Home/ Questions/Q 8855187
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T14:04:34+00:00

I will construct a fictional app in order to construct my question. I write

  • 0

I will construct a fictional app in order to construct my question.

I write a kind of treasure hunt app where the user gets a prize if they visit several locations around town. In effect the app would get their current lat/lon and check its proximity to the list of “treasure locations”, if they are within 10 meters of any treasure location they get a notification.

The app will then do a http post to a remote script which basically inserts into a database. The post parameters will be uuid of device and the location they visited.

An attacker could easily watch wireshark and get the name of the script along with the parameters. They could go further, decompile the apk and get other things such as any hashing/obfuscation. They could then just use curl to post willynilly as they pleased and the game would be ruined for non-cheaters. This is a problem have never had to really address since in all the apps I have written there is always data which isnt sensitive and I dont mind it being exposed to the public.

What do I do?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The best think you could do is to send the data in a secure manner. Using HTTPS would be a much better choice, regardless of method. This effectively prevents eavesdroppers, it is the fundamental technology behind any secure communication on the internet.

    Aside from the protocol to communicate with the server, there are still insecurities. Essentially, there are three methods that could work to overcome these.

    1. The location of the player could be sent to the server at some periodic interval. The server responds back if they are close enough to one of the areas. Perhaps the server could include enough smarts to know that it takes time to get from point A to point B.
    2. A single location could be sent at a time to the app. The track of the user could also be uploaded, to verify that the location is correct.
    3. The locations could be sent through a one way function to the program. The real answer could be then sent to the server. The problem with this is that the exact location would need to be discovered in order for the same hash to result back. However, as GPS coordinates tend to only be accurate to a few meters, and don’t tend to give insignificant digits, then multiple values could be tested near the current location. The one-way function would have to require some time to calculate in an effective manner, as otherwise it would be trivial for a bad guy to simply test every square meter in the city to figure out what would work.

    The best method from a security standpoint would be the first, as at no time does the application know where it is supposed to go, until it reaches that location. Of course, this pings the server a large number of times needlessly.

    • 0