lollercoaster

Reputation: 16523

SSL for mobile game

I'm designing the server backend for a mobile game. iPhones and Androids interact with my PHP scripts on a linux server to make API calls.

Basically the phones "know" their game id when they sign up (they are assigned one) and now that's what I'm using to authenticate. For example, if a user's phone is the moderator of the game (if their id is associated with an entry in the moderator table), they could edit the rules for that game, etc.

However, it occurs to me this is not secure. Someone could easily craft HTTP POST calls to my script and cheat at the game.

I have decided to implement SSL to encrypt messages going back and forth between phones and server. How do I find out what type of SSL certs to buy? Where can I learn to set one up? I have no experience with this. Any advice from some seasoned mobile developers on what is best/easiest/most cost effective would be beyond great.

Upvotes: 2

Views: 993

Answers (1)

user121356


What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your game and your game app will only communicate with your server. Since you control both the client (the game app) and the server, you don't need to buy anything but can rely on self-signed certificates.

Here's the high-level approach. Create a self-signed server SSL certificate and deploy it on your web server. You can use the keytool included with the Android SDK for this purpose. Then create a self-signed client certificate and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). You can do this with the iOS client game as well, but I'm less sure of the exact method as I do primarily Android dev. Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and to only accept the one server-side certificate you installed on your server.

If someone/something other than your game attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.

A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages, as there are resources on the web about how to deal with self-signed SSL certificates in both Android and iOS, on both the server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.

Upvotes: 4
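The answer above describes the setup in words (self-signed server certificate, self-signed client certificate shipped in the app, server requires the client certificate, app accepts only the one server certificate). The following is an added example, not code from the answerer or from the book, and it uses Go's crypto/tls instead of PHP, keytool, or the mobile SDKs so that the whole exchange can be run on one machine over loopback. The hostname `api.game.example` is a constructed placeholder, and the certificates are generated in memory rather than with keytool. It shows the four cases a practitioner wants to confirm: the genuine app connects; a client with no certificate is rejected; a client with some other self-signed certificate is rejected; and the app refuses a server that presents a certificate it does not pin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// apiHost is a constructed placeholder; the app checks the server certificate against it.
const apiHost = "api.game.example"

// selfSigned generates a key pair and a self-signed certificate. No CA and no purchased
// certificate is involved: the certificate itself is the trust anchor the other side pins.
func selfSigned(name string, server bool) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client cert by default
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{apiHost}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serverConfig presents the server certificate and requires every client to present a
// certificate that verifies against the one shipped inside the app (and nothing else).
func serverConfig(serverCert, appCert tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(appCert.Leaf)
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
}

// clientConfig pins exactly one server certificate (the system CA store is never consulted)
// and, when appCert is non-nil, identifies the client with the app's certificate.
func clientConfig(serverCert tls.Certificate, appCert *tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(serverCert.Leaf)
	cfg := &tls.Config{RootCAs: pool, ServerName: apiHost, MinVersion: tls.VersionTLS12}
	if appCert != nil {
		cfg.Certificates = []tls.Certificate{*appCert}
	}
	return cfg
}

// tryConnect performs one handshake plus an echo round trip over loopback. The round trip
// matters: under TLS 1.3 the server rejects a missing or unknown client certificate only
// after the client's own handshake has finished, so the rejection surfaces on the first Read.
func tryConnect(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil { return err }
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil { return }
		defer c.Close()
		buf := make([]byte, 16)
		if n, err := c.Read(buf); err == nil { // the first Read runs the server-side handshake
			c.Write(buf[:n]) // echo only to a client that authenticated
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil { return err }
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte("ping")); err != nil { return err }
	_, err = conn.Read(make([]byte, 16))
	return err
}

func main() {
	server, app, other := selfSigned("game server", true), selfSigned("game app", false), selfSigned("unknown client", false)
	fmt.Println("app with its own cert:   ", tryConnect(serverConfig(server, app), clientConfig(server, &app)))
	fmt.Println("client with no cert:     ", tryConnect(serverConfig(server, app), clientConfig(server, nil)))
	fmt.Println("client with another cert:", tryConnect(serverConfig(server, app), clientConfig(server, &other)))
}
```

Two design points carry over to the real deployment. The server pins the app's certificate by putting it (and only it) in the client CA pool, and the app pins the server's certificate the same way, so neither side ever consults a public CA store; that is what makes the purchased certificate unnecessary. And because the client certificate lives inside a published app, it raises the cost of talking to the server but is not a per-user secret, so the PHP scripts still have to check on every request that the game id in the request is allowed to perform that action (for example, that it appears in the moderator table before rules are edited).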
