How to secure data from hacking?

It’s not safe by default. You could implement a file hook, which encrypts the complete file content or, as @milos1290 was suggesting, encrypt the values.
You don’t need to even use SQLite. The easiest way is to store your save game data in a binary blob and apply your hashing methods.

Encryption does not prohibit your data much from hacking. It only makes editing values harder. If you save your values as binary data, an attacker could change your values and hope they will make sense. The data would just create random values or even generate overflows.

What you should look into is hashing your content/values with some cryptographic hash function like the SHA-2 family. For your purpose xxhash would even suffice, but keep in mind that it’s non-cryptographic.
Hashing your content will prohibit tampering with your data. You need to combine two or more hashes to generate a secure hash. E.g. hash of some system file + hash of your content/value. Keep this method as secure as possible!
Hashing of the value/content alone won’t make it secure, as the attacker could easily guess which content you hashed.

The problem with encryption is that you have to store your key in some place, even in memory. As long as you can’t store it in a secure place like in hardware (which could also be cracked) and your client is not safe, an attacker can get your key and it will render your encryption useless. If an attacker is able to get your encryption keys, it’s also very probable that he can reverse engineer your hashing methods.
If your client is broken (which is the case with consoles, PC, mobiles, …), it’s game over. The only thing you can do is make it harder for an attacker, but not prevent it.

This would not prevent an attacker from hacking, as he can still manipulate the data sent to the server, where it will get stored.

I agree with you, that such users would just be the minority, but don’t forget, that you can also run Android in a VM on your PC and there are also software stacks for running your mobile games on the PC.

Just apply some hashing. You could also apply encryption to make it harder to edit your content.

You can’t, unless you have a safe place to store it, which does not exist for your target devices. The time you save the key on a broken client, you can’t do anything against it. It’s just a weighing up of what’s in there for an attacker to crack your game.

It will create random data with some possibility of creating a valid number or an overflow, which will crash your game.

If you really want to prevent cheating, you would need to implement and analyse game play statistics like the FairFight system is doing:

It would only teach him to apply “rinse and repeat”. He would just need a backup of his save-game and he can just repeat it.
If an attacker is eager to hack, I guess he maybe would not care about resetting his stats.
Obviously some time-intensive hobby :smile:
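
The save-data tamper check described in the post above, as an added example that is not part of the original thread. It uses HMAC-SHA256 as the standard way to combine a secret with the content hash; the device secret, salt and save fields are constructed assumptions.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # SHA-256 output size in bytes


def derive_key(device_secret: bytes, app_salt: bytes) -> bytes:
    """Derive the MAC key from a device-bound value plus an app constant."""
    # Both inputs are hypothetical and recoverable on a compromised client.
    return hashlib.sha256(app_salt + device_secret).digest()


def seal(state: dict, key: bytes) -> bytes:
    """Serialize the save state and append an HMAC-SHA256 tag."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def load(blob: bytes, key: bytes) -> dict:
    """Verify the tag before parsing; raise ValueError on any mismatch."""
    if len(blob) <= TAG_LEN:
        raise ValueError("save blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("save data failed integrity check")
    return json.loads(body)


def is_valid(blob: bytes, key: bytes) -> bool:
    """Convenience wrapper: True only if the blob verifies and parses."""
    try:
        load(blob, key)
        return True
    except ValueError:
        return False


# Constructed sample values for the demonstration.
KEY = derive_key(b"constructed-device-id-1234", b"constructed-app-salt")
SAVE = seal({"coins": 1000, "level": 7}, KEY)
EDITED = SAVE.replace(b'"coins":1000', b'"coins":9999')  # hand-edited save
```

A byte-for-byte copy of an older save still verifies, so this detects edits but not the backup-and-restore replay mentioned in the thread.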

As @iQD said, there is no easy way to be safe. Just making it harder to hack will be enough; you don’t want 12-year-olds just to open up UserDefaults and change values. In most situations, if user prefs are encrypted, hackers will use a cheat engine or something else to change in-memory values. This is how most people hack; you can see it in leaderboards with abnormally high scores :wink:

After encrypting prefs, concentrate on in memory values and protect them, since this will be the easiest way to hack your game if prefs are secured.

EDIT:

For example, using xxtea, even if the hacker knows the key, it will be really hard for him to decode it, since he needs to find the xxtea algorithm used to encode your data in the first place. So basically all online solutions will fail.

It’s not just a minority; hackers hack the app and back it up with saved data included. So you just need to download and install the app, which will include saved data from the person that hacked it. And you don’t need a rooted device for installing the app.

Exactly! This is why hashing your data is more important than encrypting it.

How to protect in memory values?

This story has no end… :smile:

By using ASLR and homomorphic encryption :wink:

The problem is, that the OS has to implement ASLR and FHE is not usable at this time.

Homomorphic encryption is not quite ready for everyday use. The methods have been shown to work in principle, but they still impose a heavy penalty of inefficiency.

http://www.americanscientist.org/issues/pub/2012/5/alice-and-bob-in-cipherspace


Yeah :slight_smile:

Well, there are a lot of ways to protect it; the easiest one is to add/subtract an arbitrary value from the real one and keep it in memory. When you need it, you will just apply that small step to get the real value. This is usually enough for most people to give up, but of course someone with a little more experience will hack it in no time. You can go even further and have a copy of your protected value also added/subtracted as a check to the first one.

Example, if the user has 1000 coins:

float coins = 995.5f;  // stored value, offset from the real balance
float step = 4.5f;     // offset added back whenever the value is read

float getCoins(void) {
    return coins + step;  // real value: 1000
}

So if a hacker searches for 1000 in memory, he won’t find it, since the stored value is 995.5. Of course there are a lot of other ways to hack it.

This is not really protection, just obfuscation. You can’t protect values, which are stored in memory.

He would not search for the value, but for the API entries, function names, strings or other stuff.
The obfuscation is basically too trivial to give a benefit.

You can only protect your code/data by handcrafting some tricks/protection in assembler.

But as you said: it’s enough for your daily cracker/cheater kiddy; against skilled people, it does not stand a chance.

Yeah, but don’t forget, this will be on a mobile device. There are no good tools to do that, except simple memory search apps.

There is only one tool needed. Mobile or not, it still boils down to CPU architecture and data layout.

But there is the one best tool, with which an attacker can do everything.

The question is, what has a mobile game/app to offer, that is worth cracking? Leaderboards? Coins? Banking transactions? Identity theft?

Yeah, that is what I’m saying. I mean, in reality, in 99% of cases your game will be hacked by 12-year-olds. So just a simple protection like obfuscation will be enough to prevent it.

On this I totally agree with you. We are on the same page, but is it worth it?

Such stuff only clutters up your code, makes it unreadable and harder to understand for the next code maintainer in line.
Implementing server checks for data reasonability is the best solution.

  1. Cracker kiddy takes action

  2. Server checks data

  3. Schadenfreude about the kiddy wasting time and still playing your game/generating you revenue

The big advantage is, that you don’t have to implement any crappy, bothersome anti-kiddy stuff in the client.

Yeah, but what if your game is offline ? :slight_smile:

Kiddies cheat because of leaderboards and such stuff. The game scores have to be uploaded, so the game has to be online. There is no problem with that.

What would the purpose of modifying an offline game be? Cheating won’t harm anyone, besides the attacker himself.

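
One way to implement the server-side reasonability check on uploaded scores described above, added here as an example and not code from the thread. The limits, field names and sample submissions are hypothetical.

```python
from typing import NamedTuple

# Hypothetical limits; a real game derives these from its design and
# from observed play data.
MAX_POINTS_PER_SECOND = 50
MAX_POINTS_PER_LEVEL = 5000
MIN_SECONDS_PER_LEVEL = 20


class Submission(NamedTuple):
    player: str
    score: int
    duration_s: int
    levels_completed: int


def implausible(sub):
    """Return the reasons a submitted score cannot come from real play."""
    if sub.score < 0 or sub.duration_s <= 0 or sub.levels_completed < 0:
        return ["malformed values"]
    reasons = []
    if sub.score > sub.duration_s * MAX_POINTS_PER_SECOND:
        reasons.append("score exceeds maximum earn rate")
    if sub.score > sub.levels_completed * MAX_POINTS_PER_LEVEL:
        reasons.append("score exceeds per-level cap")
    if sub.duration_s < sub.levels_completed * MIN_SECONDS_PER_LEVEL:
        reasons.append("levels completed faster than possible")
    return reasons


def accept_for_leaderboard(subs):
    """Split submissions into ranked entries and quietly dropped ones."""
    accepted, rejected = [], {}
    for sub in subs:
        why = implausible(sub)
        if why:
            rejected[sub.player] = why  # keep the reasons for later review
        else:
            accepted.append(sub)
    accepted.sort(key=lambda s: s.score, reverse=True)
    return accepted, rejected


# Constructed sample submissions.
SAMPLE = [
    Submission("alice", 12000, 600, 4),
    Submission("bob", 2147483647, 30, 1),
    Submission("carol", 9000, 40, 3),
]
```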