Swords and shields: a study of mobile game hacks and existing defenses

Yuan Tian, E. Chen, Xiaojun Ma, Shuo Chen, Xiao Wang, P. Tague
Published in: Proceedings of the 32nd Annual Conference on Computer Security Applications
Publication date: 2016-12-05
DOI: 10.1145/2991079.2991119 (https://doi.org/10.1145/2991079.2991119)
Citations: 7

Abstract

The mobile game industry has been growing significantly. Mobile games are increasingly including abilities to purchase in-game objects with real currency, share achievements and updates with friends, and post high scores to global leader boards. Because of these abilities, there are new financial and social incentives for gamers to cheat. Developers and researchers have tried to apply various protection mechanisms in games, but the degrees of effectiveness vary considerably. There has not been a real-world study in this problem space. In this work, we investigate different protections in real-world applications, and we compare these approaches from different aspects such as security and deployment efforts systematically. We first investigate 100 popular mobile games in order to understand how developers adopt these protection mechanisms, including those for protecting memory, local files, and network traffic, for obfuscating source code, and for maintaining the integrity of the game state. We have confirmed that 77 out of the 100 games can be successfully attacked, and believe that at least five more are vulnerable. Based on this first-hand experience, we propose an evaluation framework for the security of mobile game defenses. We define a five-level hierarchy to rate the protection mechanisms to help developers understand how well their games are protected relative to others in the market. Additionally, our study points out the trade-offs between security and network limitations for mobile games and suggests potential research directions. We also give a set of actionable recommendations about how developers should consider the cost and effectiveness when adopting these protection mechanisms.