Android Game Keeps Getting Hacked

11,842

Solution 1

My idea isn't hacker proof, but might remove some of the interest for hacking the game.

Freemium model

1) Make the first 5-10 levels free so people can learn the game and have some fun without paying. Fewer will want to hack the first level and the game will spread even further by the Freemium model.

Shareware/clustered levelpacks

2) Let part of the game levels or logic stay online. E.g. when reaching level 5 or 10 or 15, download small parts of the game, and every time submit the progress log from the game and validate this against possible values + hashcodes. This could perhaps make it possible to automatically close down hacked accounts.

Stealth cheater protection

3) You could also just count "small warning flags" that you place around in the game. Don't just check for the "validation" in the beginning; no, build these flags into the game logic itself. Don't make it break the gameplay, because then no one will look for it. Then when the user reaches the end-of-level monster, check if there were any logged warning flags. These will not show up inside the game, so the unknowing user with a hacked edition could be playing for hours/days and suddenly realize that he/she couldn't finish the game or advance to the next level, because the game had a "bug". What the user didn't know was that this bug only occurs on hacked clients.

Conclusion

Be smarter than the crackers. Fool them into thinking the job was done. Make a copy protection and know that the more advanced crackers will be able to remove it. But they probably don't want to play 50 levels to check if the crack also works all the way.

Once they realize this problem, they might start to crack it too. But if you break the game up into level-packs, you can still validate between each pack download. So once you receive hacked client hash data, then just throw an exception and crash the game on the client. Whoops, the game crashed. Don't tell them it's because it's hacked. A program error can happen. :-)

Again, it's not hacker proof. But it might annoy them enough to move on to the next game. Lastly, you could also put out regular updates for the game and only the latest version should be able to "post the records" etc. so the active users would have to update to keep in the loop.
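The server-side check that points 2 and 3 of this answer describe, as an added example that is not part of the original answer: a progress log is validated against possible values and known build hashes before the next level pack is served, and warning flags are recorded silently. The function names, flag names, level limits and per-session MAC key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Every name and value here is hypothetical, constructed for this example.
LATEST_VERSION = 7
KNOWN_BUILD_HASHES = {7: hashlib.sha256(b"release-build-7").hexdigest()}
# Plausibility limits per level: (maximum score, minimum seconds to finish).
LEVEL_LIMITS = {1: (1000, 20), 2: (1500, 30), 3: (2500, 45)}


def sign(session_key, body):
    """MAC over the raw upload, keyed with a per-session key issued by the server."""
    return hmac.new(session_key, body, hashlib.sha256).hexdigest()


def validate_progress(session_key, body, mac):
    """Return the warning flags raised by one progress-log upload."""
    if not hmac.compare_digest(sign(session_key, body), mac):
        return ["bad_mac"]  # altered or forged upload; do not parse it
    log = json.loads(body)
    flags = []
    if log["version"] != LATEST_VERSION:
        flags.append("stale_version")  # only the latest release may post
    if log["build_hash"] != KNOWN_BUILD_HASHES.get(log["version"]):
        flags.append("unknown_build")  # client reports a hash we never shipped
    expected = 1
    for entry in log["levels"]:
        limits = LEVEL_LIMITS.get(entry["level"])
        if limits is None or entry["level"] != expected:
            flags.append("level_order:%d" % entry["level"])
            break  # skipped or unknown level; later entries are meaningless
        max_score, min_seconds = limits
        if entry["score"] > max_score:
            flags.append("score:%d" % entry["level"])
        if entry["seconds"] < min_seconds:
            flags.append("too_fast:%d" % entry["level"])
        expected += 1
    return flags


def next_pack_allowed(flags):
    """Flags stay in the server log; the client only sees a failed download."""
    return not flags


def make_upload(session_key, levels, version=LATEST_VERSION,
                build=b"release-build-7"):
    """Build a constructed sample upload the way a client would."""
    body = json.dumps({"version": version, "levels": levels,
                       "build_hash": hashlib.sha256(build).hexdigest()}).encode()
    return body, sign(session_key, body)
```

A modified client can report whatever build hash it likes, so the plausibility limits and level ordering carry most of the weight; the hash and MAC only catch careless tampering.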

Solution 2

I have been doing some APK decompiling and hacking for a while (not warez, but mods and hacks mostly to the Google apps and the Android framework, always abiding by xda-developers policies).

Once you learn to read smali, it is almost like reading the original Java code (but with way more LOCs). So, any code you add to check for keys can be found and deleted or replaced. You don't even need to recompile each time to eliminate more than one (some searches do miracles to find similar pieces of code) and, even if compilation/recompilation cycles are needed to find them, it's just a matter of one or two minutes to decompile: everything is automated by apktool and even more by apkmanager.

Having said that, my suggestion to you is to implement some sort of online scoring table or similar, and when the user looks at the score table online, you can check the hash code you implemented and compare it with the associated Gmail account. That way you can report the hack to Google and send a nasty message to the user of the warez, explaining why that is illegal.

Of course, a new hack could be implemented to eliminate the scoring table, but that would reduce the interest for the warez.

Good luck.


Update

After researching to answer this question: Injecting code into APK (really about the Amazon DRM mechanism), I can tell a little bit on how Amazon is protecting the apps: it includes methods for checking for the installation validity everywhere (you can see an example of how they do it in my answer to that question). This will make any attempt to hack an app not very difficult, but extremely tedious. I believe that is a strong point: hackers won't want to spend so much time doing so many repetitive tasks: it's not challenging and it's boring. The main flaw I see in that approach is the possibility to hack the Amazon app itself to always return a valid answer, of course. But, if you mix your current hash checks with some sort of online check scattered among your methods, I believe the chances of it getting hacked may be drastically reduced.

Solution 3

Taken from my solution from this post Avoid apk cracked

Implement your own licensing library

I'd also refer you to check out this from Google I/O 2011 YouTube recording:

Evading Pirates and Stopping Vampires

EDIT:

The Presentation Notes from Evading Pirates and Stopping Vampires

Some basic keypoints

Solution 4

I know you're not really into obfuscation, but I really need to react to this:

From here, I don't want to obfuscate our code as I have seen it broken before. I want something a little more solid, and I also want to learn how to do this properly.

ProGuard is very reliable in my experience, even though I use a couple of advanced features such as AIDL and some native code which calls Java methods. It takes a little work to read the documentation and do things properly, but once you're there ProGuard is extremely reliable and also optimizes your app.

Custom security/cryptographic tricks are good, but without obfuscation it's like throwing a stone in the water in my humble opinion.

I've used ProGuard in production for many months, and it just works flawlessly.

If you're into learning, then read the ProGuard manual carefully, experiment with it, and inspect its output logs.

Solution 5

The chance that there are more talented programmers than YOU (applies to all programmers) is 100%. And if that is true, you cannot fix hacking. But you can spend enough time and effort on it to go bankrupt.

If you want to make some serious money you need to do some research on your target user group, and behavioral science. You need to get users playing who bring in new money, and that's it.

Besides, you got it all wrong. Hackers are the most active members of your user base, they just behave in a way you did not intend them to.

Take Zynga games on Facebook for example, do you think they get hacked? - Sure, and about +100000 players only play because they can use bots that automate everything.

Having a huge active user base botnet of actual people makes achiever-type gamers want to play the game - and if they play, and it looks cool, then Average Joe will also want to play. If Average Joe plays, then his friends might want to play, and they probably will not care about anything other than being better than their friend, killing time or having something to chat about. Average Joe's friends will most likely be willing to pay to be better than Joe, but rather they would like to invest in something that makes them able to be better.

Besides, if the real value is playing the game for free, then users who use the free hacked version most likely never would have paid for it. But they are Average Joes and their friends just might. So this is like the cheapest commercial you can have. If you want to make money off your large user base, then just make new versions of the game with small changes to levels and graphics.

Author by

BajaBob

Small business owner and avid programmer. My company Hoverdog has several top selling games in both the iOS and Android marketplaces. Developer of the first marketing platform that combines in-game currency with Facebook likes. A great example of this system in use can be found in my latest project "Offroad Nation". It can be downloaded on iOS and Android. Almost 20k likes! fb.com/Hoverdog

Updated on June 07, 2022

Comments

  • BajaBob
    BajaBob about 2 years

    So we've been through this several times now, we release a game (for cheap) and someone hacks it and puts it up on a mirror. We set up Google Alerts for all our apps, so we get told daily who's doing the hacking. So far, we have implemented the licensing service as Google has suggested, our salt is randomly made each time the license is initiated with the unique device ID. We run the check service once, when the application is started for the first time. We then generate a 512 character hash for the key and the stored value that is compared against in SharedPreferences from there on out.

    Now, I know that checking once is probably where the application is being blocked. Our bytecode has most likely been looked at and recompiled without the line that initiates the check.

    From here, I don't want to obfuscate our code as I have seen it broken before. I want something a little more solid, and I also want to learn how to do this properly. I am more interested in learning than making money at this point since only 2% of people will ever look for a hacked version.

    So far, on my own, I have come up with a random number generator that is placed in several startup areas of the game. When initiated (say, 1 out of 50 times) the license is checked. I know this would make it harder to hack because the cracker would have to eliminate each case, compile, eliminate, compile. This method however, is still crackable...so what do you guys suggest? Again, I am really interested in this process of security, so please educate, don't turn this into a discussion on obfuscation or checking periodically based on a timestamp.

    Thanks

    • Thiago Arrais
      Thiago Arrais about 13 years
      If you hadn't said yourself that you are more interested in learning than making money, my answer would be simply "it's not worth the headache". Since you are interested in the headache itself, I say go ahead (but I have no answer for you, will just follow this question like everyone else).
    • Phil Lello
      Phil Lello about 13 years
      If the same game keeps getting hacked, are you confident you haven't got a problem member of staff? Not the nicest thing to consider, but it can happen
    • BajaBob
      BajaBob about 13 years
      Although it is over 20k lines of code, I manage the entire process by myself.
    • Sulfkain
      Sulfkain about 9 years
      @BajaBob then you are the mole :D
  • EboMike
    EboMike about 13 years
    I should mention that a lot of people have a problem with apps "phoning home". Personally, that's stupid - an Android phone 'phones home' in so many ways so often, it doesn't really matter, and what's the issue with an anonymous license verification check? Still wanted to throw that out - some people throw a big stink about "phoning home", especially when it's not disclosed.
  • Isaac
    Isaac about 13 years
    Making your app crash when you detect that it has been pirated may backfire, unless you make it very explicit that that's why it crashed. I recall reading about some game developers who made their game crash after a random time period if it failed an anti-piracy check. Of course, tons of people pirated it but didn't realize that the crashes were because they were running a pirated version. This resulted in a lot of bad press for the developers, and may have hurt their sales.
  • MByD
    MByD about 13 years
    @Mitch - I agree. I gave it as one possibility, but the "best" technical strategy maybe, is probably not the best "business" strategy.
  • Aleadam
    Aleadam about 13 years
    Well, it's understandable that people may have a problem if the app 'phones home' and does not let the user know. But a web-based score table solves that since it is the user who willingly connects.
  • BajaBob
    BajaBob about 13 years
    Wow, awesome ideas. Really appreciate all of this, never even considered making the levels and posting them to a server and validating against them. Versioning... great idea. Keep everyone updating, make it unreasonable to crack. Thanks a ton, this will keep me busy for a while!
  • EboMike
    EboMike about 13 years
    True, but once you use the connection which was supposed to "anonymously" upload the scores and send the gmail account hash, it's a different issue. Again: Not to me. I would think this is perfectly reasonable, and I'd personally be tempted to implement this scheme in my own app. The people who complain will be in a minority (and, very likely, purchase the app regardless).
  • EboMike
    EboMike about 13 years
    Sigh, too bad you can't +2 an answer :) One comment: How can you show that the problem lies with the game being pirated? If the game gets buggy/weird on a pirated copy, people might think it's a bug and badmouth the game on forums. I don't think this is such a big problem on Android since there aren't as many forums with a large audience, but I wonder if it makes sense to have a disclaimer up front that "pirated copies might not work right".
  • Phil Lello
    Phil Lello about 13 years
    Why would you decompile the framework, instead of downloading the sourcecode?
  • Aleadam
    Aleadam about 13 years
    @Phil you don't get access to the source code for the touchwiz or sense FWs so if you want to mod a particular phone sometimes the easiest way is to decompile it and change the smalis.
  • Fixee
    Fixee about 13 years
    I can remember a game from 1978 on the TRS80 that would act up randomly if the copy-protection was removed. There was only 1 validity check, and removing it meant you could freely copy the game, but the strange gameplay errors wouldn't occur on legit copies, only on hacked copies. No one thought that it was the developer's fault... we knew what was up.
  • BerggreenDK
    BerggreenDK about 13 years
    @EboMike I think the strong part of my idea for copy-protection is to "act as normal as possible"; don't even give the crackers a clue of what nasty protection schemes lie ahead. This would just make the more curious of them hunt the protection. Just for the fun of it. Remember, many of them don't do it for the money, but just because they can show it off. So don't tempt them. Just act casual. :o) Be smarter than them.
  • EboMike
    EboMike about 13 years
    @BerggreenDK: Then again, there's the question - how do you entice a pirate to buy the game? If the game works for a few minutes but then obviously breaks due to your check, they might consider buying the game (there is a certain subset of pirates who do that). If your game is just weird, they might think the game stinks and have a reason not to buy it. Remember - there's a tiny group of people who crack games, 99% of the pirates are people who just download the game from the warez websites.
  • BerggreenDK
    BerggreenDK about 13 years
    @EboMike As I stated in my first suggestion (not trying to be a smarthead here :o) ), my idea isn't fail-safe, but the Freemium model will allow the "pirate" to play e.g. the first 10 levels for free and those should work perfectly without bugs. The bugs shouldn't be introduced until later + if the updates keep coming, then this would break their progress/account.
  • BerggreenDK
    BerggreenDK about 13 years
    @EboMike Lastly, I don't care if the pirates don't like my game. If they wanna play it for free from Warez, then they aren't my customers anyways, so frankly I don't give a xxxx :o) if they say my game is crap everywhere in forums, well, then fewer pirates would want my game too. I'll focus on developing cool and fun games and then I am sure the real customers would want to pay. Otherwise my game is crap. :o) (and that could also be the deal)
  • TryTryAgain
    TryTryAgain about 12 years
    The links above seem to not always go to the page linked...it seems to only work sometimes and somewhat OS and browser dependent. So, take note of the ending #%3ar.page.15 in the URLs. If you aren't automatically redirected to that page, be sure to look at the link to see where/what page you should be looking at.
  • ChuongPham
    ChuongPham over 11 years
    As of today, Lucky Patcher app has cracked Amazon DRM as well! Aside from ProGuard, another solution might be DexGuard. But DexGuard costs a few hundred euros to buy but one can't be sure that even it can protect your codes from being pirated...
  • yetimoner
    yetimoner over 11 years
    Clarification: while you can root either platform, only a small percentage of IOS users actually will for fear of hosing the install. Also in many parts of the world it's difficult or impossible to pay for an Android app, fueling piracy.
  • BerggreenDK
    BerggreenDK about 11 years
    This was actually one of the ideas from my answer from 2011... why post it again?
  • BerggreenDK
    BerggreenDK about 11 years
    Nice! I see they also believe in Freemium and hiding certain "errors" within the game (just using a licenses technique). I would like a crossplatform solution instead of an Android only license server. But interesting too.
  • Snake
    Snake almost 11 years
    should be the accepted answer. Amazing!
  • Nzall
    Nzall over 10 years
    @Fixee and others The recent Batman Arkham Asylum game had something akin to that: on pirated copies, a crucial move would fizzle and get you stuck pretty early in the game. Then, when someone complained about the "bug" on the forums, the developer could smirk and say "it's not a bug in the game, it's a bug in your moral code".
  • BerggreenDK
    BerggreenDK over 9 years
    btw. it's funny, this answer has 15 thumbs up, mine has crossed 90 already and is not considered the right answer :-)
  • BerggreenDK
    BerggreenDK about 9 years
    Anything that can be read can also be decompiled, it's just a matter of CPU power and stubbornness. Obfuscation still lets the code run so while decompiling/deobfuscating the code, the cracker can still compare the running version with the original. It might delay the cracker or stop the less experienced cracker, but it's not failsafe at all.
  • BajaBob
    BajaBob about 9 years
    Answer changed to this. Currently working on my 12th game. The more I read on this subject, the more I agree with this answer (I think the community agrees too). Most importantly, the market has shifted since I've asked this question to the freemium model. People just don't pay for games as much as they used to with all the free options currently available. I agree completely with not providing instant feedback to an attacker on whether their attempts at hacking a game were successful.
  • BerggreenDK
    BerggreenDK about 9 years
    Thanks a lot. Much appreciated.