Skip to main content

Why mobile game developers need to say “Game Over” to the man-in-the-middle

(Image credit: Image source: Shutterstock/BeeBright)

With a whopping 2.2 billion smartphone users worldwide, it is no surprise that mobile games make up 42 percent of the gaming market equating to $46.1 billion in revenue. What is surprising is that most of the mobile games, including those most popular among children and teens, are highly vulnerable to a breach, often inviting hackers into children's lives. While there is heightened awareness from consumers of the dangers associated with mobile hacks and breaches, the fact that hackers have access to personal information is particularly disturbing when it involves applications most frequently used by children.

The threat of hackers does provide incentive for consumers to take extra precautions, but are these safety measures enough to keep them safe? To protect consumers and continue to deliver fun and safe products, it’s imperative for gaming companies to provide users with secure applications. To do this, the creators of these entertainment apps need to implement security practices during development.

Recently, Checkmarx’s (opens in new tab)Security Research Team initiated an investigation to raise awareness of the substantial threat hidden inside vulnerable mobile games and related apps that returned unnerving results. Checkmarx was able to identify that the Android versions of three highly popular mobile applications – Roblox, Lucky Patcher and SimCity BuildIt –often used by children and teens, were easily hacked via a man-in-the-middle attack, and personal data, including age, name and location, could be stolen. Through identification and disclosure, Checkmarx hopes to bring attention to these types of attacks and prevent them in the future.

Enter the man-in-the-middle

Man-in-the-middle (MiTM) is a vulnerability mentioned on both the OWASP Top 10 (opens in new tab) And SANS 25 (opens in new tab) industry lists. A MiTM attack occurs when a malicious attacker hijacks the sites and applications during the flow of communication data between client and server, by tricking clients into believing he is the server and tricking the server into believing he is the client. Through this method, the attacker can access and manipulate information that travels between the server and the client. Essentially, MiTM means that someone is eavesdropping on your communication and has the ability to read and modify all of a mobile phone's inbound and outbound internet communication. Furthermore, if attackers may plant malicious downloads that have the ability to control the victim’s mobile phone and easily access all of their data – including credit card details and personal photos.

These attacks are effective because of the nature of the HTTP protocol which is not encrypted making it possible to view the data in transfer. While MiTM attacks can target many different types of organisations, hackers often target users whose data can be used for commercial profit. By gaining access to the communication flow of sensitive data, it’s possible to change an amount of money for a transaction inside the application context.

Stop hacks in their tracks

To identify the vulnerabilities in Roblox, Lucky Patcher and SimCity, the Checkmarx research team employed techniques commonly used by hackers. By utilising the MiTM method on all three of these applications, the team acted as a middleman between game and player. Through this practice, the team could read and alter all in-transit data and was also able to plant an in-app malicious download that, if downloaded, could access users’ information.

Knowing that children are the users most likely impacted by these vulnerabilities, it is critical for gaming companies to take steps to best mitigate risk. While Checkmarx went through the responsible disclosure process, contacting the three gaming companies involved to alert them of the user risks, to date, only Roblox has fully amended their software to address these vulnerabilities. Electronic Arts responded on behalf of SimCity BuildIt to inform us they are the process of remediation and Lucky Patcher is still under threat of a malicious attack.

By definition, MiTM attacks infer that children, or adults using the website or application, would not typically be aware that the platform is under siege, and would continue communication as usual. Therefore, the attacker has access to sensitive and private data based on the sites and applications individual consumers are using on their mobile device. Since MiTM attacks are extremely difficult to detect, prevention is truly the best solution. It’s up to gaming companies and their development and security teams to incorporate security features into the software builds for their products.

The gamer can’t back down 

In today’s world, data is collected and stored by most applications, which can be extremely valuable for hackers who could use the information for future attacks. Moreover, in many cases gaming apps also require payments for specific functionality and may expose payment data when not handling code securely and correctly. While mobile gaming companies should be developing applications with security measures top-of-mind, consumers can’t always rely on the games they play to be completely secure. To avoid putting their information at risk, mobile gamers should take the following precautions to – hopefully – avoid the Man-in-the-Middle:

-          If possible, avoid free public Wi-Fi hotspots; hotspots are not considered secure and may be monitored by attackers.

-          Install the latest version of your operating system. Updates often contain important security upgrades.

-          Always download applications from the official application store and disable the “unknown sources” option on Android devices. Lucky Patcher for example, cannot be downloaded from the Google Play store.

-          Regulate the information you provide online. Know whether the site you are using is secured (at least communication should be https based) and disable autocomplete forms requesting sensitive data.

-          Use HTTPS instead of regular HTTP when possible (notice the “s” after HTTP – “s” stands for secure.)

In mitigating the risk of a MiTM attack, gaming companies need to embrace secure development practices – this enables organisations to detect and fix bugs before a game is deployed and purchased by gamers. Vulnerability detection can be achieved in the earliest stage of applications development: the creation of source code. With static code analysis, the source code can be scanned for potential security vulnerabilities, significantly reducing the risks of attacks later on in deployment. In tandem, consumers need to be vigilant and proactive to ensure the security of their mobile devices.  At the end of the day, it takes multiple layers of due diligence from game developers, security practitioners and consumers to truly avoid the Man-in-the-Middle.

Amit Ashbel, Director of Product Marketing & Cyber Security Evangelist, Checkmarx (opens in new tab)
Image source: Shutterstock/BeeBright