How to prevent time cheat?

Hi, I’m stuck, I don’t know how to prevent the user from faking the time.
I’m developing an app that stores the current datetime of entry and exit of work on button tap.

Give me some ideas please, thanks!

PS: no internet connection, so time servers don’t work

For what purpose?
If you want it cheat-safe, use a server; otherwise you could check if the user already opened the app at a future point in time and prevent the reward or whatever you want to do.

It’s not a phone game, it’s an attendance registry for employees, like a registry clock… I hope I have explained myself properly.

I would strongly recommend using some kind of server for this serious purpose. (maybe a local one)

Yeah, you need a backend that assigns time stamps. There’s no way to do this in front-facing web programming.

OK, I’ll keep trying, I think I can resolve it… I will post my progress… maybe using autostart and background mode can be a solution.

When a user can change the time, he can also close a background app.

And what about a user who pushes the buttons at the weekend or when he is sick? I think you should hang an NFC scanner / Bluetooth beacon or something like this on the wall that records entry and exit in a central database on a server. Or are you making an app for remote employees?

Yes, it is for people who work in the countryside. 90% of the app is finished; it uses geolocation and also has server-side development. 1 day every 5 days the phone has an internet connection and syncs with the server, but I’m still stuck on how to prevent fake time.

Hello,

Maybe you can use the timestamp from geolocation. GPS signals have their own time, but I do not know if the timestamp from the geolocation plugin comes from the GPS signal or from the device.

By the way, this kind of controlling people is not always a good idea.

Best regards, anna-liebt

Perhaps the button can send an SMS with a user ID to a number.

This moves the problem to the server side. When the SMS arrives, the server creates the timestamp and saves the record, or sends a timestamp back via SMS.

Google says there are some SMS providers with an API.

This is an interesting engineering problem. I don’t have a more intelligent solution than what has already been discussed (for now). I’m wondering if we can get some more insight into this “check in/check out” process and ensure we don’t fall into the XY problem trap.

I can imagine this to be a legitimate ask for remote factories, for example. The questions I have for you:

  • When a person “checks in” and/or “checks out”, are they at a specific location? In most cases, check-in/out happens at the point of entry or exit.
  • What is the nature of work if it can be disclosed? Is there any other way to track progress besides time?
  • Assuming you never had an app to begin with. How would a manager eventually identify folks who are not working?

A serverless solution will likely be quite complex to get right. To get you thinking in more detail:

  • Android provides a mechanism to latch on to an “intent” that gets broadcast when the time has changed. I don’t think iOS has this feature and I don’t know how reliable this intent is. There was a thread about it some time ago. The plugin is here
  • I like the SMS idea, if it’s possible. However, to my knowledge, at least in iOS (maybe Android, don’t know) there is no way to automatically send an SMS. You can only launch a composer with a message. Obviously, you don’t want the user to change the message. Trying to figure out how to do that even if the message is encrypted with a unique server key is hard, since the original content is faked here (time). The only way I can think of is a 2-way SMS-based exchange to compare local/server time, but we are essentially re-inventing the auth channel over SMS and adding layers of UI complexity and awkwardness.
  • The GPS idea was nice too, unfortunately, GPS timestamps are locally generated (as hinted above by the author)
  • There are solutions on the net that basically compute “elapsed” that don’t change if local time is changed, but fail on reset (see this)
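The “elapsed time” approach from the last bullet above, combined with the server-stamped sync the original poster describes, as an added example that is not part of any post in this thread. The record fields `wall`, `mono` and `bootId` and the function `auditPunches` are hypothetical names; the sketch assumes the app can read a since-boot counter through a native plugin.

```javascript
// Added example: server-side audit run when the phone finally syncs.
// Assumed (hypothetical) record fields, not from any plugin on this page:
//   wall   - device wall-clock time in ms (the user can change it in settings)
//   mono   - ms since boot (e.g. Android SystemClock.elapsedRealtime());
//            unaffected by changing the clock, but restarts on reboot
//   bootId - a value that changes on every boot
function auditPunches(punches, syncNow, serverNowMs, lastSyncServerMs, toleranceMs = 60000) {
  return punches.map((p) => {
    if (p.bootId !== syncNow.bootId) {
      // Rebooted since this punch: the elapsed counter restarted, so the
      // punch can only be bounded by the two server-stamped syncs.
      const inWindow = p.wall >= lastSyncServerMs && p.wall <= serverNowMs;
      return { ...p, trustedMs: null, status: inWindow ? 'unverifiable' : 'out-of-window' };
    }
    const ageMs = syncNow.mono - p.mono; // age of the punch, measured without the wall clock
    if (ageMs < 0) return { ...p, trustedMs: null, status: 'inconsistent' };
    const trustedMs = serverNowMs - ageMs; // server clock minus elapsed time
    const ok = Math.abs(p.wall - trustedMs) <= toleranceMs;
    return { ...p, trustedMs, status: ok ? 'ok' : 'clock-mismatch' };
  });
}

// Constructed sample data: a sync at serverNow, previous sync 5 days earlier.
const HOUR = 3600000;
const serverNow = Date.UTC(2024, 0, 10, 12, 0, 0);
const lastSync = serverNow - 5 * 24 * HOUR;
const syncNow = { bootId: 'b2', mono: 50 * HOUR };
const samplePunches = [
  { id: 1, bootId: 'b2', mono: 46 * HOUR, wall: serverNow - 4 * HOUR },  // honest clock
  { id: 2, bootId: 'b2', mono: 47 * HOUR, wall: serverNow - 5 * HOUR },  // clock set back 2 h
  { id: 3, bootId: 'b1', mono: 10 * HOUR, wall: serverNow - 80 * HOUR }, // before a reboot
  { id: 4, bootId: 'b1', mono: 11 * HOUR, wall: serverNow + 2 * HOUR },  // dated in the future
];
const sampleResult = auditPunches(samplePunches, syncNow, serverNow, lastSync);
console.log(sampleResult.map((r) => `${r.id}: ${r.status}`).join('\n'));
```

`mono` and `bootId` are reported by the device itself, so this flags a clock changed in the settings screen but not a modified app. Punches made before a reboot cannot be anchored and are only bounded by the two sync times.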

It is literally impossible without a server. As in, can be proved mathematically.

If you don’t have your own server, one way forward is to use a Time Stamp Authority server. There are some that are free or at least have free trials. The idea is: you query the server, and get a timestamp that is signed with a hash function so a counterfeit would be easy to detect.

(emphasis mine) On a completely unrelated sidenote, I presume you used the word literally to mean exactly? The only reason I ask is that literally has unfortunately evolved to have different meanings. Is this a problem that has been mathematically proved to be unsolvable and if so, would you have a link? I’m not questioning your statement; you may well be correct. I’m just curious if this is a case of ‘it’s not worth it to solve as it’s too complex’ or if it actually is impossible to do even if you had all the time(!) in the world to solve.

Another idea.

If you sync your data with your server, your app gets a timestamp and a key.

Then the app generates a new key every minute.

This key is the timestamp.

When you sync again you send the last timestamp and the keys to your server and the server can reproduce the real timestamps.

It is like my bank key, isn’t it?

And no, I have no idea how to put this in code.

Local storage…
Save every minute a key with index from 0 to n.

Hmmmm…

“If you had all the time in the world” is a different problem, closely connected with cryptocurrency. If you want a trusted timestamp that takes “no time” to compute, you need a trusted authority.

The point is, you need to generate a timestamp that can’t be counterfeited. To do that, you need a function that is easy to compute, but can’t be reversed easily, such as a cryptographic hash function. But for that to matter, you need to ensure that the initial input to the hash function is not false. That’s what the trusted authority buys you, that you can’t get otherwise. If you allow the hash function to be hard to compute both forwards and backwards, then the authenticity of the input can lie in the amount of work required for the computation itself. That’s the value traded by a cryptocurrency, in a sense – the amount of work required to perform the computation. Then the initial input does not matter, the process is what counts.

OK. I think I might be familiar with how trusted time stamping works in blockchains. Drawing up an analogy, the “genesis block” is, say, the “first time the app is used” and assumed to be “true input”. The difference here is that in blockchains the computationally hard part is to try and modify the past ledger that has been attached. In the OP’s case, the problem is with the new “transaction” for which the hash has yet to be generated.

Now it’s true that the solutions pointed to do use a trusted time authority, but I’m curious if an offline mode is actually impossible to do and has been proven so?

Who tells you the time? I think your implicit assumption here is that the user’s clock is accurate. But that already assumes existence of a trusted authority. Someone has to decide what time it is.

Which platform/devices are we talking about?

Just another idea, which is not programmatically tackling this issue:
There might be some MDM/MAM systems that could prevent the user from changing the local time on the phone. At least I know that Samsung SAFE and Windows have options for this.

Was that a question for me? If so, no, I absolutely do not think the user’s clock is accurate. That is the reason I find this problem interesting with practical implications. I was trying to explore options where we can defeat the manual cheating of system time without requiring a network connection. Or more generally, find a mechanism that is able to detect if a user cheated when they eventually complete the logging after 5 days.