Daniel said:
My app uses a RNG and deals with real money transactions regularly.
The RNG is on the server side so should be fine but there is code shared
between client and server. I don't see a way to do any major problems as
server handles the actual logic so they would only be able to hack the way
things appear on their screen and not actually the server's handling of it.
But, the fact someone can easily see my code, and spend all day if they
wanted to looking for a hole is a clear concern. If they found a hole and
exploited it, people's accounts with real money could be affected. I can't be
more specific at this time I am afraid.
If your code has a security hole, then preventing someone running the
client from working out what it's doing isn't going to remove that
security hole. It may make it a *little* less likely to be found, but
any code which can be run can be examined. It's harder with unmanaged
code, but still possible.
So it is a concern to me. If there is no way round it, my alternative would
be to rip as much as I possibly can out of client side code, and even make
duplicate lightweight copies of classes that are shared between client and
server.
Ideally, the client side code should be lighter weight anyway, IMO.
As well as many checks for malformed packets and so forth that could
be generated by a hacked client.
You should be making those checks anyway - otherwise any security flaws
would still be there. Security through obscurity is not true security.
Jon
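
Added example, not code from the thread or from either poster: a server-side handler that treats every client packet as untrusted, which is the kind of check discussed above. The wire format, the dice-style payout rule, the limits and all names (`handle_bet`, `RejectedPacket`, `PACKET`) are hypothetical assumptions made for illustration.

```python
import secrets
import struct

# Hypothetical wire format (assumption, not from the thread), big-endian, 10 bytes:
# version:u8, account_id:u32, stake_cents:u32, claimed_roll:u8
PACKET = struct.Struct(">BIIB")
PROTOCOL_VERSION = 1
MAX_STAKE_CENTS = 10_000


class RejectedPacket(Exception):
    """Raised for any packet the server refuses to act on."""


def handle_bet(raw: bytes, session_account: int, balances: dict) -> dict:
    # 1. Structural check: exact length, so truncated or padded packets
    #    never reach the game logic.
    if len(raw) != PACKET.size:
        raise RejectedPacket("bad length")
    version, account_id, stake, _claimed_roll = PACKET.unpack(raw)
    if version != PROTOCOL_VERSION:
        raise RejectedPacket("bad version")
    # 2. Identity comes from the authenticated session, not from the packet.
    if account_id != session_account:
        raise RejectedPacket("account mismatch")
    # 3. Range checks against server-side state.
    if not 0 < stake <= MAX_STAKE_CENTS:
        raise RejectedPacket("stake out of range")
    if stake > balances.get(account_id, 0):
        raise RejectedPacket("insufficient funds")
    # 4. The outcome is drawn on the server from a CSPRNG; whatever roll the
    #    client claims is ignored, so a modified client changes nothing.
    roll = secrets.randbelow(6) + 1
    delta = stake if roll == 6 else -stake
    balances[account_id] += delta
    return {"roll": roll, "delta": delta, "balance": balances[account_id]}
```

A rejected packet leaves `balances` untouched because every check runs before any state is modified.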