Security Challenges in Mobile Games
Video games have come a long way, with the first generation of gaming console available in the 1970s. Magnavox Odyssey was the first video game console released in 1972 and could be connected to the a television set. However, it was not until when Atari’s arcade game Pong, released on 29 Nov 1972, that captured people’s hearts and started garnering more attention in this emerging market.
At the time of writing, video games are available in mainly 5 different platforms. Personal Computer (PC), Gaming Consoles (i.e. XBox & PlayStation), Smartphones, Wireless Devices and Handheld systems. While the state of PC gaming continues to become more popular and complex, mobile gaming has experienced an incredible growth, empowered by the ubiquitous nature of the platform. Referencing from Newzoo, it is estimated that the number of mobile gaming applications worldwide will grow from approximately US$101 billion in 2016, to more than US$128 billion by 2020 (See Fig 1).
This growing number of mobile gamers creates a lucrative target for hackers seeking financial gain. Throughout the remaining of this article, we will explore some of the attack methods employed by high level hackers, the motivation behind the hack, and its associated ramifications.
DIFFERENT ATTACK METHODOLOGIES
Attack Method 1: Fake applications
How — The game binary (such as the .APK file), is something which is downloaded to the customer’s smartphone. This means that anyone would be able to pry open the game application and extract sensitive game data (i.e. In-Game Assets, Art, and Source-Codes) out of the application through reverse engineering procedures. The stolen information could then be repackaged into a similar/clone application to entice gamers into downloading them as a Honeypot.
Why — The hacker could plant a malware into these clone applications that are designed to leak sensitive user data once they execute the binary. In the worst case scenario, the hacker can obtain full remote access to the gamer’s smartphone. For the mobile gaming companies, this critically damages their reputation as they might be indirectly or incorrectly attributed to such compromises.
Attack Method 2: Attacking in-app purchase services
How — A flaw in Apple’s in-app purchase system allowed hackers to obtain in-game currencies and other items for free. In July 2012, 8.4 million fraudulent purchases were made through this exploitation through just one hacker’s website. More than 115 games were affected by this vulnerability, including some of the top games at that time such as Fruit Ninja, Temple Run and Plants vs. Zombies.
Why — The hacker possesses the ability to obtain free items and in-game credits. This creates an enormous revenue loss for the affected mobile gaming companies as each of the fraudulent purchases would have normally cost between USD$0.99 to USD$99.99.
Attack Method 3: Hacking the Memory
How — The hacker could target an manipulate the in-game memory data to: i) change monetary values of item cost for in-app purchases, ii) change their in-game scores, iii) modify game actions such as bypassing game level checks, or turning a round lost to a round won.
Why — The hacker/gamer would have gained unfair game advantage by bypassing game logic checks and potentially ruining the gameplay balances — which is especially relevant in Massive Multiplayer Online Role Playing Games (MMORPGs). In addition, this can cause huge losses in revenue to the companies by altering in-app purchase prices of in-game items.
Attack Method 4: Hacking the Server
How — The hacker could perform injection attacks such as OS injection and SQL injection, and API fuzzing to gain unauthorized access to data and the game servers. In the worst cases, after gaining access to the game servers, the hacker could propagate themselves throughout the network to exfiltrate more sensitive data out of the environment.
HOW CAN GAME COMPANIES MITIGATE THESE THREATS?
While there is no silver bullet to prevent mobile game hacking entirely, many of these vulnerabilities and exploitations can be easily mitigated by employing defence mechanisms such as:
- Adding of server-side authentication before players can login
- Adding a method which requires the game client to download something from the game server to play the game
- Perform application layer encryption
- Storing game states on the server if possible (in many cases not possible as it affects performance)
- Not performing critical functions and logic checks on the client side
- Perform code obfuscation
- Encryption of keys and making them dynamic
- Real Time Application Security Monitoring
In a nutshell, it is important to plan your mobile game’s security in the early stages of the product development lifecycle, and long before it is pushed into the public marketplace.
After the release of the game, it might take eons for the security patch to be applied, due to its complexity. In addition, taking into consideration the product downtown required to accomplish the patch might also affect user-experience, and harm the game’s overall popularity. By the time patches are implemented, hackers could have already taken advantage of the vulnerabilities, such as publishing a clone application in another region.
Time to Wake Up
Security is no longer a nice-to-have and should not be taking the “back-seat” within enterprises. In fact, it should be a key enabler in protecting your game revenue to unexpected losses. If you are a new player in the gaming industry, consider entering into a partnership with a cyber security provider with experience in the industry. Such partnerships allows emerging businesses to focus on creating revolutionary games, without the fear of being exploited by the bad-guys.
