.

    Anyway, where can I find a tutorial to do OAuth with Google and Photon, or using PlayFab?