Lammert Westerhoff 04 Dec, 2015
Share 
You probably have one of the million games where you earn achievements and unlock specials on your iPad or iPhone. If you develop games for gamers that enjoy to play games that pay real money, you’ve probably wondered about people cheating your games? In this blog we’re going to show you how to try cheating out yourself and how to build secure iOS games.The actual question at hand: how can you break the integrity of an app on iOS?
Cheating is influencing state
A lot of games on the iOS App Store have absolutely zero protection against cheating. Either because developers don’t even consider adding some security or because they might think it’s very hard or expensive to implement. In this post we’re going to be looking at some games that use local state, such as a database or plists (or other formats) on your device. These kinds of games can be cheated by opening up some local files and editing values to your liking.
Influencing the local state
For this example we’re going to use a random game that we found in the appstore. This game does not send any game-related data to the server and thus probably saves everything locally.
We’re using a jailbroken device to be able to access the device file system. This reveals that the game saves a database file in the apps documents folder. When we open this with an SQLite DB Browser we can read and modify the database. In this case the SQLite database contains two interesting keys named registry-stash-stars and registry-stash-coins. We edit these files with SQLite and re-upload the database to the device.
We restart the game and we have 15000 stars and 5000 coins!
Securing your iOS game as a developer
The best way to prevent local state manipulation is, you guessed it: server side validation. Of course, if you don’t want to work with servers, you could also take a look at encrypting your data (hiding it) and then HMAC it (verifying integrity). Don’t forget to store the keys for encryption and the HMAC creation in the keychain. It won’t be watertight but you just got rid of quite some cheaters.
Now you know how to build secure iOS games. If you want to go further, check out our training: iOS Application Security Fundamentals.
Typical security jack-of-all-trades. Hands-on security architect with a nack for security, automation, and risk management. Jeroen has been involved in various OWASP projects. He enjoys a pentest every now and then, while helping organizations to get secure enough. Jeroen is often engaged in knowledge sharing through talks, blogs, projects at github, and trainings. Want to reach out? Check his allmylinks page.
