11

Recently my game has been hacked and one user submitted an impossible score to the server. The score was submitted with a verified checksum, and correct data.

I'm convinced that the user must have reverse engineered my APK file to find the POST request.

Now I wonder what would be a good way to prevent this from happening again and I thought about verifying the SHA1 signature of the app. Maybe this way I can make sure that the app is signed by me, and is not a reverse engineered and changed version of the app.

Would this be possible? Or would there be a better solution to solve this?

I am using LibGDX by the way.

Z0q
  • 1,689
  • 3
  • 28
  • 57

5 Answers5

4

First of all, you really have to obfuscate your code. You can find more information about ProGuard and code obfuscation here.

Second of all, you can use GoogleAuthUtil available in Google Play Services, which is available for devices running Android 2.2 or higher.

GoogleAuthUtil does exactly what you need:

GoogleAuthUtil server communication

Your client server calls go to Google via a HTTPS request, Google checks whether or not the call is made by an app signed with your release certificate, and then it sends the request to your server.

You can find official tutorials about how to implement this here and official documentation here.

Cheers!

DDsix
  • 1,966
  • 1
  • 18
  • 23
3

1) Use code obfuscation for ex. Proguard. This kind of tools available not only for Java. But be careful with that - obfuscated code may work slowly or contain additional bugs.

2) Add App Licencing check (this will check app signature with Google Play):

Watch this video with attention: https://www.youtube.com/watch?v=TnSNCXR9fbY As I remember he mention technics used at runtime to verify your app not hacked or modified (zip check, etc).

3) Make sure your app/server use secure connection (SSL/TLS) only with MODERN cipher suites. This will mitigate downgrade attacks.

You can use this generator to build config with MODERN cipher suites for your server: https://mozilla.github.io/server-side-tls/ssl-config-generator/

Also you can use certificate pining on client side - this will mitigate authority attack.

Do not use plain HTTP connection.

4) Use some kind of request signing (like Amazon AWS does) You can get core idea from their docs. http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html

Also this article should be helpful.

5) Prohibit usage of your app on ROOT'ed devices by adding run time check. Because of on rooted phone it's easier to hack or analyze your app.

6) You can decrease fraud by adding some ban system to your online game - if somebody hack your app and send wrong data to your server => add this user to ban list on server side (by IP or by user ID, etc). Probably add users to this list temporary (ex 24 hr, 7 days)

7) + if you are using Json/XML as data formats for network layer try to use binary format like Protocol Buffers. Binary serialization formats more efficient and hard to reverse engineer.

dasar
  • 5,321
  • 4
  • 24
  • 36
1

Verifying the integrity of your app won't be enough, since the request can be easily faked outside the app or modified in memory on the fly, using a rooted android environment. Even more, you cannot totally avoid it.

This is a problem shared by all applications running in a machine out of your control (all client applications). You can't never trust the data coming from them.

As I can see it, you have several choices:

  1. Obfuscate the code and make the app more difficult to be reverse-engineered. Notice that this do not solve the problem, but minimizes it.
  2. Move processing to the server. The more game-play is controlled by the server, the less vulnerable you app would be to this malicious behavior.
  3. Automatically detect impossible scores and close their accounts

Cheers,

idelvall
  • 1,536
  • 15
  • 25
  • 1
    I don't believe that it can easily be faked. One needs to register their SHA1 key in order to use Google Play Games. It seems that they can see whether or not the app is the original one or a pirated version. – Z0q Feb 25 '16 at 16:28
  • I don't mean by other application in the phone. I mean by other HTTP client application faking the original request, and knowing the source code and sniffing the HTTP conversation of the original app can be done. I edit my response to make reference to a rooted android – idelvall Feb 25 '16 at 17:00
1

If you want to verify the signature of your app without the possibility that this is cracked too, you would have to upload the whole apk and make the check on a server. This is not a practicable solution.

The only secure android app is a pure terminal app, which means you'd have to do all computing on a server. Most of the time this won't be possible because of latency.

That's why we Android developers have to live with this: an app is not 100% secure.

But you can get close to it.

You might want to read Security with HTTPS and SSL guide for securing your communication.

Also you'll want to ensure your client is hard to crack: android app piracy prevention and Combating Android App Piracy: Xposed

In your case you'll also want to implement server-side request validation: If you have a game with a server side, users probably have an account. If a user sends a clearly impossible score, automatically disregard the request and ban the user (and his ip). (But also have in mind that this should never happen to a valid request, otherwise users might get angry and stop playing.)

Community
  • 1
  • 1
F43nd1r
  • 7,690
  • 3
  • 24
  • 62
1

You can obfuscate your code better and use some very obfuscated secret to sign your requests. With that you can increase security.

But if all your game run in client it can't be completely secure. Because it doesn't matter what you use to sign, if you do it in client it means you have the secret or private key in client and then it can be hacked.

To make it more secure you need to involve some game logic in server and then control in that logic that the user isn't cheating.

lujop
  • 13,504
  • 9
  • 62
  • 95