Popularity of "Pokemon Go" Amplifies Losses! Two Years in Development, Hacked Within 72 Hours of Release

2016/07/20

The Korean mobile advertising company IGAWorks published a report showing that 77.7% of mobile games spend 90 days, or just 3 short months, in the best-sellers chart (Note 1). According to the American IT security company Proofpoint, the recent blockbuster game Pokemon Go was being installed along with a lot of malicious software within 72 hours of its release.

Pokemon Go took a great deal of money and resources to develop over two years. Being hacked within three days of going live means not only the loss of many customers but also a bad reputation for compromising user details. The game had barely even made it into the rankings before the company's reputation and profits started to hemorrhage.

Hackers re-packaged Pokemon Go so that users download infected software. They added the well-known DroidJack remote administration tool, so that once a user downloads a hacked version of Pokemon Go, the hacker gains remote control over the device. The hacker can then access all of the user's files on the Google Drive cloud storage service, even deleted ones; bring up the user's search history, including navigation logs on the map; view all of the photos backed up to Google Photos, including intimate photos; see or modify other kinds of data; and access other services that use the Google account for login. Changing the GPS settings so that the game can be played in regions where it is not yet available may also overload the server, prevent legitimate players from logging on, and lead to a flood of complaints.


To avoid developing a smash hit game only to run into financial losses and a loss of player confidence, apps should take the following protective measures against hacker attacks before they are listed:

 

1. Secure the source code  

Can the app be decompiled to recover its source code? Hackers can decipher the code to expose vulnerabilities for attack. Developers generally rely on code obfuscation, but this only increases the difficulty of reverse-engineering and does not actually prevent it. Obfuscation therefore does not guarantee the security of the source code in situations requiring a high level of security. Excessive obfuscation can also make the code impossible for the developer to debug.

The best way is to hollow out the program code so that the raw source code cannot be viewed and no code can be added or removed. This does not make the code unrecognizable to the developer either.

For game engines that game developers frequently use, such as Unity3D and Cocos2D, the DLL and SO files should be encrypted so that the game code cannot be decompiled.

 

2. Blocking debuggers to prevent cheats  

There are a large number of game editors, viruses, and Trojan apps on the Android platform. These apps cause economic loss to users and developers by stealing user details and tampering with memory. Monitoring and security technologies must therefore be used to prevent the injection of malicious code into apps and to make debuggers, game cheats, ptrace, and other tools completely useless.

 

3. Tamper-proofing the app

The most popular mobile games tend to have all kinds of modified, cracked, or unlocked APK files on the Internet. Hackers have generally modified these files and re-packaged them into APK files. The average user is usually unable to determine whether they contain malicious code or not. Once downloaded and used, they may expose the user's mobile phone to malicious attack. To prevent apps from being tampered with and re-packaged into pirated software for distribution, developers should use an integrity verification mechanism to ensure that hackers cannot tamper with the program code or resource files. This will help protect the company against loss of reputation and profits. 
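A minimal sketch of such an integrity check, written for this article as an added example and not taken from any product described here: it records a SHA-256 digest for every file in the official package and reports what a re-packaged copy has modified, removed, or added. The package contents, file names, and function names are constructed for illustration.

```python
import hashlib
import io
import zipfile

def build_manifest(apk_bytes):
    """Map each entry name in the package to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist()}

def verify_package(apk_bytes, trusted):
    """Return entries that differ from the trusted manifest, by category."""
    actual = build_manifest(apk_bytes)
    return {
        "modified": sorted(n for n in trusted
                           if n in actual and actual[n] != trusted[n]),
        "missing": sorted(n for n in trusted if n not in actual),
        "added": sorted(n for n in actual if n not in trusted),
    }

def is_intact(apk_bytes, trusted):
    """True only if no entry was modified, removed, or added."""
    return not any(verify_package(apk_bytes, trusted).values())

def make_package(entries):
    """Build an in-memory ZIP (APK files are ZIP archives) from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: a tiny stand-in for the official build ...
OFFICIAL_FILES = {
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"official game code",
    "assets/level1.dat": b"level data",
}
OFFICIAL = make_package(OFFICIAL_FILES)
# ... and a re-packaged copy with altered code and one extra file.
REPACKAGED = make_package({**OFFICIAL_FILES,
                           "classes.dex": b"official game code + extra code",
                           "assets/extra.bin": b"unexpected file"})
TRUSTED = build_manifest(OFFICIAL)  # recorded by the developer at release time

if __name__ == "__main__":
    print("official intact:", is_intact(OFFICIAL, TRUSTED))
    print("re-packaged diff:", verify_package(REPACKAGED, TRUSTED))
```

The trusted manifest has to be kept somewhere the re-packager cannot rewrite, such as on the game server, because a manifest shipped inside the package can be replaced along with the code.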

 

4. Certificate pinning

When the app connects to the server over an HTTPS encrypted connection, it should check the server certificate and use STRICT_HOSTNAME_VERIFIER to verify the host name, ensuring that the connected server is the legitimate target server. This prevents the app from connecting to fake servers set up by hackers to steal sensitive data, such as accounts and passwords, upon connection.


Digicentre provides the most comprehensive mobile game app protection solution. Apart from protecting the source code, we also block common game cheats and third-party programs. An integrity verification mechanism also blocks re-packaging to ensure that all players can enjoy a fair gaming environment. This in turn extends the game's service life, protecting the interests of the developer and publisher.