Slashdot Mirror


Ask Slashdot: How Serious Is Hacking In Mobile Games?

Origen writes: As a developer contemplating trying out the mobile game scene, a GDC session about hacking/tampering looked interesting — but I wasn't able to attend. The presentation isn't available online, but it was paired with a whitepaper [contact details required], which can be downloaded. I'm surprised by some of the information presented and the potential for damage/mischief. Not so much that these issues are unheard of — they've existed for years on other platforms. What I find surprising is the lack of support at the OS level on mobile devices to defend from many of these types of hacks. Have we learned nothing from the pains of the past? How significant are the points about hacking/piracy in the mobile space that are discussed by this whitepaper?

11 of 86 comments

  1. If you don't control it it's compromised. by Anonymous Coward · · Score: 2, Informative

    OS level protection wouldn't do much if someone's really dedicated, they'll just remove those protections if needed. Assume everything coming through an internet connection is compromised, don't trust your game client.

    1. Re:If you don't control it it's compromised. by rioki · · Score: 5, Interesting

      I would simply take the same approach you should take with PC games. If it's single player, don't bother. You are wasting resources, resources you can use to make your game just a little more awesome. (more awesome == more sales) With multiplayer games, the key point is the server. The server should not trust clients and use heuristics to detect suspicious behavior. Then give administrators the means to moderate their users. (Or a vote system.) Bad behavior is a real issue with multiplayer games, but that is not limited to cheating.

      But since we are talking about mobile games; are users cheating you on the premium currency? Treat it like any other piracy, ignore it and try to win users by making the cooler more awesome game. Maybe communicate that you are an independent developer and need the money to make games.

    2. Re:If you don't control it it's compromised. by wonkey_monkey · · Score: 4, Interesting

      the key is to not trust the client. for highscores/top-times, run a simulation of the game run on the server from the inputs.

      How do you know you can trust the reported inputs? And you can't run a simulation if your game has (truly) random elements, nor can you allow for all device idiosyncrasies.

      Now if you'll excuse me, I need to continue work on my Arduino-controlled Wiimote holder so I can finally get a perfect game on Bit.trip Beat.

      --
      systemd is Roko's Basilisk.
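The server-side replay idea quoted in this comment, as an added sketch (not code from any commenter or game): the server issues and signs the random seed, then recomputes the score from the submitted input log. It checks only that the claimed score follows from the inputs, not who or what produced them; the toy lane game and all names here are assumptions.

```python
import hashlib
import hmac
import random
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process signing key
MAX_TICKS = 1000                      # assumed upper bound on run length

def _seed_tag(player_id, seed):
    msg = f"{player_id}:{seed}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_run(player_id):
    """Server picks the seed and signs it so the client cannot swap it later."""
    seed = secrets.randbits(64)
    return seed, _seed_tag(player_id, seed)

def simulate(seed, inputs):
    """Toy deterministic game: each tick a coin appears in lane 0-2 and the
    player scores 10 when the input for that tick names the same lane."""
    rng = random.Random(seed)
    score = 0
    for move in inputs:
        if move == rng.randrange(3):
            score += 10
    return score

def verify_submission(player_id, seed, tag, inputs, claimed_score):
    """Accept a high score only if a server-side replay reproduces it."""
    if not hmac.compare_digest(_seed_tag(player_id, seed), tag):
        return False, "seed not issued to this player"
    if len(inputs) > MAX_TICKS or any(m not in (0, 1, 2) for m in inputs):
        return False, "malformed input log"
    actual = simulate(seed, inputs)
    if actual != claimed_score:
        return False, f"claimed {claimed_score}, replay gives {actual}"
    return True, "ok"
```
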
  2. Nothing learned? by Dutch+Gun · · Score: 3, Informative

    On the contrary, mobile devices and hardware are awash in security features. Hardware-based chain-of-trust, encrypted storage, signed applications, detailed permissions... these are all lessons learned from their big brother operating systems. Modern mobile OSes are actually far more difficult to maliciously subvert than PC systems, but of course, many of those features mean they're also closed systems, and aren't nearly as flexible. It's definitely a trade-off. We see that pretty clearly with Android vs iOS, where iOS has a minuscule amount of malware simply by virtue of being a closed system.

    In terms of game development, I think the focus is more on hacking the client than hacking the OS. As a former MMO dev, the rule was that you really can't trust *anything* the client gives you. Simple as that. It makes development a hell of a lot harder, but time and time again we see new MMOs or multiplayer games (presumably created by inexperienced developers) that break this cardinal rule and get hacked all to hell and back.

    --
    Irony: Agile development has too much inertia to be abandoned now.
    1. Re:Nothing learned? by Dutch+Gun · · Score: 2

      I should clarify that statement a bit: nothing related to actual game state from the client can be trusted. In other words, for instance, you wouldn't rely on the client performing hit-detection and telling the server "I just attacked and hit this creature for x damage". Instead, you would only relay the raw input commands (e.g. "I just pressed the command to cast a fireball") from the client to the server, and it's the server that processes all the game logic, then sends the result back to the client as to whether it hit or not, what the effect was, and so on. The client is really just a dumb terminal with fancy graphics and sound fx.

      Of course, the client also has a full set of local collision data and local agent positions, so it can more or less predict what will happen on the server in advance, especially regarding your character, since it obviously knows how you're planning to control before the server does. This is important to reduce the apparent effect of network latency. Otherwise, the game would feel horribly laggy, especially when moving your character around and firing off spells or skills. Client-side prediction is a pretty old technique for networked videogames, but generally has to be uniquely tailored and tuned for each game you make.

      --
      Irony: Agile development has too much inertia to be abandoned now.
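The server-authoritative flow described in this sub-thread, as an added sketch that is not from any commenter or game: the client sends only an input command, and the server decides range, cooldown and damage from its own state. All names (`World`, `handle_command`) and the fireball numbers are assumptions made for illustration.

```python
import math
import random
from dataclasses import dataclass, field

FIREBALL_RANGE = 10.0      # assumed game rule
FIREBALL_COOLDOWN = 2.0    # seconds, assumed
FIREBALL_DAMAGE = (8, 12)  # inclusive roll range, assumed
ALLOWED_FIELDS = {"cmd", "target"}

@dataclass
class Entity:
    x: float
    y: float
    hp: int = 100
    last_cast: float = -math.inf

@dataclass
class World:
    entities: dict
    rng: random.Random = field(default_factory=random.Random)

    def handle_command(self, player_id, msg, now):
        """Resolve one client command using only server-side state."""
        # Reject anything beyond the raw input: fields such as "damage" or
        # "hit" are game state the client has no authority over.
        extra = set(msg) - ALLOWED_FIELDS
        if extra:
            return {"ok": False, "reason": f"unexpected fields: {sorted(extra)}"}
        if msg.get("cmd") != "cast_fireball":
            return {"ok": False, "reason": "unknown command"}
        caster = self.entities[player_id]
        target_id = msg.get("target")
        target = self.entities.get(target_id) if isinstance(target_id, str) else None
        if target is None:
            return {"ok": False, "reason": "no such target"}
        if now - caster.last_cast < FIREBALL_COOLDOWN:
            return {"ok": False, "reason": "cooldown"}
        caster.last_cast = now
        # Hit detection uses the server's positions, not the client's.
        dist = math.hypot(target.x - caster.x, target.y - caster.y)
        if dist > FIREBALL_RANGE:
            return {"ok": True, "hit": False, "damage": 0}
        damage = self.rng.randint(*FIREBALL_DAMAGE)
        target.hp = max(0, target.hp - damage)
        return {"ok": True, "hit": True, "damage": damage, "target_hp": target.hp}
```
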
  3. OS Level protections = DRM by cfalcon · · Score: 4, Insightful

    We don't need "OS level protections". It's your phone, you control all the code on it. Same as on your PC. Are you really fucking bitching that phones don't have enough fucking DRM? I'm sure glad to give up all my freedoms so some teenager can't cheat in clash of fucking clans.

    1. Re:OS Level protections = DRM by cfalcon · · Score: 3, Interesting

      As a note: a lot of games already try to detect jailbroken iphones and refuse to play. Because OBVIOUSLY, if you are jailbroken, it must be to cheat at their stupid games. That's like refusing to run if your machine has a local admin account, or the root user has a fucking shell attached. Ludicrous.

      Anyone who wants more of this shit hasn't had the first thought on the topic yet.

    2. Re:OS Level protections = DRM by renderhead · · Score: 3, Informative

      I know this is a troll, but in case anyone is misled I want to clear up a factual error:
      Jailbroken iPhones absolutely can make purchases from the App Store. I have a history of jailbreaking my phones when they get old to enable certain mods and extensions that are not supported by Apple (for example, I had a notification center on my iPhone before Apple released theirs in iOS 7). It didn't change anything about the way I ran or installed my official App Store apps, and I never downloaded a pirated app.

      --
      I wish that my inferiority complex were as good as yours.

      -RenderHead

  4. The paper is marketing bull by nomaddamon · · Score: 3, Interesting

    Most of the advice given (if not all) is ineffective and in some cases makes things worse.

    Code and data obfuscation only provides a false sense of security (and a large paycheck for your "security" vendor) - If I have access to binaries, have root OS access and skills to de-compile the app, obfuscation/encryption (with local key) is only a small nuisance (compared to skill required for decompilation/repackaging/on-the-fly modification)

    Moving data to server-side provides a simpler attack-vector - I can MTM the (hopefully) secure connection and alter data sent to app - I don't even have to decompile the app to hack it

    On-the-fly binary validation does not work (again, if I have OS level access) - I can disable/fake it.

    The numbers in the paper are classic marketing bull - when are you more likely to buy a 99$ in-app purchase?
    - if you can do it for free (Apple MTM bug)
    - if you actually have to pay for it

    TLDR:
    You can't protect against hacking/repackaging if the hacker has access to binaries and root.
    You can't protect against data modification if the hacker can install his own CA on the device.

  5. Re: Take a page from the China mobile game scene by MenThal · · Score: 3, Insightful

    You can't pirate free apps. The question for these becomes: how rampant is piracy or hacking for getting the in-game stuff for free.

  6. They handled it well in Simpsons tapped out by GuB-42 · · Score: 2

    In Simpsons tapped out, a typical time-waster of a mobile game, free with premium content, players found an exploitable bug allowing them what is basically infinite money. IIRC they handled it this way:
    - they fixed the bug
    - they referred to the hack an in-game event (the moral being of course : you won't get any fun by hacking)
    - they gave a special item to everyone that didn't use the exploit
    - they didn't penalize those who did (except by not giving them the special item)

    I found it was a wonderful way to handle the situation : they didn't punish the hackers, they simply told that the non-hackers were way cooler.