Security Explained: Android Game Hacking
10 February 2022
Hacking games are all in the setup, and Android Games aren’t an exception. Being hacking experts, we have loads of experience with hacking android games, and here we’re going to break down "how we do it" with our 5 key steps.
Digging your Android’s roots
Rooting is the Android counterpart of jailbreaking, allowing you to install unapproved apps, remove undesirable bloatware, upgrade the operating system, replace the firmware, overclock (or underclock) the CPU, modify everything, and more. Once rooted, the user can now access the system's very basic level, bypassing the user landscape that we regularly see. Here’s where the fun begins.
To get around the Android application sandbox, attackers can root a device, providing them with access to data stored on the device that would otherwise be prohibited. Because Google does not enable users to run programs with root rights on Android, this implies that consumers have no complete control over what their mobile devices do. This can be accomplished in two different ways:
The first method, which is also known as soft rooting, relies on a privilege escalation vulnerability in the Linux kernel or a program that runs as root. Once the rooting program has been granted root permissions, it has complete access to the filesystem. One-click rooting tools are commonly used for this. One-click rooting tools are programs that are installed on the device and exploit vulnerabilities.
The second method is known as hard rooting. The ability to flash the device's firmware is required for hard rooting. Full access to the filesystem is effectively granted as a result of this. A device with a bootloader that can be unlocked or a vulnerability in the bootloader is required for a hard root.
Monitoring the traffic
With Android now successfully rooted, the next task we need to accomplish is examining what traffic is flowing from the app to the server (the back-end it communicates with). We usually set up a hotspot on our PC using a wireless adapter, which the mobile device connects to, allowing us to see what exactly is happening from the mobile device side, what type of traffic is flowing, whether it’s web-based or not, and most importantly, what protocols we need to support.
One of the most reliable network traffic analyzer tools we use to do this is Wireshark, as it allows you to observe what's going on in your network at a microscopic level. Not only can we see what type of network communication is used (whether it’s web or packet-based (TCP/UDP) etc.), but we can also see which IP and port the mobile application communicates with.
Extract APK (game binary) from Android Device
An .apk file basically represents a mobile application as it is installed on a mobile device. Essentially, it’s like an .exe file that is used to run a Windows Program, containing all data required to operate correctly (compiled code, resources, signature, manifest, etc.).
First, you need to enable debug/developer mode on the device. This can be easily achieved by tapping the build number of your device multiple times, which can be found in the settings section. We then need to access the Android Debug Bridge (ADB).
Android Debug Bridge (ADB) is a versatile command-line tool that lets you communicate with a device. The ADB command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device. To clarify, ABD is not a hacking tool but is in fact part supported by any Android device by default.
To use ADB with a device connected over USB, you must enable USB debugging in the device system settings, under Developer options. You can then move files from one device to the other, while also installing binaries to the mobile device. This is particularly useful for developers as you can download (extract) .apk files from your device.
Decompiling: an explanation
Decompiling is the process of converting binaries and libraries into a higher-level programming language that humans can understand (such as Java or C#). You can almost get the same original code back, that was initially developed. Low-level languages like C++ can only be reverse-engineered and read out in assembly language. During the compilation process, certain information gets stripped, which makes it impossible to recover the original code through classic decomplication techniques.
We do this when we want to crack open the Android’s code and check the inside, allowing us to see what has been developed, what are the functionalities if we want to modify the code and more. This is particularly useful as you can examine and identify the source code and detect where the issues are, and how this can be hacked. We can now make modifications to the application and removal techniques that have been implemented to make it harder to hack the application (such as SSL pinning, root detection, etc).
Signing the app
With our .apk file now successfully modified and recompiled, we then upload our new modified version to the Android Device, which would be the case when bypassing SSL pinning as an example. Normally, if you were to install an application that isn't available on the app store, a warning immediately appears asking if you want to install it. This is a safety precaution to stop untrusted applications from being downloaded, which is very often malware. Android requires that all APKs be digitally signed with a developer certificate that is granted by Android to app developers before they are installed on a device or updated. However, because we’re doing it from our side using a self-signed certificate on a rooted device, we end up bypassing the app store and any warnings that appear and any limitations.
We’ve broken down what this attack does before in a previous blog. Essentially, a Man in the Middle (MitM) assault acts as a barrier between the client and the server in terms of communication. You are the 'client' when you use any platform, with the platform acting as the 'server’.
Essentially, the Man in the Middle impersonates both sides of the conversation. As a client, it makes it look like you've been talking with the server perfectly fine. And the server is confident that it is conversing back with the client. However, both are in contact with this unidentified actor. This implies that anything being sent is available for them to intercept and modify the contents of each message, for the sake of penetration testing.
We utilize this method at Cyrex for two reasons. Interception of network traffic and manipulation of the payload, or data, of each packet. This assault is the best way to understand what traffic is flowing, and how we can change or tamper with it, allowing us to conduct certain exploits and easily identify vulnerabilities.
We’ve previously debunked the myth that mobile devices are more secure than any other device, and as clearly shown, it’s just that easy. By acting like security professionals but thinking like hackers, no android device is safe from our 5 simple steps. With mobile devices being one of the most populated targets for hackers, it is essential you stay alert and secure from these oncoming threats. You can check out our portfolio page and see how we hacked popular mobile games such as Monstrocity: Rampage and Ultimate Pirates.