Mobile, Embedded, & Wireless Security

Cheating and Anti-Cheating in Mobile Games


The mobile game industry has been growing significantly. Mobile games increasingly let players purchase in-game objects with real currency, share achievements and updates with friends, and post high scores to global leaderboards. These features create new financial and social incentives for gamers to cheat. Developers and researchers have tried to apply various protection mechanisms in games, but their effectiveness varies considerably, and there has not been a real-world study in this problem space. In this work, we investigate the protections used in real-world applications and systematically compare these approaches on aspects such as security and deployment effort.

We first investigate 100 popular mobile games in order to understand how developers adopt these protection mechanisms, including those for protecting memory, local files, and network traffic, for obfuscating source code, and for maintaining the integrity of the game state. We have confirmed that 77 out of the 100 games can be successfully attacked, and believe that at least five more are vulnerable. Based on this first-hand experience, we propose an evaluation framework for the security of mobile game defenses. We define a five-level hierarchy to rate the protection mechanisms to help developers understand how well their games are protected relative to others in the market. Additionally, our study points out the trade-offs between security and network limitations for mobile games and suggests potential research directions. We also give a set of actionable recommendations about how developers should consider the cost and effectiveness when adopting these protection mechanisms.

[Figure: Unprotected client-server interactions enable cheating]

[Figure: Various defense strategies evaluated for runtime cost and development effort]

As shown in the example client-server interaction above, a game can be vulnerable if the developer did not implement the defense mechanism completely. The example is taken from a popular trivia game that implements partial client-server sync yet remains vulnerable to cheating: because the server trusts state reported by the client, malicious gamers can modify network traffic to obtain in-app coins and equipment while bypassing the in-app purchase mechanism. The second figure above compares the costs associated with the different types of anti-cheating mechanisms; client-server sync is the most secure but also the most costly approach.
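The pattern described above, as an added example that is not code from the paper or from any of the games studied: a minimal game server that keeps the authoritative coin balance and inventory, rejects any client message that asserts state directly (the partial-sync mistake), and credits coins only for a store receipt whose signature it verifies and that has not been redeemed before. The HMAC-signed receipt, the store key and the item prices are constructed stand-ins; a real app store uses its own signature scheme and verification API.

```python
import hmac, hashlib, json

# Constructed stand-in for the store's receipt-signing key (assumption for the
# example; real stores sign receipts asymmetrically and expose a verify API).
STORE_KEY = b"example-store-signing-key"
COIN_PACKS = {"coins_100": 100, "coins_500": 500}   # sku -> coins granted
EQUIPMENT_PRICES = {"sword": 150}                   # item -> coin price

def make_receipt(sku: str, order_id: str) -> dict:
    """Constructed receipt in the form the store would issue (demo only)."""
    body = json.dumps({"sku": sku, "order_id": order_id}, sort_keys=True)
    sig = hmac.new(STORE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

class GameServer:
    def __init__(self):
        self.coins = {}        # authoritative balances, never copied from the client
        self.inventory = {}    # authoritative equipment per player
        self.redeemed = set()  # order ids already credited (replay protection)

    def handle(self, player: str, msg: dict) -> dict:
        # A partially synced server that accepted "coins" from the client would
        # let a modified request mint currency; state fields are refused outright.
        if "coins" in msg or "inventory" in msg:
            return {"ok": False, "err": "client may not assert state"}
        if msg.get("type") == "purchase":
            return self._purchase(player, msg.get("receipt") or {})
        if msg.get("type") == "buy_item":
            return self._buy_item(player, msg.get("item"))
        return {"ok": False, "err": "unknown request"}

    def _purchase(self, player: str, receipt: dict) -> dict:
        body, sig = receipt.get("body", ""), receipt.get("sig", "")
        expected = hmac.new(STORE_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return {"ok": False, "err": "bad receipt signature"}
        data = json.loads(body)
        if data["order_id"] in self.redeemed:
            return {"ok": False, "err": "receipt already redeemed"}
        if data["sku"] not in COIN_PACKS:
            return {"ok": False, "err": "unknown sku"}
        self.redeemed.add(data["order_id"])
        self.coins[player] = self.coins.get(player, 0) + COIN_PACKS[data["sku"]]
        return {"ok": True, "coins": self.coins[player]}

    def _buy_item(self, player: str, item) -> dict:
        price = EQUIPMENT_PRICES.get(item)
        if price is None or self.coins.get(player, 0) < price:
            return {"ok": False, "err": "cannot afford item"}
        self.coins[player] -= price          # price and balance decided server-side
        self.inventory.setdefault(player, []).append(item)
        return {"ok": True, "coins": self.coins[player], "inventory": self.inventory[player]}
```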

Related Publications

  • Yuan Tian, Shuo Chen, Eric Chen, Xiaojun Ma, Xiao Wang, and Patrick Tague. "Swords and Shields: A Study of Mobile Game Hacks and Existing Defenses." 2016 Annual Computer Security Applications Conference (ACSAC), December 2016.