iOS GKMatch didReceiveData: fromPlayer: security

I am working on a networked iOS game.

In its GKMatch class reference, Apple has this to say:

Important: Data received from other players should be treated as untrusted data. Be sure to validate the data you receive from the match and write your code carefully to avoid security vulnera开发者_运维百科bilities. See the Secure Coding Guide for more information.

Now I don't think anybody is going to care about hacking my little game. If someone were able to use it to hack into someone else's phone, that would be another matter.

I am typically using the received data to create an object via the decodeObjectForKey: method.

What, if anything, do I need to do?

You could check that received scalar values, like ints and floats, are within ranges that make sense for your game. For example, if your game is coded so that the maximum attainable score is 100 units, you should discard a received scalar representing a score that's more that the maximum.

For strings, you should check that their length is sensible, e.g., a string for a player name should probably be less than 50 chars. If you're using strings with some specific format, e.g., @"kMyGameHighScoreKey", you should check that the received string conforms to that format.

The general idea is that you check that what you receive is only what makes sense for your game and nothing more. In any other case, you should discard the received data.

If I understand correctly, in your case you're receiving just a string that you're then using as a key to read some data from local storage. You should check that the received string is indeed one of the expected keys before using it with the decodeObjectForKey: method. Do not blindly use the (converted) NSData* argument of didReceiveData: as the key in decodeObjectForKey:.