
Hash Secret, hashing, what this really means?

I am having trouble figuring out what Hash Secret (event hashing) really means.

Will I have problems if disabling or enabling it?

When should I use it?

Thanks.


Hi Luigi Garcia,


With event hashing you can make sure that the event has not been tampered with by a MITM attack.

 Say we have the following event:   

{
 "eventName":"hashExampleEvent",
 "userID":"User1",
 "sessionID":"4879bf37-8566-46ce-9f3b-bd18d6ac614e",
 "eventTimestamp":"yyyy-mm-dd hh:mm:ss.SSS",
 "eventParams":
  {
   "platform":"WEB",
  },
}

 And this hash secret:

IJJiwHASH_SECRETiwiuOUH

What we will do is, for every event received, add the hash_secret to the JSON string received and create an md5 hash: c57de68a9d722221f506506e14eeb405


Then we expect you to do the same before you send the event and send it to us in the following format:

POST: http://<COLLECT API URL>/collect/api/<Environment Key>/hash/c57de68a9d722221f506506e14eeb405

BODY:

{
 "eventName":"hashExampleEvent",
 "userID":"User1",
 "sessionID":"4879bf37-8566-46ce-9f3b-bd18d6ac614e",
 "eventTimestamp":"yyyy-mm-dd hh:mm:ss.SSS",
 "eventParams":
  {
   "platform":"WEB",
  },
}


We will then return a status code 403 if the hash you are sending in the url is not what we expect it to be.


Downsides are: 

  • If your game code can be read by end users, they might be able to acquire the hash secret; if this happens, the events might still have been tampered with.
  • Since all events will need to be hashed this can be a performance issue on devices with very little power.
  • This will complicate sending events for testing purposes by adding a few steps.


If you enable it, you will need to send events in this format instead; this might cause existing implementations to be a problem.


I hope this answers your questions.


1 person likes this
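The scheme described in the answer above, sketched as an added example (not part of the original reply and not the vendor's code). It assumes the secret is appended after the body, UTF-8 encoding, and a 200 status on success; the host, environment key and timestamp are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample values; the secret is the placeholder shown in the answer.
HASH_SECRET = "IJJiwHASH_SECRETiwiuOUH"
COLLECT_URL = "http://collect.example.invalid"  # hypothetical host
ENV_KEY = "ENVIRONMENT_KEY"                      # placeholder


def event_hash(body: str, secret: str = HASH_SECRET) -> str:
    """MD5 of the exact body string with the secret appended (assumed order)."""
    return hashlib.md5((body + secret).encode("utf-8")).hexdigest()


def build_request(event: dict) -> tuple[str, str]:
    """Client side: serialise once, hash that string, send that same string."""
    body = json.dumps(event, separators=(",", ":"))
    url = f"{COLLECT_URL}/collect/api/{ENV_KEY}/hash/{event_hash(body)}"
    return url, body


def collect_status(url: str, body: str) -> int:
    """Server-side check as described: 403 when the URL hash does not match."""
    sent = url.rsplit("/", 1)[-1]
    # Constant-time comparison of the received and expected hex digests.
    return 200 if hmac.compare_digest(sent, event_hash(body)) else 403


EVENT = {
    "eventName": "hashExampleEvent",
    "userID": "User1",
    "sessionID": "4879bf37-8566-46ce-9f3b-bd18d6ac614e",
    "eventTimestamp": "2020-01-01 12:00:00.000",  # constructed
    "eventParams": {"platform": "WEB"},
}

if __name__ == "__main__":
    url, body = build_request(EVENT)
    print(collect_status(url, body))                            # untouched body
    print(collect_status(url, body.replace("User1", "User2")))  # altered in transit
    # Same event, different whitespace: the hash covers bytes, not meaning.
    print(collect_status(url, json.dumps(EVENT, indent=1)))
```

The hash covers the exact string sent, so the body must be serialised once and sent unchanged; re-encoding it after hashing produces a 403 even though the event is logically identical.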

Great! Thanks Steven.
