Mobile Game Hacking: Defense Against the Dark Arts | James Ahn

1. Defense Against
the Dark Arts of
Mobile Game
Hacking
James Ahn
Founder and CEO
INKA Entworks, Inc.

2. About Me
• Founder and CEO of INKA Entworks
• 17+ Years contents security experts
• Inventor of DRM interoperability
• Worked as board member of DMP
• CEO of AppSealing service
2

3. About INKA and AppSealing
• Founded in 2000, HQ in Seoul and office in Mumbai and USA (2018)
• Leading DRM tech. company with 200+ clients and partners worldwide
• AppSealing : subsidiary launched 2015, providing mobile app security SaaS
• Currently 100+ mobile games being protected
3

4. Today we will discuss
1. Landscape of Mobile Game Black Ecosystem and its impact
2. Hacking technologies
3. Technical guidance to prevent hacking
4

5. Mobile Game Black Ecosystem
• Cheating app developers/publishers
• 100+ cheating apps being used
• 80% from China
• Professional hacking service
• On-demand modding service (VIP)
• Repository for modded games
• In-game currency hacking service
• Copycat/Clone games
5

6. Modding Service
6
On Demand Repository
Service • On-demand modding
• Paid service (20-30$)
• modded games repository
• Free download
Business
Model
• Monthly subscription
• Online Ad
• Free to download
• Online Ad
Providers • androidrepublic.org (226 modded games)
• sbenny.com
• androidthaimod.com
• ACMarket
• Hackerbot
• Modsapk.com (3,695 games)
• revdl.com
• modapkdown.com
• apkdlmod.com
• apklover.net

7. In-Game Currency Hacking Service
• Process
• Access mobile url
• Name/email
• Start hacking
• Human authorization
• Mobile games download
• No rooting needed
• BM : Ad based service
• Providers
• cheatmyway.com
• apkcare.com
• cheatstrick.com
7

8. Copycat/Clone Games : Clash Royale
8

9. Copycat/Clone Games : Lilith vs uCool
9

10. Hacked Western Game in China
10
360 Mobile Assistant Games Front Page
Source: Oniix

11. Hacking Preference by Genre
11
Source: AppSealing.com

12. Top 10 Cheating Tools
12
Source: AppSealing.com

13. Hacking Methods
13
Source: AppSealing.com

14. Damage Of Mobile Game Black Ecosystem
• Game balance disruption
• Lost monetization
• Lowered ratings & downloads
• Exodus of free & paying users
• Shortened game lifecycle
• Competition with copycat/clone games
14

15. Results of Anti-Hacking Incorporation
15
RPG RPG
RPG RPG Action Casual
Shooting Casual
Casual RPG ActionRPG
Source: AppSealing.com

16. How Mobile Games Are Hacked
16
Start Run game Debugging
Analyze action and log
message
Alter code
and make mod
Analyze code
Dump memory
Hook API
DecompilingUnpack APK

17. Reversing Tools (Decompile & Tampering)
17
JADX-GUI
JD-GUI
DEX (or JAVA)
dnSpy
.NET Reflector
(/w reflexil)
ILSpy
DLL (or IL)
IDA (/w Hex-Rays)
Shared Object
APK Unpack/Pack
APKTool

18. Defending Against Hacking and Cheating Tools
• Anti-debugging and anti-tampering
• Compiling option to hide symbols
• Check APK signature/hash value of “classes.dex”, native libraries
• Obfuscation
• Proguard, Dexguard, Crypto obfuscator etc.,
• Obfuscation can be reversed
• Hide value/data of variables
• Encode data with base64
• Separate variables into “for store” and “for display”
• Encrypt data on the device
• Best practice is not to store data on the device
• If needed, encrypt data stored on the device
• Cheating Tools
• Set blacklist of cheating tools, and detect while game is running
• Use HTTPS for server and client communication
18

19. Google’s Guidance
• Best practice for secure IAB from Google
• http://developer.android.com/google/play/billing/billing_best_practices.html
• LVL (Licensing Verification Library)
• https://developer.android.com/google/play/licensing/index.html
19

20. Summary
• Legitimate (especially paying) players prefer fair competition
• Hacking is not only a matter of revenue loss but affects entire life
cycle of the game
• User acquisition cost VS Hacking prevention cost
• Basic anti-hacking technical measures help somewhat
• Consider a robust professional app security solution
20

21. 21
Thank you !
James Ahn (james@inka.co.kr)
CEO/ INKA Entworks, AppSealing
https://www.appsealing.com