
i'd love to introduce my friend ming chao he's a lecturer at tufts university department of computer science uh tons of experience years and years i could go on but uh most recently at dekhan olas massachusetts attorney general uh design automation conference source boston speaker so excited to have your talk thank you thank you thank you thank you half of what you heard is not true thank you very much for coming where is everyone and uh i also can imagine that half of you guys already bought out of your mind already because i know a lot of you folks already on the mobile phone than the device so let me ask you this if you're on the phone right now who has uh
who has downloaded the game who is playing a game who has downloaded or played again i have a game on one of these devices anyone like who doesn't have a game on the phone wow wow i am shocked by uh the number of you who actually have a phone and don't have a game which seemed like 50 50 split here so i'm going to give you a little backstory on uh a little backstory so back in 2008 uh gary mcgraw and i worked on you know security of um massively multiplayer online games and uh back in january i got an email out of the blue from bbn paul bell he's a researcher over there and he asked
yeah i see that you teach at tufts and uh i was wondering if you can give a talk i see you do uh game development i also see you do security uh and then that i stepped back and said you know what i could do a talk on both and perhaps i've been doing a lot of work on mobile recently and perhaps is there a way an opportunity that i can mix the two together you know it's been six years that i've covered that i've talked about uh that talked about games so it's actually a great time to actually go back to it so the whole gist of my talk today is we're going to look at the underbelly yes
we're going to look at the underbelly of uh this whole realm of thing known as mobile games and the scope of what i will talk we'll be talking today is going to range from sinister i mean uh cheating to let's say to perhaps things that are a little more sinister i have to say that uh by all and large i'm extremely disturbed and disappointed by the amount of work that has been uh done in this area of mobile games in fact in terms of white papers and literature i've only found one paper that even addresses this issue of mobile games and security it is that appalling and knowing how big mobile games are and i
just want to give you some of the really not so surprising numbers so look it's not only big business and big money uh but it encompasses a good majority a significant amount of the downloads that are on itunes app store uh google play and even more so on amazon okay these are not the these numbers should not be surprising to you i mean there's always been chatter about the significance of of games and how it has spurred mobile and these numbers could not make it even more clear okay so these are also things that we also know about mobile devices uh look these devices are high value uh they can be easily lost and broken they
offer a lot of features that pcs don't have including gps accelerometer uh the compass there's also constraints as well too uh with your screen size and uh and input uh and i also have to mention a little bit about the security model i mean the security model of mobile devices like your iphone your android they're not the same as the pc so they're so the the days of you know having antivirus uh it doesn't really it just can't apply anymore because of court apps are all sandbox so mobile offers new features new constraints they also offer more opportunities for good and bad as well so that's what we know about mold i don't have to talk too much but here's
i think it's a really really really important slide again i mentioned i talked about i did some work in massively multiplayer online games and security uh back six years ago if you're familiar with anyone playing world of warcraft everquest final fantasy any of that stuff okay so we looked in the security of those games back six years ago so six years have passed so what has changed and there's been so much that has changed especially over the last uh two to three years uh and each and every one of these items uh play a very significant role uh to understand the underbellies of mobile games first and foremost what had really changed is the development cycle and uh
and the cost so years ago you know it would take millions and millions of dollars hollywood hollywood budget uh armada of developers to build a game so what is it now i mean what does it take to build a game now all right so a few you know years ago it would take an hour of developers millions of dollars what is it now how many developers do you really need to actually create a game one okay what's the cost very minimal uh it can it's actually could be if the cost of entry is extremely low of course if you're an apple and you have to pay a hundred dollars a year to be on the itunes app store
but uh they'll make a long story short every mother and their kid can now actually create a game because not only does the sdk nominally is zero uh in terms of zero dollars but there are also many game engines uh and frameworks out there coco os uh unity and unreal engine that you know are available for free where you know you can build a game for a mobile platform okay and some of these flat and some of these frameworks in game engine are drag and drop and so i mean you hear about the stories about kids you know making games on the itunes app store and actually make it onto the top 10 lists very easily well
it's not a surprise that it can be done because of course you know development cost and the cycle is very very accessible now goals are for players significant change can someone actually tell me like what has changed for players i mean what's the goal for players in a lot of these games within the last few years anyone want to take a stab yeah okay that you nailed right on the head leveling up and uh what else so you go from level one to level who can like 99 so leveling up what else
oh boy account sales you know virtual items virtual goods they also the other thing that i have on my i know what you were saying like to your point like along the lines uh also is the whole idea of achievements lots of games now the emphasis is on leveling love leveling up building virtual goods or trying to actually win a badge on honor okay an achievement of some sort such as you know create an airport in every city in the world or that you have killed uh ten or more enemies in one shot you get like a little nice little badge on on uh on game center or on the google play achievements okay those are just generally gold so you can
you know not amount too much but badges of honor what about the business model of game how have they been back in the good old days i remember spending 49.99 or 59.99 to buy a game what is it now free 99 cents cost to buy to get the air get the game on your device is very low but where does it get where the developer really make the money wait a minute whoa so if again if a publisher is pushing on a game that is zero or zero dollars or 99 how do they make money yeah you got ads that's number one what else this thing known as iap or in-app purchases if you want to buy
fake gold or the fake golden sword or more time okay or cards or whatever virtual item that's the real money maker you'll be shocked to hear i mean i was actually shocked to hear the companies like electronic arts saying that we actually now make more money for fifa and our sport game that we offer for free on the mobile devices than our console games that's telling you something right now all right you know add-on purchases advertisement in uh you name it that's where that's a lot of money now to be made but the reason but the game client nominal if not free all right distribution of game client and content how was that done
you downloaded from where itunes app store google play or where else some through if you're on android lan is wonderful the third-party market somewhere how many app stores are there for uh how many app stores are there for android too many to name in fact things got really bad when actually when uh flappy birds got taken off the store then where did you download the game who knows on amazon aws somewhere distribution of game client is very interesting it could be anywhere now okay dependency on network connection and third-party system i don't know of one mobile game actually for all the mobile game and i do play a lot you know most of these actually if not all depend on
the network connection on some sort and of course connection to third party system of some sort what do you think i mean by connection to a third-party system how many people have ever played those games and actually say do you want to post your high score to twitter or facebook okay that stuff yes okay or you know post your j your score at the game center or to open faint or to any other sister or to any other social network you know that are known to man or even linkedin as well all right so now we have we have games that actually absolutely need for or you know for some ungodly reason network connection and connection to third-party
system a lot of this is all this stuff here has changed within the last few years which have actually led to things perhaps not for the better okay so a typical architecture of mobile game you would just imagine you would just think it's just the app you would just think it's the client that is on the phone for example on my device i have a game which i will talk about a few times it's called pocket trains okay you just think it's just the app huh well it's not just the app pocket train anyone here play clash of clans no one play clash of clans here okay anyone play hearthstone beautiful game okay absolutely one of
the best absolutely arguably one of the best games i've played in years but behind the scene is a lot more than just a client there's also servers as well why serve what servers are for well let's see now uh for let's say keeping track of your game logic where you are keeping track of your points uh login authentication in fact if you play uh hearthstone the authentication system at battlenet battle.net which is also used for games like world of warcraft uh and uh diablo all right so it's also used for hearthstone uh let's say a passion as well because uh you know in terms of a mobile device you think you need to run faster there's
also cash servers involved apis that also include uh facebook twitter open faint uh game center for apple okay the operating system also plays a part of uh the mobile uh for mobile games as well such as uh memory isolation sandboxing and even things like oh let's say make sure ensuring that the readings of your accelerometer are correct okay and of course the mobile carriers uh you name it also plays a very important role for mobile games for delivering things like quality of service all right so it's much more than you think it's just the client itself behind the scenes it's an extra is really really large all right i mean k games like of course
hearthstone clash of clans that you might have seen i advertised on tv okay they embody you know typical architectures of mobile games it's not just the client anymore so this here now we'll talk about the why why of the underbelly of mobile games okay the why for their reasoning behind the underbelly ethics or lack thereof abuse okay lots of these games okay up terms of leveling up you mentioned leveling up all right how long does it actually take you to get from zero level z level one to level let's say 60 something a long time but you know something in psychology better known as instant gratification okay we all want to be the guy we all
the other of a girl who actually had want to be better than everyone else we want to demonstrate that we can achieve you know level 66 67 68 we want not only a high level because you know it's there's a status symbol that goes on if you actually have a really really high level or that you have all the powers in the world but you want to get there fast you want instant gratification you don't want to grind you want to want to wait for the next full meter okay now a lot of these games actually depend on time okay you make a move you actually make your transaction but then you have to wait for two hours for something to
happen i'm looking at you candy crush saga who here play know exactly what i'm talking about with candy crush saga so what's the idea with candy crush saga okay you are given i think five lives or five opportunities to actually finish the level if you waste all your opportunities you have to wait for five hours or so in order to get all your five life back okay or the great thing is you're gonna pay the money and then of course you can actually get your five lives right away that is why king is decided to go ipo because the people lacked their uh needs of insurance gratification and they were willing to [ __ ] up ninety dollars a week
to pay the gains okay you don't want to spend money on virtual goods yes games like you know pocket any of the nimble bit game which i actually love uh hearthstone if you you know you know the point is if you want to get ahead or if you want to really level up you really need that golden sword you nearly need the uh that new deck of cards so you have to spend money on the virtual good and actually do go up that way you don't want to lose okay if you're like if you're for example sports band like to play fifa you want to win the game okay you want to win the game so if
you're about to lose then that's not a good thing you want to do something about it you want the achievement you want to win and of course this last one uh if you uh actually if you have no business in playing game but guess what you know that people like to play games you like know that mobile devices are high value you just want to steal whatever data's on the phone okay so these are the reason behind all the underbellies obviously the accident uh the unor lack there uh lack there of ethical acts behind mobile game so now let's talk about the how of the underbelly how do you actually go through and do all the abuse
okay how do you actually get to uh how do you know if you're the bad guy or if you're the unethical player how do you get your way well it's actually easier than you think okay and we're going to go through each and every you give you an example behind file modification gauges power modification some of these things have been around for years okay but then some but however mobile makes it easier to perform then i take a look at file modification and tampering okay did anyone go to uh joey's uh talk yesterday on mobile forensics anyone it was a great talk because which was good was a lot of the stuff that he presented yesterday alludes well to what
i'm what i'm talking today most games store data in the clear gameplay data uh either in sql like file databases or if you're in ios land uh like uh like something called p-list okay so for example pocket trains pocket trains the whole premise of the game is uh you deliver goods to cities around the real cities around the world uh and it takes a certain number of time to actually get your train from your starting point to let's say the other city and once once your goods are delivered from city a to city b you get gold what can you do with that gold after uh when all the goods are delivered by the train you can buy
new ports uh you can buy new ports in cities uh to open up okay so on pocket trains there is a keyless file that actually has all your game data the number of gold that you have the trains the stations that you own even the crates all that good stuff in an xml format okay all you have to do is you know open up the app you know through a tool like i explore open up the plus file modify it and then of course all your changes open up the game you can see all your changes however one of the interesting things is is that nimble bit actually checks some of the data on the server side at times
and so what they have done is if there's actually discrepancies between the p-list and the p-list file and what's stored on what information that's sent on their server you actually can get banned okay so how you actually can get ahead get ahead inside a lot of these mobile game now well just just just open up just open up the data in plain text modify it and voila malware okay an android lan if you're not familiar with uh one of the things that you can do in android which is lovely if you can download an app you know because an app is just an apk file which is analogous to a jar file or a zip file you know
you know extract the data power you know put the stuff that you want in there repackage it and submit it to the google play store that's why there's so many different versions of a starbucks app uh back in the good old days or many version of bank of america and of course as a reason how many different versions of angry uh flappy birds are there too many to name okay so example number one there is an app on uh android called freedom that we that revealed all the applications including games that are quote unquote hackable or they and that have in app purchases so if you're the person who don't want to actually pay for in-app purchase
in-app purchases and games and apps download freedom okay and of course it will actually have a menu of things that you want to do like say instead of paying 99 cents for a gold the amount of dollars that you spend is zero our transaction happens somewhere through a middleman not in google play how it works well let's not get into that okay flappy bird was actually one of my favorite now if you don't know the back story already there was a developer who was so fed up with his own fame you know getting you know being the the top game on the app store on uh on ios and android so fed up with the
fame don't want to do anything with this anymore hold the game out and of course people were of course you know all up in arms so what the bad guys decided to do bring it back to life of course the version of the game that they brought back to life it smells like the original flappy birds it looked like the original flappy bird but at the end of the day it wasn't the original flappy bird because of course the permissions were a little bit different and uh some of the code base were a little bit different in certain and said some of the ads and some of the transactions were going through some of the sinister servers
okay now don't be shy who have played candy crush saga here raise your hand if you play candy crush saga have anyone here that have those of you who have played candy crush saga have you actually looked for ways to cheat so you can actually get more live instead of waiting for a few hours don't be shy admit if you eventually have done that you have now have you ever done a google search for candy crush saga cheeks before it is the biggest abyss that you might actually have ever seen if you actually have done a google search for candy crush saga cheat you will not believe the amount of the amount of spam that you will see and
that in fact every single entry in google looks exactly the same okay in fact if you like to go to some of the web pages from the link they all look the same as well yeah i wonder how that happened okay in fact even worse is that if games like flappy bird what we found out was the ads that were being displayed now a lot of these games of course which who said that a lot of the uh the business model of game depend on ants someone here said that okay now the problem is with a lot of these ads where they're from where i can tell you this one they're not from like coca-cola or you know the fortune 500
companies they are add to uh let's say things that you like we'll give you like okay and huh the misfortune or the other way yeah the other way around and you can tell even if you actually look at the ad it doesn't yeah i don't think this looks very uh this look this doesn't look very reputable to me and unfortunately it is very well known that the ad network is kind of there is very serious uh let's say uh well the word is cd i think that's a perfect word to describe it red light district okay which can potentially lead to other malicious websites and networks as well okay now i don't know i had a conversation
yesterday with uh i forgot who it was and we talked about how many people have been to hack kids or what used to be defcon kids they rebranded it to now hack kids anyone okay so two year three uh yeah it was 2011. that was defcon 19. so i remember they were we had def con kids because i was involved with it and uh put it this way there was a 10 year girl by the name of sifi that was a candle revealed a zero day in games you know what that mean be afraid be very afraid so what turns out to reveal something really really interesting a lot of these games such as candy crush
saga pocket trains pocket plane you name it you know the game where you actually if you uh you have to wait for a certain amount of time in order to make your next move well they depend on something called your actual time on your on your mobile device this is what you call what i call the time state attacks you know they're dependent on the actual time now there's a little typo here i just caught that so yeah whole idea is if you want to move ahead if you want to get your move back just incrementally change the internal clock on your on your on your on your device it's not that hard okay by the way this actually does work
in candy crush saga and pocket trains as well of course the interesting thing is if you actually uh let's say turn the clock forward and get all the trains all the good delivered to your city at point b uh it's nice but the point is but the problem is your fuel will be uh of a negative value which doesn't look good okay now this connection in latency now one of the beautiful things about playing fifa 14 is when i'm about to lose okay all i need to do is just disconnect myself from the wireless network and there you go it doesn't mean that loss doesn't count against me wonderful so usually so now my overall record
against all my opponents i'm undefeated it is wonderful okay it is the absolute most wonderful thing however for me it actually works out pretty well but also at times if you are actually let's say winning the game big okay it could also this could also work in against you as well so let's say you already have a probe you have a great game going but guess what happened then of course the whole game disconnect the score doesn't count the game actually doesn't count now the problem with mobile device where any of these mobile devices is really the whole idea of high latency and high disconnection okay detecting these are very hard the problem with mobile devices is you can
never ever you can never ever ever depend on networking uh reliable uh compared to like wi-fi on a desktop or a laptop because the problem is what happened if you move from here and of course when you go to the charles river it actually thinks uh or like in the middle of the desert then things get really interesting so this connection and latency is a huge play it is actually much harder to attack but it actually is a double-edged sword but still it is a very very good form of cheating in these games okay now the fake location fake sensor data this was still anyone use foursquare it's still a big area but it's still a
big area of uh let's say work and originally it could be worse because let's say you're here right now in the microsoft building back in see back in 2010 everything was great i mean you can spoof everything i mean they had their api that was wide open and of course you can tell some people that while you're in cambridge you're actually at the top of the eiffel tower okay fake sensor data all this stuff really easy to do especially if you have a rooted or jailbroken device okay now there were some there's some research that has been done in this whole idea of mobile games well guess what most of these systems currently lack like some
sort of a tpm trusted platform module so it's very hard to actually validate any of the sources well if any of the data was booted okay api abuse oh so uh game center how many people have ever uh how many people have an iphone ever looked at game center before now one of the beautiful things and still is a problem even though apple could have said they convinced it they said they fixed the problem is you see things like this if you play cut the rope this is some asterisk this is this has been it still is a problem for so many of these games is when you actually go to game center which actually record your high scores
and all your achievements and then of course when you compare to the rest of the world how you like how you compare to the rest of the world you have no shot because you get some clowns that actually did this now i think an apple win i don't even know i can't even read what number that is okay but i think that was the quote-unquote max int that uh apple implemented for scores for any game for the longest time so this has been a this is still a problem because there's still plenty of games out there uh that i see on game center that had just completely astonished scores okay so in translation what's the point
in leveling up because i'm never going to beat these guys anyway well it turns out it's actually much easier to do but it would really easy back to the back in the goods back in the days all right just shove a proxy in there okay so attack number one you know if you want to you know do exactly like rig high scores uh connect to the api uh intercept and modify the score dash value field in the xml it was just that easy okay and of course there's abyss right here known as privacy and information leakage you guys here i think it was a few months ago that there were stories about how the nsa loves so many of these games
such as like angry bird candy crush saga okay uh and why you know the nsa love to have all the data well it's actually pretty well it's well it becomes ridiculous this just becomes it just becomes too easy uh why i mean why does these all these games leak out so much information well let's see uh there's still too many apps that actually transmit data and declare using http uh example quiz up anyone that played quizzer they fixed the problem recently and of course permissions android is one uh in ios for as well now uh a lot of these apps just use way too many permissions or the user just grant too many permissions to the apps
uh angry birds are just another one there's no good reason why angry birds should be reading your sms messages and unfortunately uh you know that's that's been the case with a lot of the game developers they get way too many permissions and of course you have too many permissions you get too much you know you have the opportunity to leak data really really high uh even better two years ago um there were so many games and apps for that matter that called uh this api function called a b address book copy array of all people and send all the data back to servers uh and i know that my friends of beer code built an app built an application of
audios that just scans all the apps that were out there that actually made this ape that had this api call you just do strings on all the binaries of the apps and they came up with many many apps including angry birds okay if you were here at joey's talk yesterday uh on mobile forensics uh those uh games and apps uh you said you said that i remember correctly games are the worst especially those women that post your high score to facebook or twitter most of these games uh store the credentials store facebook credentials uh twitter credentials uh in the clip plain text and sql like databases okay it just becomes it just becomes way too easy
so what how do you fix the problem so let's see what's out there uh there's been more there's more mechanism for the pc end of things because of course the security model is a little different uh of course there are things called banning their penalties uh captures you've got to make sure that you're human pcs actually because you know you know data is not sandbox uh they have things like anti-cheat uh warden for world of warcraft read all the memory on your machine that can't happen on mobile that's currently well unless it's a rude device can't happen uh and if you actually have location based games there is dead reckoning to predict the location of the players
all right there's some some proposed solutions uh such as okay about the disconnection problem in terms of latency why is there a way to verify wi-fi position by sending you know the ssid information signal strength i mean look we already have that i mean the thing is ssid signal strength all that stuff it's been recorded already by google um what about if you're doing anything that's uh location based uh well you can do a really q a i mean there's apis like google places for example if you're saying that uh you're really at the eiffel tower well you can actually let's say oh let's say take a picture of like you're really at the eiffel
tower you know submit that and uh of course now with like reverse image search that can be done really easily att has actually an api where that you can display a network statistics and information uh you know about devices and uh there's even you know facial recognition by way of camera to actually prove that you're actually who you are when you actually make a transaction like bang to buying that fake sword or that batch of gold or that pack of cards uh and of course one thing i would like to add here you know that i also haven't seen anyone take advantage of if you're a lot of these new devices a lot of these new phones actually have biometric
scanners like touch id now that can be used for transaction security i mean there's some good news i mean despite the fact it's not necessarily all bad but you know compared to the desktop uh and the pc environment uh there's a lot of uh game attacks that you know can't be done or really really hard to do uh for example third-party plug-ins like flash and quicktime um i know that games like second life back in the good old days were vulnerable because you know depending on quick time so you had a vulnerability in quick time then the game was vulnerable as well uh user generated content is very very very very hard uh i know that you know a
lot of games that have been pulled a classic game like doom and wolfenstein you know modding was a big thing but uh because of sandbox environment mobile devices it's really hard to actually upload view to generated content so thank good like those like those good old days of new patches i mean that have gone away a little bit scripting engine bonding you know really really difficult without like rooting or something it still can be done i think people have done stuff like aimbots for for like uh shooter games on over to white but it requires rooting devices but all in all in general some stuff from pc cheating game cheating that gone away so i guess
So I guess, why, what's the whole point of this topic? I mean, what's the value? Well, the value is: who loses? Well, everyone loses. The players: the loss of fun, the loss of purchases of virtual goods, that's never a good thing, and potentially lots of personal data. And if you're on a mobile network, then chances are you could see it spiking your usage and perhaps even your credit card bills as well, like for example the malicious version of Flappy Bird, which actually can read and send SMS. Anyone here still pay by the cent for text messages? There's still some people out there. Okay.

Game developers have a lot to lose because they have a lot of money to make. So if you're actually spending zero dollars on what should be 99 cents for a pack of cards, well, guess what, they lose revenue, because that's where they actually make their bread and butter. Okay. You get bad data, and of course the cost of computation could possibly increase as well too. It will also affect platforms, especially when the addressable copy array of all people was out; it was a real black eye for Apple, and so it was one of those few incidents where Apple decided, okay, we gotta do something right away, because we're just getting negative, negative publicity for this.
So I guess, what am I trying to... I guess let's take a look back. In the grand scheme of things, it really is an underbelly for mobile games. It's not fun out there; in fact there are many opportunities for what could possibly go wrong. I think what I'm really disturbed by is, again, as I said earlier, we have this many people downloading games, playing games on a mobile device, but yet I've only seen one piece of literature out there on this whole topic. It's just really, really troublesome to see. I mean, this is actually a fabulous arena, mobile games, to determine what could possibly go wrong, because of course the numbers show, hey, look, like, you know, 43, 40... 60 of all downloads for Apple are games. So why aren't people doing more work in this area? I don't know. It's really, really disturbing to see, and the effect is, right now, no one wins. Players lose, everyone's reputation is at stake, and one thing that is very sad, that's for sure: with mobile games, and MMORPGs from a few years ago, there's also a lot of money at stake here as well.

So why are people not going deeper into games? This is not a joke, okay. People think this is all fun and games, but it's a great microcosm for everything. If you're doing mobile security, it's the business place to be. Why aren't people doing more work in it? I don't know, I really don't know. And that's all I have. Thank you for being here, and I'm gonna take questions. Anyone?

Yeah, maybe I missed it, but what was that one paper called, and what was, like, the general...

Yeah, the white paper was called Chord: Providing Security for Mobile Games, and this was actually published in the ACM in 2013. This is the only paper I've actually seen on mobile games, and I'm gonna post these slides; I certainly will put the link on my Twitter. Can you believe that there's only one paper, there's actually only one white paper, academic paper, done in this area?

Yeah, it wasn't on mobile games, but I think it was Gary McGraw and Greg Hoglund who wrote a whole book on gaming and security.

Yeah, and that was for PC games and stuff like that, five years ago, eight years ago. And so I actually have a copy of that, because I work with Gary, and some of the things in that book still apply. For example, I can tell you exactly what still applies of these topics. One thing I did not mention in terms of abuse mechanisms is packet sniffing, but that's well known; I mean, I don't need to get into that one because that's been well known for years. File modification, tampering. However, they didn't speak too much about malware in that book. I mean, I guess what has changed: certainly malware has been awful now. The API abuse has gotten even worse because all these games now have to depend on Twitter, Facebook or whatever social network is out there. They did mention time state attacks; that's still a problem, that's still a problem in mobile. Location data wasn't big at all back then, back six years ago. And latency has always been a problem. But in that book there were a few things that could then be carried over, but now, mobile, well, I guess things have changed, because a lot of things have changed since the writing of that book. And I didn't tell Gary, you know, I'll be continuing to work. I don't know if we're gonna do anything else.

No? Okay, see you again later.