Ask Slashdot: How Serious Is Hacking In Mobile Games?

Origen writes: As a developer contemplating trying out the mobile game scene, a GDC session about hacking/tampering looked interesting — but I wasn't able to attend. The presentation isn't available online, but it was paired with a whitepaper [contact details required], which can be downloaded. I'm surprised by some of the information presented and the potential for damage/mischief. Not so much that these issues are unheard of — they've existed for years on other platforms. What I find surprising is the lack of support at the OS level on mobile devices to defend from many of these types of hacks. Have we learned nothing from the pains of the past? How significant are the points about hacking/piracy in the mobile space that are discussed by this whitepaper?

Re:If you don't control it it's compromised.

[rioki]

I would simply take the same approach you should take with PC games. If it's single player, don't bother. You are wasting resources, resources you can use to make your game just a little more awesome. (more awesome == more sales) Wit multiplayer games, the key point is the server. The server should not trust clients and use heuristics to detect suspicious behavior. Then give administrators the means to moderate their users. (Or a vote system.) Bad behavior is a real issue with multiplayer games, but that is not limited to cheating.

But since we are talking about mobile games; are users cheating you on the premium currency? Treat is like any other piracy, ignore it and try to win users by making the cooler more awesome game. Maybe communicate that you are an independent developer and need the money to make games.

Nothing learned?

[Dutch+Gun]

On the contrary, mobile devices and hardware are awash in security features. Hardware based chain-of-trust, encrypted storage, signed applications, detailed permissions... these are all lessons learned from their big brother operating systems. Modern mobile OSes are actually far more difficult to maliciously subvert than PC systems, but of course, many of those features mean they're also closed systems, and aren't nearly as flexible. It's definitely a trade off. We see that pretty clearly with Android vs iOS, where iOS has a miniscule amount of malware simply by virtue of being a closed system.

In terms of game development, I think the focus is more on hacking the client than hacking the OS. As a former MMO dev, the rule was that you really can't trust *anything* the client gives you. Simple as that. It makes development a hell of a lot harder, but time and time again we see new MMOs or multiplayer games (presumably created by inexperienced developers) that break this cardinal rule and get hacked all to hell and back.

OS Level protections = DRM

[cfalcon]

We don't need "OS level protections". It's your phone, you control all the code on it. Same as on your PC. Are you really fucking bitching that phones don't have enough fucking DRM? I'm sure glad to give up all my freedoms so some teenager can't cheat in clash of fucking clans.

Re:OS Level protections = DRM

[cfalcon]

As a note: a lot of games already try to detect jailbroken iphones and refuse to play. Because OBVIOUSLY, if you are jailbroken, it must be to cheat at their stupid games. That's like refusing to run if your machine has a local admin account, or the root user has a fucking shell attached. Ludicrous.

Anyone who wants more of this shit hasn't had the first thought on the topic yet.

Re:OS Level protections = DRM

[renderhead]

I know this is a troll, but in case anyone is mislead I want to clear up a factual error:
Jailbroken iPhones absolutely can make purchases from the App Store. I have a history of jailbreaking my phones when they get old to enable certain mods and extensions that are not supported by Apple (for example, I had a notification center on my iPhone before Apple released theirs in iOS 7). It didn't change anything about the way I ran or installed my official App Store apps, and I never downloaded a pirated app.

The paper is marketing bull

[nomaddamon]

Most of the advises given (if not all) are ineffective and in some cases make things worse.

Code and data obfuscation only provides false sense of security (and a large paycheck for your "security" vendor) - If i have access to binaries, have root OS access and skills to de-compile the app, obfuscation/encryption (with local key) is only a small nuisance (compared to skill required for decompilation/repackaging/on-the-fly modification)

Moving data to server-side provides a simpler attack-vector - i can MTM the (hopefully) secure connection and alter data sent to app - i don't even have to decompile the app to hack it

On-the-fly binary validation does not work (again, if i have OS level access) - i can disable/fake it.

The numbers in the paper are classic marketing bull - when are you more likely to buy an 99$ in-app purchase?
- if you can do it for free (Apple MTM bug)
- if you actually have to pay for it

TLDR:
You can't protect against hacking/repackaging if the hacker has access to binaries and root.
You can't protect against data modification if the hacker can install hes own CA on the device.

Re:If you don't control it it's compromised.

[wonkey_monkey]

the key is to not trust the client. for highscores/top-times, run a simulation of the game run on the server from the inputs.

How do you know you can trust the reported inputs? And you can't run a simulation if your game has (truly) random elements, nor can you allow for all device idiosyncracies.

Now if you'll excuse me, I need to continue work on my Arduino-controlled Wiimote holder so I can finally get a perfect game on Bit.trip Beat.

Re: Take a page from the China mobile game scene

[MenThal]

You can't pirate free apps. The question for these become; how rampant is piracy or hacking for getting the in-game stuff for free.