Mobile Game Hacking: Defense Against the Dark Arts | James Ahn
1. Defense Against
the Dark Arts of
Mobile Game
Hacking
James Ahn
Founder and CEO
INKA Entworks, Inc.
2. About Me
• Founder and CEO of INKA Entworks
• 17+ Years contents security experts
• Inventor of DRM interoperability
• Worked as board member of DMP
• CEO of AppSealing service
2
3. About INKA and AppSealing
• Founded in 2000, HQ in Seoul and office in Mumbai and USA (2018)
• Leading DRM tech. company with 200+ clients and partners worldwide
• AppSealing : subsidiary launched 2015, providing mobile app security SaaS
• Currently 100+ mobile games being protected
3
4. Today we will discuss
1. Landscape of Mobile Game Black Ecosystem and its impact
2. Hacking technologies
3. Technical guidance to prevent hacking
4
5. Mobile Game Black Ecosystem
• Cheating app developers/publishers
• 100+ cheating apps being used
• 80% from China
• Professional hacking service
• On-demand modding service (VIP)
• Repository for modded games
• In-game currency hacking service
• Copycat/Clone games
5
6. Modding Service
6
On Demand Repository
Service • On-demand modding
• Paid service (20-30$)
• modded games repository
• Free download
Business
Model
• Monthly subscription
• Online Ad
• Free to download
• Online Ad
Providers • androidrepublic.org (226 modded games)
• sbenny.com
• androidthaimod.com
• ACMarket
• Hackerbot
• Modsapk.com (3,695 games)
• revdl.com
• modapkdown.com
• apkdlmod.com
• apklover.net
7. In-Game Currency Hacking Service
• Process
• Access mobile url
• Name/email
• Start hacking
• Human authorization
• Mobile games download
• No rooting needed
• BM : Ad based service
• Providers
• cheatmyway.com
• apkcare.com
• cheatstrick.com
7
14. Damage Of Mobile Game Black Ecosystem
• Game balance disruption
• Lost monetization
• Lowered ratings & downloads
• Exodus of free & paying users
• Shortened game lifecycle
• Competition with copycat/clone games
14
16. How Mobile Games Are Hacked
16
Start Run game Debugging
Analyze action and log
message
Alter code
and make mod
Analyze code
Dump memory
Hook API
DecompilingUnpack APK
18. Defending Against Hacking and Cheating Tools
• Anti-debugging and anti-tampering
• Compiling option to hide symbols
• Check APK signature/hash value of “classes.dex”, native libraries
• Obfuscation
• Proguard, Dexguard, Crypto obfuscator etc.,
• Obfuscation can be reversed
• Hide value/data of variables
• Encode data with base64
• Separate variables into “for store” and “for display”
• Encrypt data on the device
• Best practice is not to store data on the device
• If needed, encrypt data stored on the device
• Cheating Tools
• Set blacklist of cheating tools, and detect while game is running
• Use HTTPS for server and client communication
18
19. Google’s Guidance
• Best practice for secure IAB from Google
• http://developer.android.com/google/play/billing/billing_best_practices.html
• LVL (Licensing Verification Library)
• https://developer.android.com/google/play/licensing/index.html
19
20. Summary
• Legitimate (especially paying) players prefer fair competition
• Hacking is not only a matter of revenue loss but affects entire life
cycle of the game
• User acquisition cost VS Hacking prevention cost
• Basic anti-hacking technical measures help somewhat
• Consider a robust professional app security solution
20
21. 21
Thank you !
James Ahn (james@inka.co.kr)
CEO/ INKA Entworks, AppSealing
https://www.appsealing.com