With the rapid development of the mobile gaming industry, various illegal profit-seeking groups, such as cheat creators, game assistance tool developers, and studios specializing in in-game item trading, have taken advantage of this opportunity to enter the market and seek profits. These activities have caused considerable harm to both game developers and players, making security issues an essential aspect of mobile game development that cannot be ignored. This article will discuss how to expose these security issues and cheat risks from a technical perspective.
With the widespread popularity of smartphones and the pan-entertainment market, the mobile gaming industry has developed rapidly. Mobile games now account for half of the game market in terms of revenue and user scale. Such a hot market has attracted a large number of illegal profit-seeking teams, such as cheat makers, assistance-tool developers, and studios, which seriously affect the revenue and balance of games and shorten their life cycles. Let's take a look at the harm that cheats cause to mobile games.
How can we expose these security issues and cheat risks from a technical perspective in advance? Tencent's SR (SecurityRadar, a specialized technical solution for Tencent mobile game security testing) mobile game security testing team has been exploring and accumulating technology in the field of mobile game security since early 2011. The goal is to discover security vulnerabilities in game versions in advance, warn of risks, and help improve Tencent's game brand and reputation.
In order to help projects discover and fix security issues before release, SR mobile game security specialized testing intervenes during the stage when the game version transitions to functional testing.
After several rounds of efficiency optimization, SR mobile game security testing has compressed the time for one round of security testing to 3 days, and can produce an "SR Mobile Game Security Testing Report". After the project fixes the vulnerabilities, the SR specialized team will still conduct regression testing for security vulnerabilities and ensure that the project is released according to the version plan.
Exposing security vulnerabilities early can help projects carry out security countermeasures and strategy reinforcement during the development stage, avoiding a passive situation when confronting cheats during project operation. At the same time, it fundamentally reduces the player loss and operational damage caused by cheats.
The need for mobile game security testing mainly involves the testing scope and content of mobile game projects. Expert mobile game security testing services are provided, with Tencent's internal mobile game security testing experts conducting testing, problem communication and follow-up, handling optimization checks, and more.
1. Test design: Design tests according to the content of the corresponding game, find profit points in the game, and combine SR security check items to achieve complete coverage of the game content.
2. Expert peer review: Check for missing risk checkpoints to ensure complete coverage.
3. Test execution: Perform test checks using SR tools based on risk checkpoints, mainly including function modification, protocol modification, memory modification, speed change, script modification, and static vulnerability scanning.
4. Vulnerability submission: Test experts submit vulnerabilities according to the SR vulnerability template and conduct vulnerability rating and content review based on the "Vulnerability Rating Criteria."
5. Security report: Security experts evaluate the overall security of the game based on the identified issues and output a security testing report.
6. Vulnerability regression: After vulnerability repair, resubmit the fixed version for regression. SR evaluates the vulnerability repair situation and provides feedback on the conclusion.
1. Crash vulnerability scanning service: Use intelligent protocol analysis to fill in fuzz test cases, send them to the server, and test server reliability and robustness.
2. Protocol/function risk scanning: Learn security risk models through AI algorithms, intelligently analyze game functions and protocol data, and have the ability to output security testing reports within 2 hours.
Based on the above planning ideas, the SR team focuses on the innovation of mobile game security testing technology to improve the ability and efficiency of vulnerability mining. The biggest difficulty of the entire technical solution is that mobile games differ greatly from traditional apps, and different games have different gameplay and technical implementations. We need to develop a universal solution to meet the security testing needs of different games. After years of research, development, and optimization, the SR team has finally achieved compatibility with hundreds of Tencent-developed and licensed games, creating an industry-leading mobile game security testing technical solution.
- Industry's unique security testing technology for dynamically modifying mobile game client programs and object-based mobile game memory security testing technology.
- Several leading automated risk scanning technologies.
- Possesses multiple national-level technology patents.
The SR mobile game security testing team divides the reviewed content into static security vulnerabilities and dynamic security vulnerabilities. Different types of issues will have different testing approaches and analysis methods, and there will also be differences in testing tools and testing methods.
Static security vulnerabilities are checked mainly through automated static scanning of the game APK's configuration files, resource files, script files, manifest.xml, and .so files against the inspection items. (Currently, this content has been integrated into the SR mobile game security testing solution, covering 120+ security check items and information security testing items.)
Dynamic security testing involves a wide range of content, mainly analyzing security risk points based on specific game content and gameplay. Through protocol, function, memory, script, and other technologies, the game server is checked in multiple dimensions to determine whether there are comprehensive verifications or anti-cheat strategies for the corresponding risk points.
Based on the refinement of vulnerability types, the SR mobile game security testing team summarized the risk points generated according to the profit points in the game. Then, in different games, combined with specific gameplay, corresponding profit methods were derived. Usually, the analysis method based on risk points can completely cover the security-related parts in the game. Combined with checkpoints, it generates use cases that can be executed in actual operations, forming a closed loop.
Mobile game security testing also has very high technical requirements, requiring professional technical personnel to perform reverse analysis and tool support. Otherwise, the above-mentioned test points may be just theoretical discussions. However, without exaggeration, SR mobile game security testing already has these technical accumulations. Based on the analysis of test checkpoints, the security testing tools we need include: function modification, memory modification, speed modification, protocol modification, and script modification.
All auxiliary functions for security testing have been integrated into the latest version of the SR tool. The following sections demonstrate the technical implementation and tool effects of each major function.
The SR tool injects directly into the game's packet assembly function and automatically parses the protocol structure, eliminating the need for testers to analyze binary data for protocol cracking. It can automatically parse the protocol structure even without protocol structure files. Both the mobile and web ends can display protocol data. On mobile devices, the effect of sending a protocol message can be seen on the spot, while on the web, the corresponding fields can be dynamically modified with one click, so the two ends complement each other.
Judging from the games currently supported and accessed, the SR tool has reached 100% support for the games currently being researched and operated by Tencent, and basically covers all the current game types in terms of protocol types and engine types:
For mobile games with single-round gameplay, dynamic function modification has the strongest vulnerability discovery capability. However, early testing methods were very inefficient: a hook function had to be written individually for each target function, which meant defining function pointer variables, allocating independent hook resources, and recompiling the code. The usage threshold was also high, and only professional security testing specialists could operate it. SR's dynamic function modification uses dynamic universal hook technology, eliminating the need for testers to code hook functions.
- The dynamic function modification solution covers a total of 81 security risk check items.
- The security audit time for a single version has been reduced from 15 days to 3 days.
- The cost of function modification testing has been reduced by 70%.
The industry's first mobile game memory modification technology displays the object list, object attribute names, attribute values, and other information in the game for testers, and allows searching by object unit. This innovative method replaces the traditional inefficient solution of locating target memory addresses by searching for "memory values" using mobile game memory testing tools, achieving a 70% reduction in testing costs for this item.
- Memory objects at a glance: Obtain all objects, object names, addresses, and attribute values in memory.
- Object data dynamically updated: Dynamically update memory objects.
- Dynamic modification with real-time effect: Directly modify object attributes, and the changes take effect immediately in the game.
Denial-of-service attacks, in which attackers attempt to make the target machine stop providing services, are one of the common tactics used by hackers. Abnormal player operations, abnormal packets sent by hackers, and batch packet sending may cause server crashes, affecting the normal operation of the game and preventing players from playing normally. In early protocol testing, abnormal packet-sending cases were designed by hand to check whether they would cause server crashes. However, this testing method has low efficiency and covers very few abnormal points. SR has developed this system by combining external network fuzz testing tools with the crash cases accumulated from long-term protocol testing.
After analyzing the field types, the system automatically fills the related fields with abnormal values for their type, assembles packets, and sends them to the server for fuzz testing. This solves the problems of traditional protocol testing, such as low execution efficiency, slow problem location, and limited branch coverage.
The testing process is as follows:
During the fuzz testing process, a large number of security issues can be discovered without the need for testers to be heavily involved. The system supports concurrent device execution, intelligently allocates test machines to perform tasks, and has high task execution efficiency. After discovering problems, it can intelligently locate the protocols and fields involved, helping developers quickly locate issues. The scanning covers 31 inspection rules, including numeric overflow, SQL injection, format strings, and buffer overflow, and has fully covered the types of protocol fuzz testing, with data still increasing.
- Discovered 83 server crash issues through automated scanning.
- Checked all protocol field abnormal value fillings, with an average of 120,000+ abnormal protocol cases executed per game, filling the gap that manual testing cannot complete.
- More than 10,000 test cases can be tested within an hour for a single game, resulting in a significant increase in efficiency.
- Scanning covers 31 inspection rules, including null pointers, numeric overflow, SQL injection, format strings, buffer overflow, and other testing items.
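The type-driven field filling described above can be sketched as follows. This is an added example, not SR's code: the message schema, the anomaly values, and `buy_item_handler` (a local stand-in for a server-side message handler) are all constructed for illustration. Mutating one field per case is what lets a crash be attributed to a specific field and rule.

```python
import struct

# Anomaly values per field type, grouped by rule. Rule names follow the
# categories the article lists; the concrete values are constructed samples.
ANOMALIES = {
    "int32": {"numeric_overflow": [2**31 - 1, -2**31, 2**31, -1, 0],
              "null": [None]},
    "str": {"buffer_overflow": ["A" * 4096],
            "format_string": ["%s%s%s%n"],
            "sql_injection": ["'"],
            "null": [None, ""]},
}

def fuzz_cases(schema, baseline):
    """Yield (field, rule, message), mutating exactly one field per case."""
    for field, ftype in schema.items():
        for rule, values in ANOMALIES[ftype].items():
            for value in values:
                yield field, rule, {**baseline, field: value}

def run_fuzz(handler, schema, baseline):
    """Run every case; ValueError is a clean rejection, anything else a crash."""
    findings = []
    for field, rule, msg in fuzz_cases(schema, baseline):
        try:
            handler(msg)
        except ValueError:
            continue  # the handler validated the input and refused it
        except Exception as exc:
            # One-field-per-case mutation pins the crash to a field and rule.
            findings.append((field, rule, type(exc).__name__))
    return findings

# Constructed sample: a hypothetical "buy item" message and a handler that
# validates `note` and null item_id but never range-checks the integers.
SCHEMA = {"item_id": "int32", "count": "int32", "note": "str"}
BASELINE = {"item_id": 1001, "count": 1, "note": "gift"}

def buy_item_handler(msg):
    if not isinstance(msg["note"], str) or len(msg["note"]) > 64:
        raise ValueError("bad note")
    if msg["item_id"] is None:
        raise ValueError("bad item_id")
    return struct.pack("<ii", msg["item_id"], msg["count"])  # crashes on bad ints

if __name__ == "__main__":
    for finding in run_fuzz(buy_item_handler, SCHEMA, BASELINE):
        print(finding)
```

Each finding names the field and rule that produced an unhandled exception, which is the input a developer needs to add the missing validation.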
By defining and classifying a large number of security vulnerabilities, risk definitions, and feature definitions, pattern recognition technology is introduced to establish a mobile game security risk analysis model. This automatically analyzes high-risk functions in the game, effectively helping testers save the most time-consuming risk analysis process, reducing the vulnerability testing time for a single mobile game version from 3 working days to 1 working day.
SR Mobile Game Security Testing Support for Projects:
The SR mobile game security testing solution has supported, in terms of tools, all mobile game projects researched and operated by Tencent, relying on its own technical accumulation to improve its professionalism and continuously maintain the vulnerability discovery rate. At present, the vulnerability detection rate of the projects audited by the SR mobile game security testing team is 100%, which has been recognized by more and more projects. Through the security test of Tencent's high-star mobile game, 2213 security vulnerabilities were found, and the overall data showed an upward trend. While paying attention to operational retention and income, these data are also worth considering!
Through data analysis, we found that high-risk vulnerabilities are more likely to be discovered during the mobile game security testing process, and the risks they bring are more fatal. Within Tencent, through the promotion of SR mobile game security testing, these security issues have been fixed in the project teams, creating a fair, competitive, and securely operated game ecosystem for Tencent games. Now, mobile game security testing has officially entered Tencent WeTest, formally opening security testing capabilities to the outside world. Vendors in need can contact us.