SlideShare a Scribd company logo

Abusing mobilegames

ナム-Nam Nguyễn
ナム-Nam Nguyễn

This document discusses security issues and abuse in mobile games. It notes that worldwide spending on mobile games tripled to $16 billion in 2013 and gaming apps account for a large percentage of downloads. The document then summarizes typical mobile game architecture and motivations for abusive behavior like not wanting to spend money or lose. It outlines various abuse mechanisms like file tampering, malware, sensor spoofing, and API abuse. It also discusses potential solutions and notes that mobile games face fewer security challenges than PC games but that abuse still hurts players, developers, and platforms.

1 of 22
Download to read offline
Abusing Mobile Games Ming Chow mchow@cs.tufts.edu @0xmchow
Mobile Games: The Not-So Surprising Numbers ● “Worldwide spending on mobile game apps tripled in 2013 to $16B” (http://venturebeat.com/2014/02/19/worldwide-spending-on-mobile- game-apps-tripled-in-2013-to-16b/) ● “Mobile games account for top global apps worldwide in Jan 2014” (http://e27.co/mobile-games-account-for-top-global-apps- worldwide-in-jan-2014/) ● “Gaming apps accounted for around 41% of downloads from the Apple and Google stores, and was 61% on Amazon” (http://blogs. wsj.com/digits/2014/04/10/the-one-thing-mobile-users-can-agree- on-games/)
Mobile: What We Know ● Devices are of high value, can be easily lost or broken ● Has good computational power ● It is “always on” (including networking) ● Features: GPS, accelerometer, compass, bluetooth, Wi- Fi, NFC ● Constraints: battery, screen size, input ● New security model including app distribution ● No authorized method for gaining administrative access by default
What Has Changed for Games ● Development cycle and cost ● The goal for players ● Business model ● Distribution of game client and content ● Dependency on network connection and third-party systems
Typical Architecture of Mobile Games ● The game client ● Servers ● APIs ● Operating System ● Mobile Carriers
Motivations for Abuse, Unethical Behavior ● Don’t want to grind ● Don’t want to wait for next full meter ● Don’t want to spend money on virtual goods ● Don’t want to lose ● Achievements ● Want to win ● Want to steal data
Abuse Mechanisms ● File modifications and tampering ● Malware and piracy ● Time state attacks ● Faking location and sensor data ● Disconnection and latency ● API abuse
File Modifications and Tampering ● Game data commonly stored in .plist or XML files or in SQLite databases on the client side (the app) ● Example: Pocket Trains ○ iOS: Edit the .plist file under preferences for the game; risk getting banned ○ Android (assumes rooted device): Edit the file root/data/data/com.nimblebit. pockettrains/shared_prefs/com.nimblebit. pockettrains.xml ○ Source: http://www.pockettrainswiki.com/wiki/Cheating
Malware ● Repackage apps on Android ● Example 1: Freedom (Android) - reveals “hackable” applications on device; in-app purchases made free through middle-man, not through Google Play http: //www.netnames.com/blog/2013/09/in-appropriate- mobile-behaviour/ ● Example 2: Flappy Birds http://nakedsecurity.sophos. com/2014/02/11/flappy-bird-really-is-dead-beware-of- infected-fakes-that-promise-to-keep-him-alive/
Out-of-Band Spam ● Case-in-point, do a search for candy crush saga cheats ● Seedy ad networks http://blog.trendmicro. com/leaky-ad-networks-put-mobile-game- players-risk/ ● ...leading to potentially malicious websites and networks
Time State Attacks ● Many games are dependent on the actual time ● The idea: (incrementally) change the phone or tablet's internal clock forward or backwards ● “10 year old girl hacker CyFi reveal her first zero-day in Game at #DefCon 19” http://thehackernews.com/2011/08/10-year-old-girl-hacker-cyfi-reveal- her.html ● Works in games such as: ○ Candy Crush Saga: http://forum.xda-developers.com/showthread. php?t=2235910 ○ Pocket Trains (jobs finish faster by moving clock forward BUT trains may then have negative fuel)
Disconnection and Latency ● Higher disconnection, higher latency, and high data loss on mobile devices. ● Detecting time state attacks is much harder… (e.g., disconnect device from Wi-Fi) ● Double-edge sword for player: ○ In favor: disconnect on imminent loss, no penalty. Example: FIFA ‘14 ○ Not in favor: dead as you know it
Faking Location and Sensor Data ● For augmented reality or location-based games ● Was a big problem for Foursquare ● Easy to spoof gyroscope, accelerometer, compass, geolocation data --especially on a rooted or jailbroken device ● “Most systems currently lack software or hardware checks (e.g., Trusted Platform Module)” (Yahyavi, Pang, and Kemme)
API Abuse ● Use a proxy as middle-man (e.g., mitmproxy) ● iOS allows for system-wide HTTP proxy ● Example (now fixed): Apple Game Center ○ Attack 1: intercept and modify score-value field ○ Attack 2: capture email hashes (SHA-1) ○ Source: “Hacking iOS Game Center and Passbook with Proxies” by Karl Fosaaen, NetSPI http: //louisvilleinfosec.com/wp- content/uploads/2013/02/KarlFosaaen-iOS-GC-and- PB.pdf
Source: https://www.netspi.com/Portals/0/images/Blog/GameCenter-Blog-Cut-The-Rope.png
Privacy and Information Leakage ● Still way too many apps and developers transmit data HTTP (i.e., plaintext) and not HTTPS ● App permissions hell: http://blog.zscaler.com/angry-apps-saga ● Two years ago, Angry Birds and many other iOS games were calling ABAddressBookCopyArrayOfAllPeople. Source: http: //blog.veracode.com/2012/02/adios-say-goodbye-to-nosy-iphone- apps/ ● Example: QuizUp http://www.theverge. com/2013/11/26/5146998/quizup-security-privacy-issues-fix-on-the- way ● Facebook, Twitter, etc. credentials stored in plaintext in SQLite databases (thanks Joey Peloquin)
Existing Security Mechanisms ● Banning ● Penalties ● CAPTCHAs ● Hash functions and checksums ● (PC games have more glorified mechanisms including PunkBuster, Valve Anti-Cheat, Warden for WoW) ● Mobile Guard: continuous exchange of protection mechanisms between client and server (Grimen, Mönch, Midtstraum) ● Dead reckoning to predict location of player at certain moment
Proposed Solutions (Yahyavi, Pang, Kemme) ● Verify Wi-Fi position by sending nearest SSIDs and their signal strength ● Q&A using local places information (e.g., Google Places API). So we have a game within a game ● Verify unreachable positions (e.g., middle of ocean) via path ● Verify location using picture taken from camera => reverse image search ● Verify network statistics and information, carrier specific (e.g., via AT&T API) ● Facial recognition via camera and biometrics for transaction security
The Good News ● Many complexities (and hence, culprits), are not available in mobile games (Bono, Caselden, Landau, Miller): ○ Third-party plugins ○ User-generated content (e.g., the “nude patch”) ○ Scripting engines ○ Botting (without a lot of difficulties)
What’s the Loss (or why do we care)? 1. Players - loss of fun; declining resources (including battery life); loss of purchased virtual goods; loss of personal data; spike in cell phone and credit card bills 2. Game Developers - loss revenue from in-app purchases or from the app itself; bad data; cost for computing services increase 3. Carriers and Computing Services- declining quality of service 4. Platforms (e.g., iOS, Android)
To Ponder ● Mobile games is a great arena to see whatcouldpossiblegowrong in the mobile space ● No one wins; everyone’s reputation and a lot of money are at stake ● Many stories; a mess as evident by the cases presented ● Question: what’s the trust model now? ● The bigger question: why are we not emphasizing on the security of mobile games?
Additional References ● G. Grimen, C. Mönch, R. Midtstraum, “Tamper Protection of Online Clients through Random Checksum Algorithms,” in Proceedings of Information Systems Technology and its Applications 5th International Conference (ISTA 2006), May 2006. ● Stephen Bono , Dan Caselden , Gabriel Landau , Charlie Miller, Reducing the Attack Surface in Massively Multiplayer Online Role-Playing Games, IEEE Security and Privacy, v.7 n.3, p.13-19, May 2009. ● A. Yahyavi, J. Pang, B. Kemme, "Towards Providing Security For Mobile Games," in Proceedings of 8th ACM MobiCom Workshop on Mobility in the Evolving Internet Architecture (MobiArch), Miami, USA, 2013, p47-52. http://www.cs.mcgill.ca/~syahya/Yahyavi-MobiArch- MobGameSec.pdf ● “AWS Case Study: Supercell” http://aws.amazon.com/solutions/case-studies/supercell/ ● “Building Mobile Games on AWS” http://www.slideshare.net/AmazonWebServices/building- mobile-games-on-aws-gmg301 ● http://www.bloomberg.com/news/2014-01-29/nsa-spying-on-apps-shows-perils-of-google-candy- crush-.html

Recommended

Xu hướng trong trò chơi di động tại châu Á
Xu hướng trong trò chơi di động tại châu ÁXu hướng trong trò chơi di động tại châu Á
Xu hướng trong trò chơi di động tại châu Á
LamGame
 
Mobile + Social: Why BlackBerry is Perfect - GDC Europe 2012
Mobile + Social: Why BlackBerry is Perfect - GDC Europe 2012Mobile + Social: Why BlackBerry is Perfect - GDC Europe 2012
Mobile + Social: Why BlackBerry is Perfect - GDC Europe 2012
Volker Hirsch
 
A Mobile Introductory
A Mobile IntroductoryA Mobile Introductory
A Mobile Introductory
University of Central Lancashire
 
MobileMiner and NervousNet
MobileMiner and NervousNetMobileMiner and NervousNet
MobileMiner and NervousNet
kingsBSD
 
TIGA GameDev Night Leeds Sept 2012
TIGA GameDev Night Leeds Sept 2012TIGA GameDev Night Leeds Sept 2012
TIGA GameDev Night Leeds Sept 2012
Volker Hirsch
 
State of the Video Game Industry
State of the Video Game IndustryState of the Video Game Industry
State of the Video Game Industry
Margaret Wallace
 
Smartphones
SmartphonesSmartphones
Smartphones
Freexprezz
 
Smartphones
SmartphonesSmartphones
Smartphones
Freexprezz
 

Recommended

Xu hướng trong trò chơi di động tại châu Á
Xu hướng trong trò chơi di động tại châu ÁXu hướng trong trò chơi di động tại châu Á
Xu hướng trong trò chơi di động tại châu Á
LamGame
 
Mobile + Social: Why BlackBerry is Perfect - GDC Europe 2012
Mobile + Social: Why BlackBerry is Perfect - GDC Europe 2012Mobile + Social: Why BlackBerry is Perfect - GDC Europe 2012
Mobile + Social: Why BlackBerry is Perfect - GDC Europe 2012
Volker Hirsch
 
A Mobile Introductory
A Mobile IntroductoryA Mobile Introductory
A Mobile Introductory
University of Central Lancashire
 
MobileMiner and NervousNet
MobileMiner and NervousNetMobileMiner and NervousNet
MobileMiner and NervousNet
kingsBSD
 
TIGA GameDev Night Leeds Sept 2012
TIGA GameDev Night Leeds Sept 2012TIGA GameDev Night Leeds Sept 2012
TIGA GameDev Night Leeds Sept 2012
Volker Hirsch
 
State of the Video Game Industry
State of the Video Game IndustryState of the Video Game Industry
State of the Video Game Industry
Margaret Wallace
 
Smartphones
SmartphonesSmartphones
Smartphones
Freexprezz
 
Smartphones
SmartphonesSmartphones
Smartphones
Freexprezz
 
Webinar on career in Mobile Gaming and Application | Learning Catalyst
Webinar on career in Mobile Gaming and Application | Learning CatalystWebinar on career in Mobile Gaming and Application | Learning Catalyst
Webinar on career in Mobile Gaming and Application | Learning Catalyst
S P Jain Institute of Management & Research (SPJIMR)
 
Android gamesanalysis hunger-gamesfinal
Android gamesanalysis hunger-gamesfinalAndroid gamesanalysis hunger-gamesfinal
Android gamesanalysis hunger-gamesfinal
Milind Gokhale
 
Telecoms 2.0: Understanding the Impact of Open Mobile
Telecoms 2.0: Understanding the Impact of Open MobileTelecoms 2.0: Understanding the Impact of Open Mobile
Telecoms 2.0: Understanding the Impact of Open Mobile
MobileMonday Norway
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
NowSecure
 
Android vs ios
Android vs iosAndroid vs ios
Android vs ios
Meenal Singhal
 
Emerging web technologies2012
Emerging web technologies2012Emerging web technologies2012
Emerging web technologies2012bthat
 
AppTalk Frontline: Web vs Hybrid vs Native
AppTalk Frontline: Web vs Hybrid vs NativeAppTalk Frontline: Web vs Hybrid vs Native
AppTalk Frontline: Web vs Hybrid vs Native
Sebastian de Mel
 
Introduction to Android
Introduction to AndroidIntroduction to Android
Introduction to Android
MUFIX Community
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
Vince Verbeke
 
Marketplace Innovation report Q2 2015
Marketplace Innovation report Q2 2015Marketplace Innovation report Q2 2015
Marketplace Innovation report Q2 2015
Endava
 
safe journey
safe journeysafe journey
safe journey
Sunreeta Sen
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
Vince Verbeke
 
Droidcon2013 commercialsuccess rannenberg
Droidcon2013 commercialsuccess rannenbergDroidcon2013 commercialsuccess rannenberg
Droidcon2013 commercialsuccess rannenbergDroidcon Berlin
 
Project NGX - Proposal
Project NGX - ProposalProject NGX - Proposal
Project NGX - Proposal
Matthew Chang
 
Emerging web technologies 2014
Emerging web technologies 2014Emerging web technologies 2014
Emerging web technologies 2014
bthat
 
Mobile gaming
Mobile gamingMobile gaming
Mobile gaming
Touseef Ahmad
 
What is being exposed from IoT Devices
What is being exposed from IoT DevicesWhat is being exposed from IoT Devices
What is being exposed from IoT Devices
The Security of Things Forum
 
Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?
Abraham Aranguren
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
NowSecure
 
Dell jort kollerie
Dell jort kollerieDell jort kollerie
Dell jort kollerie
BigDataExpo
 
Application parallelisation Android - Klaas Vangend
Application parallelisation Android - Klaas VangendApplication parallelisation Android - Klaas Vangend
Application parallelisation Android - Klaas Vangend
ナム-Nam Nguyễn
 
Getting Native with NDK
Getting Native with NDKGetting Native with NDK
Getting Native with NDK
ナム-Nam Nguyễn
 

More Related Content

Similar to Abusing mobilegames

Webinar on career in Mobile Gaming and Application | Learning Catalyst
Webinar on career in Mobile Gaming and Application | Learning CatalystWebinar on career in Mobile Gaming and Application | Learning Catalyst
Webinar on career in Mobile Gaming and Application | Learning Catalyst
S P Jain Institute of Management & Research (SPJIMR)
 
Android gamesanalysis hunger-gamesfinal
Android gamesanalysis hunger-gamesfinalAndroid gamesanalysis hunger-gamesfinal
Android gamesanalysis hunger-gamesfinal
Milind Gokhale
 
Telecoms 2.0: Understanding the Impact of Open Mobile
Telecoms 2.0: Understanding the Impact of Open MobileTelecoms 2.0: Understanding the Impact of Open Mobile
Telecoms 2.0: Understanding the Impact of Open Mobile
MobileMonday Norway
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
NowSecure
 
Android vs ios
Android vs iosAndroid vs ios
Android vs ios
Meenal Singhal
 
Emerging web technologies2012
Emerging web technologies2012Emerging web technologies2012
Emerging web technologies2012bthat
 
AppTalk Frontline: Web vs Hybrid vs Native
AppTalk Frontline: Web vs Hybrid vs NativeAppTalk Frontline: Web vs Hybrid vs Native
AppTalk Frontline: Web vs Hybrid vs Native
Sebastian de Mel
 
Introduction to Android
Introduction to AndroidIntroduction to Android
Introduction to Android
MUFIX Community
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
Vince Verbeke
 
Marketplace Innovation report Q2 2015
Marketplace Innovation report Q2 2015Marketplace Innovation report Q2 2015
Marketplace Innovation report Q2 2015
Endava
 
safe journey
safe journeysafe journey
safe journey
Sunreeta Sen
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
Vince Verbeke
 
Droidcon2013 commercialsuccess rannenberg
Droidcon2013 commercialsuccess rannenbergDroidcon2013 commercialsuccess rannenberg
Droidcon2013 commercialsuccess rannenbergDroidcon Berlin
 
Project NGX - Proposal
Project NGX - ProposalProject NGX - Proposal
Project NGX - Proposal
Matthew Chang
 
Emerging web technologies 2014
Emerging web technologies 2014Emerging web technologies 2014
Emerging web technologies 2014
bthat
 
Mobile gaming
Mobile gamingMobile gaming
Mobile gaming
Touseef Ahmad
 
What is being exposed from IoT Devices
What is being exposed from IoT DevicesWhat is being exposed from IoT Devices
What is being exposed from IoT Devices
The Security of Things Forum
 
Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?
Abraham Aranguren
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
NowSecure
 
Dell jort kollerie
Dell jort kollerieDell jort kollerie
Dell jort kollerie
BigDataExpo
 

Similar to Abusing mobilegames (20)

Webinar on career in Mobile Gaming and Application | Learning Catalyst
Webinar on career in Mobile Gaming and Application | Learning CatalystWebinar on career in Mobile Gaming and Application | Learning Catalyst
Webinar on career in Mobile Gaming and Application | Learning Catalyst
 
Android gamesanalysis hunger-gamesfinal
Android gamesanalysis hunger-gamesfinalAndroid gamesanalysis hunger-gamesfinal
Android gamesanalysis hunger-gamesfinal
 
Telecoms 2.0: Understanding the Impact of Open Mobile
Telecoms 2.0: Understanding the Impact of Open MobileTelecoms 2.0: Understanding the Impact of Open Mobile
Telecoms 2.0: Understanding the Impact of Open Mobile
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
 
Android vs ios
Android vs iosAndroid vs ios
Android vs ios
 
Emerging web technologies2012
Emerging web technologies2012Emerging web technologies2012
Emerging web technologies2012
 
AppTalk Frontline: Web vs Hybrid vs Native
AppTalk Frontline: Web vs Hybrid vs NativeAppTalk Frontline: Web vs Hybrid vs Native
AppTalk Frontline: Web vs Hybrid vs Native
 
Introduction to Android
Introduction to AndroidIntroduction to Android
Introduction to Android
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
 
Marketplace Innovation report Q2 2015
Marketplace Innovation report Q2 2015Marketplace Innovation report Q2 2015
Marketplace Innovation report Q2 2015
 
safe journey
safe journeysafe journey
safe journey
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
 
Droidcon2013 commercialsuccess rannenberg
Droidcon2013 commercialsuccess rannenbergDroidcon2013 commercialsuccess rannenberg
Droidcon2013 commercialsuccess rannenberg
 
Project NGX - Proposal
Project NGX - ProposalProject NGX - Proposal
Project NGX - Proposal
 
Emerging web technologies 2014
Emerging web technologies 2014Emerging web technologies 2014
Emerging web technologies 2014
 
Mobile gaming
Mobile gamingMobile gaming
Mobile gaming
 
What is being exposed from IoT Devices
What is being exposed from IoT DevicesWhat is being exposed from IoT Devices
What is being exposed from IoT Devices
 
Why should you do a pentest?
Why should you do a pentest?Why should you do a pentest?
Why should you do a pentest?
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
 
Dell jort kollerie
Dell jort kollerieDell jort kollerie
Dell jort kollerie
 

More from ナム-Nam Nguyễn

Application parallelisation Android - Klaas Vangend
Application parallelisation Android - Klaas VangendApplication parallelisation Android - Klaas Vangend
Application parallelisation Android - Klaas Vangend
ナム-Nam Nguyễn
 
Getting Native with NDK
Getting Native with NDKGetting Native with NDK
Getting Native with NDK
ナム-Nam Nguyễn
 
AI in Games- Steering, Wander and Flocking behavior
AI in Games- Steering, Wander and Flocking behaviorAI in Games- Steering, Wander and Flocking behavior
AI in Games- Steering, Wander and Flocking behavior
ナム-Nam Nguyễn
 
Bullet Physic Engine SDK
Bullet Physic Engine SDKBullet Physic Engine SDK
Bullet Physic Engine SDK
ナム-Nam Nguyễn
 
Improved Alpha-Tested Magnification for Vector Textures and Special Effects
Improved Alpha-Tested Magnification for Vector Textures and Special EffectsImproved Alpha-Tested Magnification for Vector Textures and Special Effects
Improved Alpha-Tested Magnification for Vector Textures and Special Effects
ナム-Nam Nguyễn
 
Unite 2013 optimizing unity games for mobile platforms
Unite 2013 optimizing unity games for mobile platformsUnite 2013 optimizing unity games for mobile platforms
Unite 2013 optimizing unity games for mobile platforms
ナム-Nam Nguyễn
 
China mobile games and entertainment group
China mobile games and entertainment group China mobile games and entertainment group
China mobile games and entertainment group
ナム-Nam Nguyễn
 
Success stories compilation of game-based learning initiatives in adults educ...
Success stories compilation of game-based learning initiatives in adults educ...Success stories compilation of game-based learning initiatives in adults educ...
Success stories compilation of game-based learning initiatives in adults educ...
ナム-Nam Nguyễn
 
CEO Survey Report of Japanese Video Game Developers - Mirko Ernkvist
CEO Survey Report of Japanese Video Game Developers - Mirko ErnkvistCEO Survey Report of Japanese Video Game Developers - Mirko Ernkvist
CEO Survey Report of Japanese Video Game Developers - Mirko Ernkvistナム-Nam Nguyễn
 
Possibilities of non commercial game
Possibilities of non commercial gamePossibilities of non commercial game
Possibilities of non commercial gameナム-Nam Nguyễn
 
Children's Books, Stories and Songs - Children literature
Children's Books, Stories and Songs - Children literatureChildren's Books, Stories and Songs - Children literature
Children's Books, Stories and Songs - Children literatureナム-Nam Nguyễn
 
Physics for Game Programmers: Spatial Data Structures
Physics for Game Programmers: Spatial Data StructuresPhysics for Game Programmers: Spatial Data Structures
Physics for Game Programmers: Spatial Data Structures
ナム-Nam Nguyễn
 
The Economics of the “China Price”
The Economics of the “China Price”The Economics of the “China Price”
The Economics of the “China Price”
ナム-Nam Nguyễn
 
Smoothed Particle Hydrodynamics
Smoothed Particle HydrodynamicsSmoothed Particle Hydrodynamics
Smoothed Particle Hydrodynamics
ナム-Nam Nguyễn
 
Playability and Player Experience Research
Playability and Player Experience ResearchPlayability and Player Experience Research
Playability and Player Experience Researchナム-Nam Nguyễn
 
Android Lifecycle Basics in Practice.
Android Lifecycle Basics in Practice.Android Lifecycle Basics in Practice.
Android Lifecycle Basics in Practice.
ナム-Nam Nguyễn
 
Practical Source Code for Ship Motions Time Domain Numerical Analysis and Its...
Practical Source Code for Ship Motions Time Domain Numerical Analysis and Its...Practical Source Code for Ship Motions Time Domain Numerical Analysis and Its...
Practical Source Code for Ship Motions Time Domain Numerical Analysis and Its...
ナム-Nam Nguyễn
 
Luoc su duc phat thich nu hue ngan core- da chuyen
Luoc su duc phat thich nu hue ngan core- da chuyenLuoc su duc phat thich nu hue ngan core- da chuyen
Luoc su duc phat thich nu hue ngan core- da chuyenナム-Nam Nguyễn
 

More from ナム-Nam Nguyễn (20)

Application parallelisation Android - Klaas Vangend
Application parallelisation Android - Klaas VangendApplication parallelisation Android - Klaas Vangend
Application parallelisation Android - Klaas Vangend
 
Getting Native with NDK
Getting Native with NDKGetting Native with NDK
Getting Native with NDK
 
AI in Games- Steering, Wander and Flocking behavior
AI in Games- Steering, Wander and Flocking behaviorAI in Games- Steering, Wander and Flocking behavior
AI in Games- Steering, Wander and Flocking behavior
 
Bullet Physic Engine SDK
Bullet Physic Engine SDKBullet Physic Engine SDK
Bullet Physic Engine SDK
 
Improved Alpha-Tested Magnification for Vector Textures and Special Effects
Improved Alpha-Tested Magnification for Vector Textures and Special EffectsImproved Alpha-Tested Magnification for Vector Textures and Special Effects
Improved Alpha-Tested Magnification for Vector Textures and Special Effects
 
Unite 2013 optimizing unity games for mobile platforms
Unite 2013 optimizing unity games for mobile platformsUnite 2013 optimizing unity games for mobile platforms
Unite 2013 optimizing unity games for mobile platforms
 
China mobile games and entertainment group
China mobile games and entertainment group China mobile games and entertainment group
China mobile games and entertainment group
 
Success stories compilation of game-based learning initiatives in adults educ...
Success stories compilation of game-based learning initiatives in adults educ...Success stories compilation of game-based learning initiatives in adults educ...
Success stories compilation of game-based learning initiatives in adults educ...
 
CEO Survey Report of Japanese Video Game Developers - Mirko Ernkvist
CEO Survey Report of Japanese Video Game Developers - Mirko ErnkvistCEO Survey Report of Japanese Video Game Developers - Mirko Ernkvist
CEO Survey Report of Japanese Video Game Developers - Mirko Ernkvist
 
Possibilities of non commercial game
Possibilities of non commercial gamePossibilities of non commercial game
Possibilities of non commercial game
 
Children's Books, Stories and Songs - Children literature
Children's Books, Stories and Songs - Children literatureChildren's Books, Stories and Songs - Children literature
Children's Books, Stories and Songs - Children literature
 
MGI Big data full report
MGI Big data full reportMGI Big data full report
MGI Big data full report
 
Ai.game.wisdom
Ai.game.wisdomAi.game.wisdom
Ai.game.wisdom
 
Physics for Game Programmers: Spatial Data Structures
Physics for Game Programmers: Spatial Data StructuresPhysics for Game Programmers: Spatial Data Structures
Physics for Game Programmers: Spatial Data Structures
 
The Economics of the “China Price”
The Economics of the “China Price”The Economics of the “China Price”
The Economics of the “China Price”
 
Smoothed Particle Hydrodynamics
Smoothed Particle HydrodynamicsSmoothed Particle Hydrodynamics
Smoothed Particle Hydrodynamics
 
Playability and Player Experience Research
Playability and Player Experience ResearchPlayability and Player Experience Research
Playability and Player Experience Research
 
Android Lifecycle Basics in Practice.
Android Lifecycle Basics in Practice.Android Lifecycle Basics in Practice.
Android Lifecycle Basics in Practice.
 
Practical Source Code for Ship Motions Time Domain Numerical Analysis and Its...
Practical Source Code for Ship Motions Time Domain Numerical Analysis and Its...Practical Source Code for Ship Motions Time Domain Numerical Analysis and Its...
Practical Source Code for Ship Motions Time Domain Numerical Analysis and Its...
 
Luoc su duc phat thich nu hue ngan core- da chuyen
Luoc su duc phat thich nu hue ngan core- da chuyenLuoc su duc phat thich nu hue ngan core- da chuyen
Luoc su duc phat thich nu hue ngan core- da chuyen
 

Recently uploaded

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 

Recently uploaded (20)

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 

Abusing mobilegames

  • 1. Abusing Mobile Games Ming Chow mchow@cs.tufts.edu @0xmchow
  • 2. Mobile Games: The Not-So Surprising Numbers ● “Worldwide spending on mobile game apps tripled in 2013 to $16B” (http://venturebeat.com/2014/02/19/worldwide-spending-on-mobile- game-apps-tripled-in-2013-to-16b/) ● “Mobile games account for top global apps worldwide in Jan 2014” (http://e27.co/mobile-games-account-for-top-global-apps- worldwide-in-jan-2014/) ● “Gaming apps accounted for around 41% of downloads from the Apple and Google stores, and was 61% on Amazon” (http://blogs. wsj.com/digits/2014/04/10/the-one-thing-mobile-users-can-agree- on-games/)
  • 3. Mobile: What We Know ● Devices are of high value, can be easily lost or broken ● Has good computational power ● It is “always on” (including networking) ● Features: GPS, accelerometer, compass, bluetooth, Wi- Fi, NFC ● Constraints: battery, screen size, input ● New security model including app distribution ● No authorized method for gaining administrative access by default
  • 4. What Has Changed for Games ● Development cycle and cost ● The goal for players ● Business model ● Distribution of game client and content ● Dependency on network connection and third-party systems
  • 5. Typical Architecture of Mobile Games ● The game client ● Servers ● APIs ● Operating System ● Mobile Carriers
  • 6. Motivations for Abuse, Unethical Behavior ● Don’t want to grind ● Don’t want to wait for next full meter ● Don’t want to spend money on virtual goods ● Don’t want to lose ● Achievements ● Want to win ● Want to steal data
  • 7. Abuse Mechanisms ● File modifications and tampering ● Malware and piracy ● Time state attacks ● Faking location and sensor data ● Disconnection and latency ● API abuse
  • 8. File Modifications and Tampering ● Game data commonly stored in .plist or XML files or in SQLite databases on the client side (the app) ● Example: Pocket Trains ○ iOS: Edit the .plist file under preferences for the game; risk getting banned ○ Android (assumes rooted device): Edit the file root/data/data/com.nimblebit. pockettrains/shared_prefs/com.nimblebit. pockettrains.xml ○ Source: http://www.pockettrainswiki.com/wiki/Cheating
  • 9. Malware ● Repackage apps on Android ● Example 1: Freedom (Android) - reveals “hackable” applications on device; in-app purchases made free through middle-man, not through Google Play http: //www.netnames.com/blog/2013/09/in-appropriate- mobile-behaviour/ ● Example 2: Flappy Birds http://nakedsecurity.sophos. com/2014/02/11/flappy-bird-really-is-dead-beware-of- infected-fakes-that-promise-to-keep-him-alive/
  • 10. Out-of-Band Spam ● Case-in-point, do a search for candy crush saga cheats ● Seedy ad networks http://blog.trendmicro. com/leaky-ad-networks-put-mobile-game- players-risk/ ● ...leading to potentially malicious websites and networks
  • 11. Time State Attacks ● Many games are dependent on the actual time ● The idea: (incrementally) change the phone or tablet's internal clock forward or backwards ● “10 year old girl hacker CyFi reveal her first zero-day in Game at #DefCon 19” http://thehackernews.com/2011/08/10-year-old-girl-hacker-cyfi-reveal- her.html ● Works in games such as: ○ Candy Crush Saga: http://forum.xda-developers.com/showthread. php?t=2235910 ○ Pocket Trains (jobs finish faster by moving clock forward BUT trains may then have negative fuel)
  • 12. Disconnection and Latency ● Higher disconnection, higher latency, and high data loss on mobile devices. ● Detecting time state attacks is much harder… (e.g., disconnect device from Wi-Fi) ● Double-edge sword for player: ○ In favor: disconnect on imminent loss, no penalty. Example: FIFA ‘14 ○ Not in favor: dead as you know it
  • 13. Faking Location and Sensor Data ● For augmented reality or location-based games ● Was a big problem for Foursquare ● Easy to spoof gyroscope, accelerometer, compass, geolocation data --especially on a rooted or jailbroken device ● “Most systems currently lack software or hardware checks (e.g., Trusted Platform Module)” (Yahyavi, Pang, and Kemme)
  • 14. API Abuse ● Use a proxy as middle-man (e.g., mitmproxy) ● iOS allows for system-wide HTTP proxy ● Example (now fixed): Apple Game Center ○ Attack 1: intercept and modify score-value field ○ Attack 2: capture email hashes (SHA-1) ○ Source: “Hacking iOS Game Center and Passbook with Proxies” by Karl Fosaaen, NetSPI http: //louisvilleinfosec.com/wp- content/uploads/2013/02/KarlFosaaen-iOS-GC-and- PB.pdf
  • 16. Privacy and Information Leakage ● Still way too many apps and developers transmit data HTTP (i.e., plaintext) and not HTTPS ● App permissions hell: http://blog.zscaler.com/angry-apps-saga ● Two years ago, Angry Birds and many other iOS games were calling ABAddressBookCopyArrayOfAllPeople. Source: http: //blog.veracode.com/2012/02/adios-say-goodbye-to-nosy-iphone- apps/ ● Example: QuizUp http://www.theverge. com/2013/11/26/5146998/quizup-security-privacy-issues-fix-on-the- way ● Facebook, Twitter, etc. credentials stored in plaintext in SQLite databases (thanks Joey Peloquin)
  • 17. Existing Security Mechanisms ● Banning ● Penalties ● CAPTCHAs ● Hash functions and checksums ● (PC games have more glorified mechanisms including PunkBuster, Valve Anti-Cheat, Warden for WoW) ● Mobile Guard: continuous exchange of protection mechanisms between client and server (Grimen, Mönch, Midtstraum) ● Dead reckoning to predict location of player at certain moment
  • 18. Proposed Solutions (Yahyavi, Pang, Kemme) ● Verify Wi-Fi position by sending nearest SSIDs and their signal strength ● Q&A using local places information (e.g., Google Places API). So we have a game within a game ● Verify unreachable positions (e.g., middle of ocean) via path ● Verify location using picture taken from camera => reverse image search ● Verify network statistics and information, carrier specific (e.g., via AT&T API) ● Facial recognition via camera and biometrics for transaction security
  • 19. The Good News ● Many complexities (and hence, culprits), are not available in mobile games (Bono, Caselden, Landau, Miller): ○ Third-party plugins ○ User-generated content (e.g., the “nude patch”) ○ Scripting engines ○ Botting (without a lot of difficulties)
  • 20. What’s the Loss (or why do we care)? 1. Players - loss of fun; declining resources (including battery life); loss of purchased virtual goods; loss of personal data; spike in cell phone and credit card bills 2. Game Developers - loss revenue from in-app purchases or from the app itself; bad data; cost for computing services increase 3. Carriers and Computing Services- declining quality of service 4. Platforms (e.g., iOS, Android)
  • 21. To Ponder ● Mobile games is a great arena to see whatcouldpossiblegowrong in the mobile space ● No one wins; everyone’s reputation and a lot of money are at stake ● Many stories; a mess as evident by the cases presented ● Question: what’s the trust model now? ● The bigger question: why are we not emphasizing on the security of mobile games?
  • 22. Additional References ● G. Grimen, C. Mönch, R. Midtstraum, “Tamper Protection of Online Clients through Random Checksum Algorithms,” in Proceedings of Information Systems Technology and its Applications 5th International Conference (ISTA 2006), May 2006. ● Stephen Bono , Dan Caselden , Gabriel Landau , Charlie Miller, Reducing the Attack Surface in Massively Multiplayer Online Role-Playing Games, IEEE Security and Privacy, v.7 n.3, p.13-19, May 2009. ● A. Yahyavi, J. Pang, B. Kemme, "Towards Providing Security For Mobile Games," in Proceedings of 8th ACM MobiCom Workshop on Mobility in the Evolving Internet Architecture (MobiArch), Miami, USA, 2013, p47-52. http://www.cs.mcgill.ca/~syahya/Yahyavi-MobiArch- MobGameSec.pdf ● “AWS Case Study: Supercell” http://aws.amazon.com/solutions/case-studies/supercell/ ● “Building Mobile Games on AWS” http://www.slideshare.net/AmazonWebServices/building- mobile-games-on-aws-gmg301 ● http://www.bloomberg.com/news/2014-01-29/nsa-spying-on-apps-shows-perils-of-google-candy- crush-.html