Mobile app scores verification

Question

I was wondering if anyone could point me in the right direction here?

I have a mobile app running on iOS and Android which submits scores to a website/service where there will be prizes up for grabs for top players.

The web service needs to be absolutely sure the score submitting player has/is actually playing the game and isn't just submitting boosted scores in order to top the tables.

What would be best way to achieve this?

Answer 1

You should use a key or token to identify a real player. When they create an account with your server, send back a token that uniquely identifies that player. Everytime they use your web service to submit a score, if their token is valid, send them a different one, and keep track of what you're expecting next submission, if for any reason you're sent back the wrong token, you can return a fault string or simply not update scores.

You should keep a log of which accounts are accessing your service and when, this way you can spot if someone is trying to mess with your WS, and if any score gets through that is not legit (which is highly doubtful if you use tokens), then you can take appropriate measures.

Answer 2

If I understand your question correctly, my thoughts:

Each user should have their own token, known only to the app that needs passing to the service. Also, the app should send some MD5 hashed value of the score + date + a random string that can be verified on the server too.