I'm building a server-side API and client-side library for a JavaScript-based game where two very important features must be secured.

1. A user must be debited for each play
2. We must ensure that the score that gets submitted is the actual earned score by the player.

Solving the first problem seems simple; at the beginning of each play we hit the API, debit the user's account and return a unique Play ID. When we submit the user's score for that play, we pass the ID issued at the beginning.

The second one has me a little stumped. Initially I considered a client-side hashing algorithm based on the ID and the score, but quickly realized that the Javascript that produces the hash could easily be reverse-engineered, even if it was obfuscated. At this point I considered a small flash component that generates the hash, but I've heard that even compiled flash can be decompiled.

For added context, I plan to build the server side API in Ruby.

I'd love to hear any suggestions the clever programmers of Stack Overflow have to offer. Thanks for your time!

Edit: The answer by Homer6 below is a very good solution for more sophisticated games, but unfortunately the simplicity of this game doesn't merit a method like that. It's a very short-play time based game, so the score is just the time it takes you to complete a level.

As a rule of thumb just assume that anything in the client side can be faked.

Make the server-side part of the game.

You could make the API only receive actions in the game. So the scoring is done server-side. While this will be more intensive, it's harder to fake.

Of course, people could still write bots for it if they're clever. This also adds the latency of server interactions to the gameplay. If there's a way to make the requests non-blocking, it may work.

HTH

Download as3corelib library
Have the server generate a key
The key will be session based and will also expire X amount of minutes
All data to and from the server will be encrypted with this key

The fact that data is encrypted with a key that depreciates it makes it much more secure.

I would suggest you go ahead with your flash component, and use a good flash swf encrypter to make it more secure against decompiling. This might help : http://asgamer.com/2009/why-how-to-encrypt-your-flash-swf

expand user score to a data structure like a kind of log:

<action type="1" score="+3" totalscore="3" gamestate="depends on the game"/>
<action type="4" score="+1" totalscore="4" gamestate="depends on the game"/>

and create a server-side verification algorithm. however, taking all game logic to the server is much more secure