Ask Slashdot: How Serious Is Hacking In Mobile Games? 86
Origen writes: As a developer contemplating trying out the mobile game scene, a GDC session about hacking/tampering looked interesting — but I wasn't able to attend. The presentation isn't available online, but it was paired with a whitepaper [contact details required], which can be downloaded. I'm surprised by some of the information presented and the potential for damage/mischief. Not so much that these issues are unheard of — they've existed for years on other platforms. What I find surprising is the lack of support at the OS level on mobile devices to defend from many of these types of hacks. Have we learned nothing from the pains of the past? How significant are the points about hacking/piracy in the mobile space that are discussed by this whitepaper?
Submit the replay file (Score:2)
Have the client record input log during gameplay and submit it to the server once the game completes, then replay it on the server when verifying a submitted score. If you really want to block an offline tool-assisted speedrun, require the client to submit a piece of the input log every five seconds or so.
Re: Take a page from the China mobile game scene (Score:3, Insightful)
You can't pirate free apps. The question for these become; how rampant is piracy or hacking for getting the in-game stuff for free.
Re: (Score:2)
You can't pirate free apps. The question for these become; how rampant is piracy or hacking for getting the in-game stuff for free.
If you put out an app, it will get hacked. It has been this way since the 70's. Nothing has fucking changed, 'cept the Twenty somethings that do NOT know computer history at all and thinks everything is new.
If you are a developer, the app you put out will be hacked. Always has been, always will be, nothing will change that. The question is, as the developer and knowing your app will be hack, how do you respond? Do you then fuck over your paying customers by putting in draconian DRM, or do you ma
Re: (Score:2)
Only problem with that logic is that EA and Ubisoft are quite successful right now, which only sets an example that extreme DRM, DLC, and releasing only a few hours worth of content and calling it a game is the way to earn money in the industry. Especially with consoles where there is a 0% piracy rate and the game developers control everything on that platform.
Of course, it would be nice to see another ID or Bioware. I'm sure there is money to be made on games with a long tail like Neverwinter Nights and
If you don't control it it's compromised. (Score:2, Informative)
OS level protection wouldn't do much if someone's really dedicated, they'll just remove those protections if needed. Assume everything coming through an internet connection is compromised, don't trust your game client.
Re: (Score:2)
besides,
the key is to not trust the client. for highscores/top-times, run a simulation of the game run on the server from the inputs.
for ingame bought stuff, there is protections. you can check on your server if the player actually paid for the stuff. or you can skip that check and lose money.
you cannot trust the client - I mean, what the fuck are the protections on the "os" going to do when the game might not even be running on the target os! I mean, the client might be an entirely different program!
Re:If you don't control it it's compromised. (Score:5, Interesting)
the key is to not trust the client. for highscores/top-times, run a simulation of the game run on the server from the inputs.
How do you know you can trust the reported inputs? And you can't run a simulation if your game has (truly) random elements, nor can you allow for all device idiosyncracies.
Now if you'll excuse me, I need to continue work on my Arduino-controlled Wiimote holder so I can finally get a perfect game on Bit.trip Beat.
Re: (Score:2)
At least the first level of Bit.Trip Beat is pretty easy (I've nearly had perfect scores on multiple occasions, having made it through the toughest parts and then missing easy ones late in the level, all while only playing it casually). But yeah, for those later levels...guh.
Re: (Score:2)
I've nearly had perfect scores on multiple occasions
Exactly. Nearly. Gah!
Re: (Score:2)
Re: (Score:2)
PvP is a problem though. There's not a lot you can do to prevent some forms of cheating in PvP, but on the mobile space PvP isn't nearly as important anyway. Usually it boils down to "u
Re: (Score:2)
For real security, the client should just be "eyes/ears" for the server, similar to how MMOs are. This was true back in the UO days, and is true now.
At least phones and mobile devices are easier to track and ban cheaters because you can ban an account and if any new accounts touch that device's IMEI, they get auto-banned after a random period of time as well. A simple check for a su binary on Android or a check if one can write outside the app's directory in iOS will deal with rooted/jailbroken devices.
An
Re:If you don't control it it's compromised. (Score:5, Interesting)
I would simply take the same approach you should take with PC games. If it's single player, don't bother. You are wasting resources, resources you can use to make your game just a little more awesome. (more awesome == more sales) Wit multiplayer games, the key point is the server. The server should not trust clients and use heuristics to detect suspicious behavior. Then give administrators the means to moderate their users. (Or a vote system.) Bad behavior is a real issue with multiplayer games, but that is not limited to cheating.
But since we are talking about mobile games; are users cheating you on the premium currency? Treat is like any other piracy, ignore it and try to win users by making the cooler more awesome game. Maybe communicate that you are an independent developer and need the money to make games.
Achievements (Score:2)
If it's single player, don't bother.
On some popular video game platforms, no major single-player game is truly single-player. For a decade, it has become a race among friends to get the achievements first.
Re: (Score:2)
+1
Achievement unlocked: Completed the hamster wheel.
Please don't tempt Apple (Score:2)
People already think Apple's walled garden and sandboxing go overboard. Remember that legit developers have to pay Apple $99/year just to develop+run an app on their own device. Apple also has a long list of requirements about what your app not allowed to do. I'd really hate to see what they do if they got *serious* about locking down the platform.
Re: (Score:2)
Still not much compared to a developers salary.
In what country? Different countries have different currencies with different exchange rates to the United States dollar. The cost of a Mac and a certificate are based on exchange rate, not purchasing power parity. And I was under the impression that in order to build demonstrable skills, programmers new to iOS had to each buy a Mac and iPad mini and pay for a certificate out of their own respective pockets before they could get hired for the first time.
That way of thinking is wrong... (Score:1)
Blocking any form of "hacking" will also hurt legitimate users. For example, being able to install an APK manually, not every devices come with the Google Play store and quite frankly the Amazon appstore is extremely lacking compared to the Play store. So being able to install apk is a life saver.
Removing similar features will just hurt the userbase even more.
Re: (Score:1)
Re: (Score:2)
If you want to run an application that is exclusive to Google Play Store, you have two options. The first is to inform the application's publisher that it is leaving money on the table by not also selling on Amazon. The second is to buy a Nexus device, which comes with Google Play Store access.
Nothing learned? (Score:4, Informative)
On the contrary, mobile devices and hardware are awash in security features [apple.com]. Hardware based chain-of-trust, encrypted storage, signed applications, detailed permissions... these are all lessons learned from their big brother operating systems. Modern mobile OSes are actually far more difficult to maliciously subvert than PC systems, but of course, many of those features mean they're also closed systems, and aren't nearly as flexible. It's definitely a trade off. We see that pretty clearly with Android vs iOS, where iOS has a miniscule amount of malware simply by virtue of being a closed system.
In terms of game development, I think the focus is more on hacking the client than hacking the OS. As a former MMO dev, the rule was that you really can't trust *anything* the client gives you. Simple as that. It makes development a hell of a lot harder, but time and time again we see new MMOs or multiplayer games (presumably created by inexperienced developers) that break this cardinal rule and get hacked all to hell and back.
Re: (Score:2)
^ Good post, thank you.
Re: (Score:2)
You buy the Shiny Gold Mace of Obliteration for 20,000 gold, client tells that to server, server runs the numbers to make sure you actually have at least 20,000 gold, said mace is available for purchase, the stats on said mace check with whatever is on the game database, etc.
That's part of the reason some MMOs have chronical lag issues, no matter how low your ping is. If all that o
Re: (Score:2)
Yes, all the fighting calculations are done on the server. The client doesn't get to do the dice roll for how much damage a swing of their golden mace did. However the client will do their own temporary calculations as to whether the mace can swing (target is in range, last swing is complete etc.) and update the graphics to start showing the swing. Generally the server will return with the damage, or whether it was a miss/block, before the graphical swing is complete, and the client can therefore show th
Re: (Score:3)
I should clarify that statement a bit: nothing related to actual game state from the client can be trusted. In other words, for instance, you wouldn't rely on the client performing hit-detection and telling the server "I just attacked and hit this creature for x damage". Instead, you would only relay the raw input commands (e.g. "I just pressed the command to cast a fireball") from the client to the server, and it's the server that processes all the game logic, then sends the result back to the client as
Probably not (Score:1)
Complex topic, I would "no" at least in the scope "should you as a developer take significant steps to prevent hacking"
Consider following:
1) The whitepaper is from a company selling services for this, they want to paint a grim picture
2) Like PC with piracy, Android/jailbroken iOS piracy is likely something you can't solve, but it will take a lot of time & money to fight
3) People downloading pirated games are pretty much lost audience, they were not planning to buy upfront anyhow
4) Anti-piracy measures c
OS Level protections = DRM (Score:4, Insightful)
We don't need "OS level protections". It's your phone, you control all the code on it. Same as on your PC. Are you really fucking bitching that phones don't have enough fucking DRM? I'm sure glad to give up all my freedoms so some teenager can't cheat in clash of fucking clans.
Re:OS Level protections = DRM (Score:4, Interesting)
As a note: a lot of games already try to detect jailbroken iphones and refuse to play. Because OBVIOUSLY, if you are jailbroken, it must be to cheat at their stupid games. That's like refusing to run if your machine has a local admin account, or the root user has a fucking shell attached. Ludicrous.
Anyone who wants more of this shit hasn't had the first thought on the topic yet.
Re:OS Level protections = DRM (Score:4, Informative)
I know this is a troll, but in case anyone is mislead I want to clear up a factual error:
Jailbroken iPhones absolutely can make purchases from the App Store. I have a history of jailbreaking my phones when they get old to enable certain mods and extensions that are not supported by Apple (for example, I had a notification center on my iPhone before Apple released theirs in iOS 7). It didn't change anything about the way I ran or installed my official App Store apps, and I never downloaded a pirated app.
Re: (Score:2)
Man, I think the last anything I pirated was X-Wing in the 90s. Then I asked for it for Christmas. But fuck you too.
I've got a jailbroken iphone, and I've pirated not one goddamned thing. There's a lot of reasons to jailbreak- "the default UI fucks up your background with a goddamned gradient .png file" was my breaking point, but there's others. None of them are piracy. You think things are piracy because you have a filter on, and you think people should be shackled to the whims of developers on the ha
Re: (Score:1)
Because OBVIOUSLY, if you are jail-broken, it must be to cheat at their stupid games
No, it's more that if you have a jail-broken device, you may be using an illegitimate/copied version of the software (or movie, or whatever). Getting paid apps for "free" was actually one of the big reasons for the popularity of jailbreaks on early iPhones.
Re: (Score:2)
Irrelevant though. Whether a developer wants to point at the bogeyman of piracy or the bogeyman of cheaters, it's still my phone. The fact that I *could* be a pirate because I have root doesn't mean shit, and anyone who thinks that needs technical discouragement (mostly present), but possibly even legal discouragement as well. Ideally, we'd lose the idea of rootless phones entirely, but the model has been really helpful for its actual only good purpose- noob level users not getting ownfaced like they do
Re: (Score:1)
I didn't say I agree with it, I was just stating the mentality behind it. Personally, I find it retarded that various ports of SINGLE-PLAYER, previously DRM-FREE games - e.g. Final Fantasy series etc - have to do a phone-home check before you can run them on an Android/iDevice.
The dumbest part is that one of the first thing that happens when a pirate version of the game comes out is that all the stupid DRM shit is stripped off anyways, giving the pirates a better copy than those that legitimately purchased
Re: (Score:2)
And right there is the ONLY real answer we have had on this subject.
Thank you for being one of the only sane voices on this.
Re: (Score:1)
But.. but.. but... the leaderboard. Gotta get toprank. gotta gotta.
The paper is marketing bull (Score:4, Interesting)
Code and data obfuscation only provides false sense of security (and a large paycheck for your "security" vendor) - If i have access to binaries, have root OS access and skills to de-compile the app, obfuscation/encryption (with local key) is only a small nuisance (compared to skill required for decompilation/repackaging/on-the-fly modification)
Moving data to server-side provides a simpler attack-vector - i can MTM the (hopefully) secure connection and alter data sent to app - i don't even have to decompile the app to hack it
On-the-fly binary validation does not work (again, if i have OS level access) - i can disable/fake it.
The numbers in the paper are classic marketing bull - when are you more likely to buy an 99$ in-app purchase?
- if you can do it for free (Apple MTM bug)
- if you actually have to pay for it
TLDR:
You can't protect against hacking/repackaging if the hacker has access to binaries and root.
You can't protect against data modification if the hacker can install hes own CA on the device.
Candy Crush Saga (Score:1)
Ever hear of Candy Crush Saga?
Ever hear of CandySwipe? That's the game that came out 2 years BEFORE Candy Crush Saga (http://www.snopes.com/politics/business/candycrush.asp).
Of course, it continues to boil down to being clones / copies of earlier games (Bejewelled for example).
Artwork, design, music, sounds, ideas, most (if not all) are being stolen like crazy in the mobile market. If you don't have a thick skin, don't get into it. Chances are, you spend months, if not years, crafting a beautiful game an
Re: (Score:1)
I tried Candy Crush Saga.
It was so toploaded in derivative bullshit that had nothing to do with the core matching game that I pitched it. It was taking forever to actually get to the gameplay.
I found a simple clone that just had the actual matching game. It's fun. There isn't bullshit and animated NPC cutscenes (on a matching game. on a phone!) to deal with before you can play.
simple solution (Score:2)
Re: (Score:1)
This is always been the solution, even after such massive failures as the Valve Anti-Cheat System on PCs. Have the game analyze the size, name, and even hash of all its files when it opens. If they're different than a preapproved list that's loaded into memory for milliseconds after being unencrypted with an enormous hard-wired password, refuse to open the game. That's moderately secure, assuming they can't get to the hard wired password.
How do you trust that the user hasn't modified "the game" to make it think the hashes always pass?
Re: (Score:2)
Would "all its files" include third-party video drivers that may be modified for wall hacking, third-party pointing device drivers that may be modified for aim assist, and the like?
Re: (Score:2)
Jackass will do the polymorphic shuffle (Score:2)
It's not like 1000 people are modding the files in 1000 ways.
Yet.
Virus authors figured out polymorphic code [wikipedia.org] long ago. Now imagine one jackass making a program that shuffles the order of blocks of code in the hack [nesdev.com] so that you have 1000 files all different but with identical behavior. Thus blacklisting fails for wallhack and aimbot detection the same way it has been shown to fail for virus detection.
It's good you missed it - it was an advertisement (Score:2)
Reading the whitepaper, the whole thing seems like it's focused on promoting Arxan's services. It's entirely possible that the presentation itself took a different tone/direction, but the whitepaper itself was fairly contentless sprinkled with a few good points about older MITM attacks exploiting the In-App purchases for iOS and the high piracy rates on Android in China and Russia.
Really that last part is the thrust of the article -- high piracy rates for which they don't really offer any solution except DR
Have we learned nothing? (Score:1)
I would ask anyone in developing connected devices. What happened the last time you tried to hack your own device? And if the answer is you haven't even tried then most definitely you've learned nothing about security. If the underlying OS can't prevent hackers walking all over your memory then it's GAME OVER
They handled it well in Simpsons tapped out (Score:3)
In Simpsons tapped out, a typical time-waster of a moblie game, free with premium content, players found an exploitable bug allowing them what is basically infinite money. IIRC they handled it this way :
- they fixed the bug
- they referred to the hack an in-game event (the moral being of course : you won't get any fun by hacking)
- they gave a special item to everyone that didn't use the exploit
- they didn't penalize those who did (except by not giving them the special item)
I found it was a wonderful way to handle the situation : they didn't punish the hackers, they simply told that the non-hackers were way cooler.
The real problem (Score:1)
For an indie developer, the real problem is that almost nobody can get a significant number of players in such an over-crowded, competitive marketplace unless they have a hugely popular brand (famous movie, famous developer, famous game company, something), or millions of dollars in marketing money.
Given that your indie title with no marketing "oomph" behind it is 99.999% likely to not get a large number of players or make significant money, fixing any potential security problems in it is almost always goin