Mobile Game Hacking: Defense Against the Dark Arts | James Ahn

Published in: Software

  1. Defense Against the Dark Arts of Mobile Game Hacking. James Ahn, Founder and CEO, INKA Entworks, Inc.
  2. About Me
     • Founder and CEO of INKA Entworks
     • 17+ years as a content security expert
     • Inventor of DRM interoperability
     • Worked as board member of DMP
     • CEO of AppSealing service
  3. About INKA and AppSealing
     • Founded in 2000, HQ in Seoul and offices in Mumbai and USA (2018)
     • Leading DRM tech. company with 200+ clients and partners worldwide
     • AppSealing: subsidiary launched 2015, providing mobile app security SaaS
     • Currently 100+ mobile games being protected
  4. Today we will discuss
     1. Landscape of Mobile Game Black Ecosystem and its impact
     2. Hacking technologies
     3. Technical guidance to prevent hacking
  5. Mobile Game Black Ecosystem
     • Cheating app developers/publishers
     • 100+ cheating apps being used
     • 80% from China
     • Professional hacking service
     • On-demand modding service (VIP)
     • Repository for modded games
     • In-game currency hacking service
     • Copycat/Clone games
  6. Modding Service (table columns: On Demand, Repository)
     Service
     • On-demand modding
     • Paid service (20-30$)
     • Modded games repository
     • Free download
     Business Model
     • Monthly subscription
     • Online Ad
     • Free to download
     • Online Ad
     Providers
     • androidrepublic.org (226 modded games)
     • sbenny.com
     • androidthaimod.com
     • ACMarket
     • Hackerbot
     • Modsapk.com (3,695 games)
     • revdl.com
     • modapkdown.com
     • apkdlmod.com
     • apklover.net
  7. In-Game Currency Hacking Service
     • Process
     • Access mobile URL
     • Name/email
     • Start hacking
     • Human authorization
     • Mobile games download
     • No rooting needed
     • Business model: ad-based service
     • Providers
     • cheatmyway.com
     • apkcare.com
     • cheatstrick.com
  8. Copycat/Clone Games: Clash Royale
  9. Copycat/Clone Games: Lilith vs uCool
  10. Hacked Western Game in China: 360 Mobile Assistant Games Front Page (Source: Oniix)
  11. Hacking Preference by Genre (Source: AppSealing.com)
  12. Top 10 Cheating Tools (Source: AppSealing.com)
  13. Hacking Methods (Source: AppSealing.com)
  14. Damage of Mobile Game Black Ecosystem
     • Game balance disruption
     • Lost monetization
     • Lowered ratings & downloads
     • Exodus of free & paying users
     • Shortened game lifecycle
     • Competition with copycat/clone games
  15. Results of Anti-Hacking Incorporation (chart; genre labels: RPG, RPG, RPG, RPG, Action, Casual, Shooting, Casual, Casual, RPG, ActionRPG. Source: AppSealing.com)
  16. How Mobile Games Are Hacked (flowchart; box labels: Start, Run game, Debugging, Analyze action and log message, Alter code and make mod, Analyze code, Dump memory, Hook API, Decompiling, Unpack APK)
  17. Reversing Tools (Decompile & Tampering)
     • DEX (or Java): JADX-GUI, JD-GUI
     • DLL (or IL): dnSpy, .NET Reflector (w/ Reflexil), ILSpy
     • Shared Object: IDA (w/ Hex-Rays)
     • APK Unpack/Pack: APKTool
  18. Defending Against Hacking and Cheating Tools
     • Anti-debugging and anti-tampering
     • Compiling option to hide symbols
     • Check APK signature/hash value of “classes.dex”, native libraries
     • Obfuscation
     • ProGuard, DexGuard, Crypto Obfuscator, etc.
     • Obfuscation can be reversed
     • Hide value/data of variables
     • Encode data with base64
     • Separate variables into “for store” and “for display”
     • Encrypt data on the device
     • Best practice is not to store data on the device
     • If needed, encrypt data stored on the device
     • Cheating Tools
     • Set blacklist of cheating tools, and detect while game is running
     • Use HTTPS for server and client communication
  19. Google’s Guidance
     • Best practice for secure IAB from Google
     • http://developer.android.com/google/play/billing/billing_best_practices.html
     • LVL (Licensing Verification Library)
     • https://developer.android.com/google/play/licensing/index.html
  20. Summary
     • Legitimate (especially paying) players prefer fair competition
     • Hacking is not only a matter of revenue loss but affects the entire life cycle of the game
     • User acquisition cost vs. hacking prevention cost
     • Basic anti-hacking technical measures help somewhat
     • Consider a robust professional app security solution
  21. Thank you! James Ahn (james@inka.co.kr), CEO / INKA Entworks, AppSealing, https://www.appsealing.com
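
The integrity check from slide 18 (hash value of “classes.dex” and native libraries), as an added Python example that is not from the original slides or from AppSealing. It runs the comparison off-device (for example in a release pipeline or on a server that receives an uploaded build); the archive contents and the names `libgame.so` and `libhook.so` are constructed sample data.

```python
import hashlib, hmac, io, zipfile

def protected_entries(names):
    """Entries named on the slide: classes*.dex and native libraries under lib/."""
    return sorted(n for n in names
                  if (n.startswith("classes") and n.endswith(".dex"))
                  or (n.startswith("lib/") and n.endswith(".so")))

def build_manifest(apk_bytes):
    """Release-time step: record the SHA-256 of every protected entry."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest()
                for n in protected_entries(z.namelist())}

def verify(apk_bytes, manifest):
    """Return {entry: 'modified' | 'missing' | 'unexpected'}; empty means intact."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        present = set(protected_entries(z.namelist()))
        for name, expected in manifest.items():
            if name not in present:
                findings[name] = "missing"
                continue
            actual = hashlib.sha256(z.read(name)).hexdigest()
            if not hmac.compare_digest(actual, expected):
                findings[name] = "modified"
        for name in present - set(manifest):
            findings[name] = "unexpected"  # code added after release
    return findings

def make_apk(entries):
    """Constructed sample input: an APK is a ZIP archive, built here in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed byte strings standing in for real DEX and ELF content.
RELEASE = make_apk({"classes.dex": b"dex\n035\x00release-code",
                    "lib/arm64-v8a/libgame.so": b"\x7fELF-release",
                    "assets/level1.dat": b"level-data"})
MODDED = make_apk({"classes.dex": b"dex\n035\x00patched-code",
                   "lib/arm64-v8a/libgame.so": b"\x7fELF-release",
                   "lib/arm64-v8a/libhook.so": b"\x7fELF-injected"})
STRIPPED = make_apk({"classes.dex": b"dex\n035\x00release-code"})

if __name__ == "__main__":
    manifest = build_manifest(RELEASE)
    for label, apk in (("release", RELEASE), ("modded", MODDED), ("stripped", STRIPPED)):
        print(label, verify(apk, manifest))
```

Reporting entries that are absent from the manifest matters as much as the hash comparison, since a repackaged build can leave the original files untouched and add a new library instead.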
