Time cheating prevention in mobile app

Hi,

The scenario here is: the user can edit entries only in the past. The user cannot edit future entries. I tested changing the date and time of the device, and I was able to edit future entries.

Any idea about time cheating prevention in a mobile app?

Hi Ali,


Outside of doing some type of call to get a time/date that is not on the device (i.e., call a REST service), this is something that would be really hard to do.

Maybe you can implement a validation that they can only change it if they are online. You can enclose the CurrDateTime() in a server action so that it calls the platform server date instead of the device date.

Hi Ali,

Generally, in mobile, for these cases we pick the time from the server or a third-party API, not from the mobile device.

So in the case of OutSystems, if you are not using any third-party API, simply create a server action which returns the current date and time. Although it introduces an extra server call, I think it is an easy and reliable way to achieve this.

Thanks.

Thanks guys for replying.

Getting the server time via a server action is a good idea, but here another problem occurs.

Each device might have a different timezone. How can I compare UTC time with device local time? I have to make the decision based on the current local time of the person who has the device. Suppose person A is in the PST time zone and I need to allow or restrict that person according to their timezone, not according to the server timezone.

So that of course can be cheated as well, but a few lines of JavaScript would do it. If you are worried about them changing it on the device, that will fail. So your next option would be to get geolocation, then call a server to get the time zone. This of course could be beaten as well if the user used a GPS-altering app.

At the end of the day, whatever you come up with could be beaten by a savvy enough user. It just depends on how much effort you want to put into trying to stop them.


Stacey

Hi Ali,

As Stacey suggested, you cannot stop users. After all, it is their device and there are many ways to simulate the time and GPS.

Ideally you should apply this condition for one time zone and that should be applied on users using server date and time.


Hi Ali,

You need to convert the user's device time to UTC and then compare it with the server's UTC time. For getting the time zone or even the time, you can use network/cellular provider data.

Thanks.

Hi Ali,

When you receive Time or DateTime values from the server they will automatically be converted to local device's current timezone. No need for extra timezone conversions.

But like Stacey points out, the only way of being certain of the current timezone is to determine the device's location and from there get the corresponding timezone. Since this can also be spoofed by the user, there's no bulletproof solution to prevent the user from changing records "in the future".

Both Android and iOS provide mechanisms to notify apps of system date/time changes (Android: ACTION_TIME_CHANGED intent; iOS: NSSystemClockDidChangeNotification notification), but neither can detect if they were user changes, nor if those changes are valid (a user traveling may manually change the timezone to match the destination location). I also don't know of any plugin that would make this available in OutSystems.

Depending on your requirements/needs, what you may be able to do is something like:

  • track when the change happens (add an UpdatedOn attribute to your record, that you set to CurrDateTime() every time the user updates the record) and;
  • regularly check all records to guarantee that UpdatedOn isn't in the future, and if it is, invalidate the record on the device (the user had to change the system time to the future to make the change, but likely won't keep that change permanently).

Alternatively, if you can keep history of changes on your records, once you detect a change that happened in the future you roll it back to the last one that is in the past.

Hope these ramblings give you food for thought.
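
The checks discussed in this thread (compare against server time in UTC, flag changes whose UpdatedOn lies in the future, roll back to the last change in the past) can be sketched as follows. This is an added example, not code from any poster or from OutSystems; the record shape, the sample data and the 5-minute tolerance are assumptions, and `serverNow` is assumed to come from a server action rather than the device.

```javascript
// Added example: field names, sample data and SKEW_MS are assumptions.
const SKEW_MS = 5 * 60 * 1000; // tolerated drift between device and server clocks

// An entry may be edited only if its date is not after the trusted server time.
// Both sides are UTC instants, so the device's timezone setting plays no part.
function isEditable(entryDateIso, serverNow) {
  return Date.parse(entryDateIso) <= serverNow.getTime();
}

// history: changes in the order they were synced, each stamped by the device
// clock (updatedOn). Returns the change to keep and the changes to reject.
function auditHistory(history, serverNow) {
  const limit = serverNow.getTime() + SKEW_MS;
  const rejected = [];
  let keep = null;
  for (const change of history) {
    const ts = Date.parse(change.updatedOn);
    if (Number.isNaN(ts) || ts > limit) {
      rejected.push(change); // stamped in the future, or unparseable
    } else {
      keep = change;         // latest change with a plausible timestamp
    }
  }
  return { keep, rejected };
}

// Constructed sample: the third change was made with the device clock set ahead.
const SERVER_NOW = new Date("2024-03-10T12:00:00Z");
const SAMPLE_HISTORY = [
  { value: "8h",  updatedOn: "2024-03-09T17:00:00Z" },
  { value: "6h",  updatedOn: "2024-03-10T11:58:00Z" },
  { value: "10h", updatedOn: "2024-03-12T09:00:00Z" },
];

const result = auditHistory(SAMPLE_HISTORY, SERVER_NOW);
console.log("keep:", result.keep, "rejected:", result.rejected.length);
```

Running the audit on the server at sync time means the device clock is only ever treated as a claim to be checked, never as the reference.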