January 9, 2017
Mobile games like Pokémon Go have millions of users’ faces glued to smartphone screens, so it may be little surprise that the mobile game industry pulled in over $40 billion globally in 2016. Protecting these games against hackers has been challenging, and a recent study by a group of Carnegie Mellon researchers shows how much work needs to be done.
“We were able to attack 77 out of 100 games and believe at least five more are vulnerable,” says Yuan Tian, a CyLab researcher and Ph.D. student in Carnegie Mellon’s Department of Electrical and Computer Engineering (ECE). “This is worrisome because mobile games are increasingly including abilities to purchase in-game objects with real currency.”
Tian presented the study at last month’s ACM Computer Security Applications Conference in Los Angeles.
The team of researchers, mostly based at Carnegie Mellon University’s Silicon Valley campus, attempted to hack 100 of the most popular mobile games on Google Play: Angry Birds, Candy Crush Saga, and others. Less than a third of the games were secure enough to hold up to the team’s hacking attempts.
“We were able to recover an encryption key from Angry Birds, which allowed us to modify all the stored information like scores and coins,” Tian says. “We were also able to hack the Dragon City game to get coins and weapons without purchasing them.”
The process of hacking into each game for the study, Tian explains, mimicked that of amateur and professional hackers. The team started with simple techniques like memory editors—tools that allow users to directly edit numeric values in a game’s memory, such as the number of lives, scores, or coins—and then transitioned to more advanced techniques: using various proxies to measure and analyze game traffic, decompiling the gaming app, and analyzing the protection logic.
The researchers notified each of the affected game developers of the vulnerabilities to help them increase security in the future.
“We hack because we care about security and we want to protect people from potential threats by identifying problems systematically,” Tian says. “Our hope is that we can educate developers to design and implement secure systems and users to avoid being attacked.”
Other authors on the study include recent ECE Ph.D. recipient Eric Chen, recent ECE master’s recipient Xiaojun Ma, ECE Ph.D. student Xiao Wang, ECE professor Patrick Tague, and Microsoft researcher Shuo Chen.