Slashdot Mirror
Ask Slashdot: How Serious Is Hacking In Mobile Games?
Origen writes: As a developer contemplating trying out the mobile game scene, a GDC session about hacking/tampering looked interesting — but I wasn't able to attend. The presentation isn't available online, but it was paired with a whitepaper [contact details required], which can be downloaded. I'm surprised by some of the information presented and the potential for damage/mischief. Not so much that these issues are unheard of — they've existed for years on other platforms. What I find surprising is the lack of support at the OS level on mobile devices to defend from many of these types of hacks. Have we learned nothing from the pains of the past? How significant are the points about hacking/piracy in the mobile space that are discussed by this whitepaper?
OS level protection wouldn't do much if someone's really dedicated, they'll just remove those protections if needed. Assume everything coming through an internet connection is compromised, don't trust your game client.
People already think Apple's walled garden and sandboxing go overboard. Remember that legit developers have to pay Apple $99/year just to develop+run an app on their own device. Apple also has a long list of requirements about what your app not allowed to do. I'd really hate to see what they do if they got *serious* about locking down the platform.
Blocking any form of "hacking" will also hurt legitimate users. For example, being able to install an APK manually, not every devices come with the Google Play store and quite frankly the Amazon appstore is extremely lacking compared to the Play store. So being able to install apk is a life saver.
Removing similar features will just hurt the userbase even more.
On the contrary, mobile devices and hardware are awash in security features. Hardware based chain-of-trust, encrypted storage, signed applications, detailed permissions... these are all lessons learned from their big brother operating systems. Modern mobile OSes are actually far more difficult to maliciously subvert than PC systems, but of course, many of those features mean they're also closed systems, and aren't nearly as flexible. It's definitely a trade off. We see that pretty clearly with Android vs iOS, where iOS has a miniscule amount of malware simply by virtue of being a closed system.
In terms of game development, I think the focus is more on hacking the client than hacking the OS. As a former MMO dev, the rule was that you really can't trust *anything* the client gives you. Simple as that. It makes development a hell of a lot harder, but time and time again we see new MMOs or multiplayer games (presumably created by inexperienced developers) that break this cardinal rule and get hacked all to hell and back.
Irony: Agile development has too much intertia to be abandoned now.
Complex topic, I would "no" at least in the scope "should you as a developer take significant steps to prevent hacking"
Consider following: ;)
1) The whitepaper is from a company selling services for this, they want to paint a grim picture
2) Like PC with piracy, Android/jailbroken iOS piracy is likely something you can't solve, but it will take a lot of time & money to fight
3) People downloading pirated games are pretty much lost audience, they were not planning to buy upfront anyhow
4) Anti-piracy measures can piss off your real customers. This is much bigger risk in mobile where it's really easy to just move along
5) If you can detect pirated users, feel free to "up the ante" in ads to full page interstitials, etc.
So, worry about making a good game, follow best practices about validating IAP results, but let Apple & Google worry about securing APIs
We don't need "OS level protections". It's your phone, you control all the code on it. Same as on your PC. Are you really fucking bitching that phones don't have enough fucking DRM? I'm sure glad to give up all my freedoms so some teenager can't cheat in clash of fucking clans.
Most of the advises given (if not all) are ineffective and in some cases make things worse.
Code and data obfuscation only provides false sense of security (and a large paycheck for your "security" vendor) - If i have access to binaries, have root OS access and skills to de-compile the app, obfuscation/encryption (with local key) is only a small nuisance (compared to skill required for decompilation/repackaging/on-the-fly modification)
Moving data to server-side provides a simpler attack-vector - i can MTM the (hopefully) secure connection and alter data sent to app - i don't even have to decompile the app to hack it
On-the-fly binary validation does not work (again, if i have OS level access) - i can disable/fake it.
The numbers in the paper are classic marketing bull - when are you more likely to buy an 99$ in-app purchase?
- if you can do it for free (Apple MTM bug)
- if you actually have to pay for it
TLDR:
You can't protect against hacking/repackaging if the hacker has access to binaries and root.
You can't protect against data modification if the hacker can install hes own CA on the device.
You can't pirate free apps. The question for these become; how rampant is piracy or hacking for getting the in-game stuff for free.
Ever hear of Candy Crush Saga?
Ever hear of CandySwipe? That's the game that came out 2 years BEFORE Candy Crush Saga (http://www.snopes.com/politics/business/candycrush.asp).
Of course, it continues to boil down to being clones / copies of earlier games (Bejewelled for example).
Artwork, design, music, sounds, ideas, most (if not all) are being stolen like crazy in the mobile market. If you don't have a thick skin, don't get into it. Chances are, you spend months, if not years, crafting a beautiful game and release it at $0.99 in the store to only find a cheap copy of it in less than a week on the F2P model from some backwoods out of country developer.
Are you planning on using a service like FGL.com to find sponsors? They offer help and a better community on how to protect your game.
This is always been the solution, even after such massive failures as the Valve Anti-Cheat System on PCs. Have the game analyze the size, name, and even hash of all its files when it opens. If they're different than a preapproved list that's loaded into memory for milliseconds after being unencrypted with an enormous hard-wired password, refuse to open the game. That's moderately secure, assuming they can't get to the hard wired password.
Have the client record input log during gameplay and submit it to the server once the game completes, then replay it on the server when verifying a submitted score. If you really want to block an offline tool-assisted speedrun, require the client to submit a piece of the input log every five seconds or so.
If it's single player, don't bother.
On some popular video game platforms, no major single-player game is truly single-player. For a decade, it has become a race among friends to get the achievements first.
Reading the whitepaper, the whole thing seems like it's focused on promoting Arxan's services. It's entirely possible that the presentation itself took a different tone/direction, but the whitepaper itself was fairly contentless sprinkled with a few good points about older MITM attacks exploiting the In-App purchases for iOS and the high piracy rates on Android in China and Russia.
Really that last part is the thrust of the article -- high piracy rates for which they don't really offer any solution except DRM and always-online games. (To their credit, they do make the recommendation of "some sort of protection on the networking layer, in-memory layer, and on disk layer...as well as portions dealing with receiving and unpacking the player's saved game or state.")
Everything else was either misleading, fairly obvious non-suggestions, or just plain outdated information.
Examples:
- Whitepaper dedicates a section to lost revenue from a MITM attack allowing iOS users to get in-app purchases for free. The reference they use is a 2012 article from the Guardian talking about how Apple already fixed it. Specifically, this was relating to iOS 5 and has since been resolved. While Jailbreak options still exist, the whitepaper does not mention these nor does it discuss any other actual leak.Referenced Article
- Whitepaper has section on Flappybird clones which reads:
...However, by March 2014, approximately 60 Flappy Bird clones a day were being added to the iOS App Store...Worst of all -- a reported 79% of these clones contained malware.
This section has a reference that points to a McAfee threat report from June 2014 - as the section reads, "these" refers to the clones on the iOS App Store, however, the McAfee report clearly shows that this is Android stores that are plagued, not iOS. http://www.mcafee.com/us/resou... Page 6
- Whitepaper has a section on how hackers damage communities, which is not incorrect, however, they provide the following "helpful" tips:
While these are not bad suggestions, they're also absolutely common sense for mobile game developers, or just people dealing with problems in general.
The submitter is absolutely right that this could have been a really keen presentation, but based on what they produced in the whitepaper, it sounds like a business trying to drum up some more business for themselves with misleading and/or useless information.
"As a developer contemplating trying out the mobile game scene, a GDC session about hacking/tampering looked interesting .. Have we learned nothing from the pains of the past?"
...
I would ask anyone in developing connected devices. What happened the last time you tried to hack your own device? And if the answer is you haven't even tried then most definitely you've learned nothing about security. If the underlying OS can't prevent hackers walking all over your memory then it's GAME OVER
You can't pirate free apps. The question for these become; how rampant is piracy or hacking for getting the in-game stuff for free.
If you put out an app, it will get hacked. It has been this way since the 70's. Nothing has fucking changed, 'cept the Twenty somethings that do NOT know computer history at all and thinks everything is new.
If you are a developer, the app you put out will be hacked. Always has been, always will be, nothing will change that. The question is, as the developer and knowing your app will be hack, how do you respond? Do you then fuck over your paying customers by putting in draconian DRM, or do you make a program that rocks because you know the word of mouth is probably your best review system?
The choice is up to you, the developer. Do you harvest good will with your customers, or do you be a EA/Ubisoft and shit on your customers?
Be seeing you...
Only problem with that logic is that EA and Ubisoft are quite successful right now, which only sets an example that extreme DRM, DLC, and releasing only a few hours worth of content and calling it a game is the way to earn money in the industry. Especially with consoles where there is a 0% piracy rate and the game developers control everything on that platform.
Of course, it would be nice to see another ID or Bioware. I'm sure there is money to be made on games with a long tail like Neverwinter Nights and NWN2 [1]. However, there just doesn't seem to be an interest to push in that direction. It seems that almost all newer games either fall into the bottomless pit of F2P-P2W or are part a mediocre sequel in a franchise. Even the SimCity app on the phone was all about IAP in order to make your city not suck.
[1]: Ignore the NWN OC... IMHO, that was more of a demo of what one can do with the toolkit than something playable.
In Simpsons tapped out, a typical time-waster of a moblie game, free with premium content, players found an exploitable bug allowing them what is basically infinite money. IIRC they handled it this way :
- they fixed the bug
- they referred to the hack an in-game event (the moral being of course : you won't get any fun by hacking)
- they gave a special item to everyone that didn't use the exploit
- they didn't penalize those who did (except by not giving them the special item)
I found it was a wonderful way to handle the situation : they didn't punish the hackers, they simply told that the non-hackers were way cooler.
For an indie developer, the real problem is that almost nobody can get a significant number of players in such an over-crowded, competitive marketplace unless they have a hugely popular brand (famous movie, famous developer, famous game company, something), or millions of dollars in marketing money.
Given that your indie title with no marketing "oomph" behind it is 99.999% likely to not get a large number of players or make significant money, fixing any potential security problems in it is almost always going to be a waste of your time. Unless you're just doing this hobby to learn game security programming. If you're doing this hobby to learn fun gameplay programming, physics engines, client server coding, etc. don't worry about the security piece too much. (If you want to learn EVERY detail of game programming from your hobby, sure, learn security too.)
It's not like 1000 people are modding the files in 1000 ways.
Yet.
Virus authors figured out polymorphic code long ago. Now imagine one jackass making a program that shuffles the order of blocks of code in the hack so that you have 1000 files all different but with identical behavior. Thus blacklisting fails for wallhack and aimbot detection the same way it has been shown to fail for virus detection.