Mobile games are often broken into so users can access premium content, paid features and obtain in-game currency. This is done by tampering with memory, bypassing payments and touch screens, and downloading paid apps for free — and can be done on both jailbroken or non-jailbroken devices.
In a recent webinar on SD Times, Jan Seredynski, mobile security researcher and pentester at the mobile application protection company Guardsquare, walked attendees through these game cheats and provided four simple tips to prevent them. According to Seredynski, these lessons learned from mobile game cheats can be applied to all aspects of mobile application security from healthcare, e-commerce, banking, and more.
Seredynski’s four simple tips are:
- Environment integrity: Detecting a compromised environment, for example, a jailbroken/rooted device, emulated app or system, or the presence of a debugger.
- Application integrity: Verifying that the user is running the current version of the application, that application resources haven’t been changed, and that the application has been installed from a legitimate source
- Code integrity: Verifying if the execution code is identical to the developer code. For instance, ensuring that machine code or Java instructions haven’t been changed.
- Obfuscation: Making it more challenging for attackers to understand your code by renaming variables, methods, or classes; encrypting sensitive strings; complication control-flow; and encryption assets.
Each of these protection components matters, Seredynski explained. If you don’t have environmental integrity, a hacker can bypass the application integrity; if you don’t have application integrity, a hacker can imitate the compromised environment; without code integrity, a hacker can overwrite protection code; and obfuscation, a hacker can easily find relevant functions.
Some other tips Seredynski suggested are to regularly update your protection code so that hackers don’t have enough time to understand those protections, make sure protections work on all operating systems and versions, and check for false positives.
To learn more and see Seredynski’s do-it-yourself steps on how you can protect your application through each of the four components, watch the entire webinar here.