With a whopping 2.2 billion gamers and $46.1B in revenue for mobile games (42% of the market), chances are you and\or your loved ones play mobile games. Children are no exception, according to a Nielsen research piece from earlier this year, most children get their own mobile phone between ages 10 – 12. It seems that we have grown accustomed to the dangers of mobile hacks and breaches, but when it comes to children’s safety, do we raise the flag often enough? Many of the mobile games that are most popular among children and teens are highly vulnerable, almost inviting hackers into our, and our children’s lives.
To raise awareness of the substantial threat in mobile games, Checkmarx’s Security Research Team initiated security research in our lab that returned unnerving results. The Android version of three highly popular mobile games, often played by children and teens, were easily hacked and personal data was easily stolen.
The research team went through the responsible disclosure process: all three gaming companies were contacted and alerted of their vulnerabilities along with the risks they put their users in. They were all given the standard 90 days notice to patch-up the vulnerabilities that were found by our team.
Only one of the three companies was quick to reply and fix the problem – kudos to Roblox. As for the other two companies, as of October 2017:
Electronic Arts, with their highly popular mobile game “SimCity BuildIt” replied that they are in the process of remediation. Released in 2015, SimCity Buildit enjoyed 64 million downloads in its first year alone.
The Lucky Patcher app is commonly used to remove Google Play license checks for gaining in-app points and rewards. Due to the nature of the application, it’s not available on the Google Play Store but still enjoys millions of downloads by teens and children alike who use it to advance quickly in their favorite mobile games. Lucky Patcher never reacted to our contact attempts and the application is still vulnerable.
By using a classic Man in the Middle (MiTM) method on all three of these applications, our team was able to act as a middleman between game and player, allowing them to read and even change all in-transit data. Furthermore, the team was able to plant an in-app malicious download that, if installed, allows an attacker to control the victim’s mobile phone and easily access all of their data.
MiTM attacks are hard to detect. A child or teen under attack wouldn’t know that rather than communicating with the game, they are actually communicating with a middleman. Meaning that a MiTM attacker gets easy access to your child’s personal data (age, name, location, etc.). Furthermore, these attacks can result in the attacker getting access to any sensitive data flowing through your mobile device – your credit card details and personal photos are no exception.
Before you snatch the smartphone out of your child’s hands, here are a few safety measures that can be taken:
- Avoid free public WiFi hotspots whenever possible, they are easier to exploit.
- Make sure you have the latest version of your operating system installed
- Always download applications from the official app store, and keep the “Unknown Sources” option on Android devices disabled
- Disable autocomplete on forms requesting sensitive data
- Use HTTPS instead of regular HTTP when possible (Notice the S after HTTP).
That said, there is no better solution than prevention, and this leads back to the gaming companies and their development and security teams. MiTM attacks often occur because vulnerabilities in the code allow it. MiTM is a vulnerability mentioned in the OWASP Top 10 And SANS 25 industry lists.
Avoiding such vulnerabilities is possible in the applications’ earliest stage: source code. Using a static code analysis tool to scan the code for potential security vulnerabilities is crucial and can significantly reduce the risks of attacks later on.
To read more about our team’s security research, view how the attacks were done and to learn more about MiTM attacks – download the full free security research here
Latest posts by Dafna Zahger (see all)
- Are You on Tinder? Someone May Be Watching You Swipe - January 23, 2018
- Static Code Analysis: Binary vs. Source - November 21, 2017
- How to Implement DevSecOps Throughout Your SDLC - November 14, 2017