算法:在 python 脚本中停止无效的竞赛条目
我有一个 Android 移动应用程序,它实际上只是一个日历和日历。您可以单击某个日期&弹出一个密码。用户使用该代码参加比赛 - 他们按照链接进入比赛 HTML 页面(实际上是 python 脚本)&输入他们的详细信息以参加比赛。有 100 个小奖和 100 个小奖。 3个主要奖项。代码可以是非获奖代码,也可以为用户赢得奖品(小奖或大奖)。
因此它们将被重定向到: http://mycompetition.com/comp.py?code=ABCDEF< /a>
然后他们输入年龄、代码和密码。图像验证码(避免垃圾邮件发送者)和点击进入比赛。
我的问题:我很难想出一种算法来确保人们不会输入上述 URL 和内容。为 CGI 'code' 值设置一个随机代码值 &如果他们猜出正确的代码(或者他们使用机器人继续尝试),就会意外地赢得奖品。
您能想出一些办法来避免未购买该应用程序的人直接访问上面的网址吗?输入随机代码&一不小心就中奖了?
我的算法/想法:
- 代码长度为 12 个字符,这使得猜测代码的可能性非常小,但仍然有可能。我数学不好概率所以如果我使用 26 个字符 &代码中的 10 位数字作为潜在字符是否意味着(36 个字符 * 12 个通行证长度 * 103 个奖品)中猜对 1 个的概率?这种概率是否只有超级计算机(并不是说我相信任何人都会为我的电脑奉献一台超级计算机:P)能够猜出代码?
- 不要将奖品与代码关联起来。相反,只需让 Android 应用程序随机生成一些没有任何意义的代码即可。当他们参加比赛时,我只是随机给他们 1/10000(我不希望有接近 10000 人参加比赛)的奖励。要参加比赛,您必须输入您的年龄和年龄。代码 &然后输入验证码以避免垃圾邮件发送者。
- 您知道有没有更简单的算法可以避免未购买该应用程序的用户获得奖品?
编辑: - 每当下载应用程序时我都会查看他们的手机(无线部分)MAC 地址。第一次运行该应用程序时,我将该 MAC 地址上传到我的服务器,其中包含我的应用程序用户的 MAC 地址列表。当/如果他们发现密码时,他们会点击参加比赛并获得密码。被重定向到 http://mycompetition.com/comp.py?code=RANDOMMEANINGLESSGENERATEDCODE& uniqueID=USERSMACADDDRESS。在我的脚本中,我检查 uniqueID 是否在下载我的应用程序的用户列表中,如果不是,我不会继续,如果是,他们有 1/10000 的机会赢得奖品。你能看出这个算法有什么缺陷吗?
I have an Android Mobile App that is really just a calendar & you can click a certain date & a secret code pops up. The user uses that code to enter a competition - they follow the link to the competition HTML page(python script really) & enter their details to enter the competition. There are 100 minor prizes & 3 major prizes. A code can either be a non-winning code or it can win the user a prize(either the minor or major).
So they will be redirected to: http://mycompetition.com/comp.py?code=ABCDEF
Then they enter their age, code & image captcha(avoiding spammers) & click enter competition.
My Problem: I am having difficulty coming up with an algorithm to ensure that people just don't type in the above URL & put a random code value for the CGI 'code' value & accidentally win a prize if they guess a correct code(or they use a bot to keep trying).
Can you come up with any ideas to avoid someone who has not purchased the app just going to the url above & typing in a random code & accidently winning the prize?
My algorithms/ideas:
- Have the code 12 characters long which makes the probability of guessing the code very slim but still possible. I am bad with maths & probability so if I use 26 char & 10 digits as potential chars in the code does that mean the probability of guesing correct 1 out of (36 chars * 12 pass length * 103 prizes)? Does that probability leave only supercomputers(not that I believe anyones going to devote a super computer to my comp :P) able to guess the code?
- Dont associate a prize with a code. Instead just have the android app randomly generate some code that means nothing & when they enter the competition I just give them a random 1/10000 (I dont expect anywhere near 10000 entries into the comp) of winning a prize. To enter the competition you have to enter your age & the code & then enter a captcha to avoid spammers.
- Is there any easier algorithm you know of that avoids users who haven't purchased the app getting a prize?
EDIT:
- What about whenever the App is downloaded I look at their phones(wireless part) MAC address. On 1st run of the app I upload that MAC address to my server that contains a list of MAC addresses of users of my app. When/If they discover the secret code, they clikc enter competition & are redirected to http://mycompetition.com/comp.py?code=RANDOMMEANINGLESSGENERATEDCODE&uniqueID=USERSMACADDRESS. In my script I check that the uniqueID is in my list of users who downloaded my app, if it isn't I dont proceed, if it is they have 1/10000 chance of winning a prize. Can you see any flaws in this algorithm?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
使用 HMAC 根据您在 Android 应用程序和网站之间共享的密钥生成代码。作为 HMAC 的文本,您可以使用随机值(包含在结果代码中)或用户独有的值,例如他们的电子邮件地址(这意味着每个用户只能有一个有效代码)。如果代码的长度很重要,您可以截断 HMAC 生成的哈希值,但请记住,截断的哈希值越短,暴力攻击就越实用。
只要您的用户无法发现共享秘密,那么这就是安全的,因为攻击者必须随机猜测或尝试通过暴力来确定秘密。不过,由于代码在用户拥有的设备上运行,因此无法阻止他们从您的应用程序中提取代码。拥有 root 权限的手机和反汇编程序的用户可以相对轻松地完成此操作。为了解决这个问题,您可以混淆代码,并发布应用程序的新版本,每当您怀疑它已被泄露时,就在那里和网站上更新密钥。
最终,由于设备处于用户的控制之下,因此无法完全阻止用户生成自己的代码,但是使用上述方法,您可以使他们变得更加困难,并且使您更容易恢复从它。
Use an HMAC to generate the code based on a secret you share between the Android app and the site. As the text for the HMAC, you can use a random value, which you include in the resulting code, or something unique to the user, such as their email address (meaning that each user can only have one valid code). If the length of the code is important, you can truncate the hash produced by the HMAC, but bear in mind that the shorter you truncate it, the more practical a brute-force attack is.
As long as your users cannot discover the shared secret, this will be secure insofar as an attacker would have to guess at random, or attempt to determine the secret by brute force. Since the code runs on user-owned devices, though, there's no way to prevent them from extracting the code from your app. A user with a rooted phone and a disassembler could do this relatively easily. To combat that, you could obfuscate the code, and release new versions of the app, updating the secret key there and on the site, whenever you suspect it's been compromised.
Ultimately, because the device is in the user's control, there's no way to totally prevent users from generating their own codes, but using an approach such as the one above, you can make it much more difficult for them, and easier for you to recover from it.