Wednesday, July 6, 2011
Why client-side verification is bad..
As a programmer, you should really know that you can't trust anything you put in the hands of someone else. If you're writing a web, mobile or desktop application that talks to your server, you can't trust that someone won't subvert the local software. As such, you can't rely on it to do authentication or parameter verification. (As noted in the comments below, it's not a sin to perform checks on the client side -- just don't *trust* that they were performed.)
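As an added illustration of that point (example code written for this page, not Zynga's code, not the game's real protocol, and not part of the original post), here is a toy move-acceptance handler for a word game in two forms: one that trusts a "this word is valid" flag sent by the client, and one that ignores that flag and re-checks the word on the server. The `VALID_WORDS` dictionary, the `Move` structure and all function names are assumptions made for the illustration; the third function shows the detection signal a server gets for free once it validates itself.

```python
"""Added example (not from the original post): a simplified move endpoint
for a word game. VALID_WORDS, Move and the function names below are
assumptions for this illustration, not any real game's code or protocol.
"""
from dataclasses import dataclass

# Constructed sample dictionary standing in for the server's real word list.
VALID_WORDS = frozenset({"word", "friend", "play", "tile"})


@dataclass(frozen=True)
class Move:
    player_id: str
    word: str
    client_says_valid: bool  # set by the client app after its own local check


def accept_move_trusting_client(move: Move) -> bool:
    """Weak form: the server relies on the client's verdict.

    A modified client can send client_says_valid=True with any string,
    so this accepts whatever the client claims.
    """
    return move.client_says_valid


def accept_move_server_validated(move: Move) -> bool:
    """Hardened form: the client's flag is not consulted at all.

    The client may still check locally for a snappier UI; the server just
    never trusts that the check happened, and repeats it with its own data.
    """
    word = move.word.strip().lower()
    if not word.isalpha():  # reject empty strings, digits, punctuation
        return False
    return word in VALID_WORDS


def flag_tampering(move: Move) -> bool:
    """Detection hook: a move the client marked valid but the server
    rejects is a strong hint of a modified (or badly buggy) client and is
    worth logging against move.player_id."""
    return move.client_says_valid and not accept_move_server_validated(move)


if __name__ == "__main__":
    # Constructed sample traffic: one honest client, one tampered client.
    honest = Move("alice", "friend", True)
    tampered = Move("mallory", "zzqx", True)
    for m in (honest, tampered):
        print(m.player_id, "trusting:", accept_move_trusting_client(m),
              "validated:", accept_move_server_validated(m),
              "tampering?", flag_tampering(m))
```

The only difference between the two acceptance functions is where the authoritative check runs. Keeping the client-side check is fine for user experience; the server-side one is the only one that counts, and the disagreement between the two is a useful audit signal.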
I recently looked into Zynga's "Words with friends" mobile application, and to my surprise discovered that it did client-side verification of the words you are playing.
It wasn't very hard to circumvent this, resulting in a version which accepts moves like the above one..